COVID 19 Engagements What happens when you can’t get to key client locations 

by Donald E Sheehy

With this global pandemic many companies have been forced to close offices and run operations remotely. COVID-19 health and safety measures recently implemented in countries across the globe are likely to impact the way in which a practitioner plans and performs their procedures to support a SOC opinion, especially where data centers are involved.   The issue- can the practitioner and client be onsite in order that the practitioner can obtain sufficient appropriate evidence 

As a result of restricted/limited access to a CA’s physical premises and CA management, the completion of necessary procedures required to assess whether certain key controls are designed and operating effectively may be more challenging. In some cases, the practitioner may be able to perform alternative procedures to evaluate the effectiveness of controls.  

In addition, health and safety measures may also create a scenario where the data center not be able to perform (or appropriately perform) certain controls that are set out in the SCO report, In the absence of suitable compensating controls, this non-performance or deficiencies in the operating effectiveness of controls could result in a qualified (or adverse) opinion. 

The AICPA and CPA Canada have developed non-authoritative guidance for potentially dealing with this issue.   AICPA guidance  FAQs — SOC 1® and SOC 2® Issues Arising From COVID‐19 is located at

 CPA Canada issued guidance, adapting the AICPA guidance at

Both cover these areas:

  • Understanding Changes to a Service Organization’s Operations, Systems and System Controls due to COVID-19 - What are important considerations for service auditors planning their SOC engagements in 2020?
  • COVID-19-Related Disclosures in the Description of the Service Organization’s System - Is the description of the system required to include disclosures about the effect of COVID-19 on the service organization?
  • Performing Procedures Remotely- What matters may service auditors consider when determining whether they can perform a SOC engagement remotely?
  • Going Concern Issues - Do service auditors have any responsibility in SOC engagements for going concern issues of the service organization arising from COVID-19?
  • Subsequent Events- Should service auditors consider the need for subsequent events disclosures related to COVID-19 in SOC engagements?
  • Management Representation Letters- Should service auditors request additional representations related to COVID-19 in the management representation letter?
  • Subservice Organizations - How might COVID-19 affect a service organization’s disclosures surrounding the use of subservice organizations?

This is just a subset of COVID-19 resources that are available from the Institutes that are available to assist practitioners.

Leave a comment


  • No comments found