INFORMATION TECHNOLOGY LABORATORY (ITL)

At Integrated Accounting Services, LLC we encourage anyone concerned about the security and privacy of information technology systems to check out the work being done by the Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST). The NIST website (http://csrc.nist.gov, Computer Security Division) states: “ITL promotes the U.S. economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL’s responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of other than national security-related information in federal information systems.”

As such, ITL is in the unique position of being able to advise on, as well as support, the standardization of control processes for the private sector. ITL has an in-depth understanding of the IT control problems that must be solved to integrate private systems with the existing government systems. It is in the best interest of the government to be involved in this process to ensure compatibility of systems and to establish confidence in the quality of the controls that will be placed on the systems with which it is integrating.

Everyone interested in advancing the design and planning of IT systems should become knowledgeable about the accomplishments of NIST by reading its Special Publication 800-series reports. The 800-series reports on ITL’s research, guidelines, and outreach efforts in information system security, and on its collaborative activities with industry, government, and academic organizations. NIST Special Publication 800-53, “Recommended Security Controls for Federal Information Systems and Organizations”, lists pages of specific controls that would be considered in the preparation of a standardized list of IT system controls for the private sector.

The American Institute of Certified Public Accountants (AICPA) has developed and adopted a set of guidelines and regulations for CPA audits, entitled Service Organization Controls (SOC), in response to the requirements of the Gramm-Leach-Bliley Act. SOC is divided into two general types of audits, SOC 1 and SOC 2, that are described in detail on this site. SOC is very specific as to the types of assessments that are to be made for each type of audit. SOC guidelines and regulations do not define the controls to be evaluated as part of an accounting audit to the same depth as the controls identified by NIST.

A very large portion of the IT systems data worldwide relates to the actual accounting of income and expense data. It would substantially improve confidence in the accuracy of the data and in the validity of private, corporate and government audits if the standardized controls adopted for financial audits were identified and placed in a category separate from other types of controls.

To expedite certification of the adequacy of IT controls on financial systems, the accounting category should be further divided and organized according to how CPAs are required by the AICPA to assess and certify the adequacy of the controls.

A SOC 1 audit assesses controls under two entirely different sets of circumstances. Under the requirements of SSAE No. 15, the audit is “An Examination of an Entity’s Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements”. These controls deal with the validity and correctness of the data itself.

SOC 1 audits according to the requirements of SSAE No. 16 report “On Controls at a Service Organization” that is processing private and nonpublic personal data for its customers. The controls would obviously differ in approach, even though there would be some overlap. Standardizing would require developing different categories of controls for each type of audit.

SOC 2 audits deal with five different concerns: security, availability, integrity, confidentiality, and privacy. Specific controls come into play for each of these areas, including overlapping controls to prevent possible financial theft, to ensure timely transmission, and to address intrusion/manipulation, limited access and nondisclosure.

Should those involved in designing and operating IT systems decide to become knowledgeable about the standards developed by NIST, it would provide a common starting point for the first of a series of joint meetings. The fact that the responsibility given to ITL is limited to federal systems that are not security-related means that all other federal IT systems are designed and implemented to the same security and safety control guidelines and regulations. The federal systems established by ITL are designed to interface with the private sector as much as possible, considering the number of different systems. It would appear to be a viable approach to solving a major problem.

At Integrated Accounting Services LLC, we believe that the establishment of a Standard Federal IT System by ITL provides a tremendous opportunity to begin the process of standardizing all private sector systems. Joint studies have been limited by the lack of agreement on a starting point of reference. Utilizing what ITL has developed would begin the process of developing a compliance standard for controls for each of the standard types of IT systems that are emerging in the private sector. Having standardized IT system controls for each type of IT system would obviously create the high level of security and safety now enjoyed when processing private, personal and nonpublic data in the medical industry.

Through coordination meetings with IT system organizations, users, system designers, and equipment vendors in the private sector, ITL could provide direction on how to establish private system controls that would be in compliance with its regulations and guidelines. ITL would also have the opportunity to modify its design to assist in reaching agreement on a universal compliance standard. The meetings would be organized and implemented in the same manner as the industry-wide organizational programs and joint meetings that were so successful in the development of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) sixteen years ago.

Please contact Integrated Accounting Services LLC, by commenting and making suggestions on this post, if you are interested in attending and being part of a Joint Planning Task Force meeting with NIST.

Pretexting Protection

Pretexting Protection is one of the three major components of the Gramm-Leach-Bliley (GLB) Act that govern the collection, disclosure, and protection of consumers’ nonpublic personal information, or personally identifiable information:

  • Financial Privacy Rule
  • Safeguards Rule
  • Pretexting Protection

Pretexting (often referred to as “social engineering”) has become the critical challenge facing the Information Technology industry, as a rapidly increasing number of hackers attempt to gain access to personal and nonpublic information. Numerous organizations worldwide are attempting to develop an Intrusion Detection and Prevention System (IDPS) that can be applied universally.

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure. ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. Information Technology personnel should be aware that ITL also publishes the Special Publication 800-series, which reports on ITL’s research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations.

A 2007 publication recommended “using multiple types of IDPS technologies to achieve more comprehensive and accurate detection and prevention of malicious activity”. It identified four primary types of IDPS technologies and pointed out that each technology type offers fundamentally different information gathering, logging, detection, and prevention capabilities.

  • Network-Based, which monitors network traffic for particular network segments or devices and analyzes the network and application protocol activity to identify suspicious activity.
  • Wireless, which monitors wireless network traffic and analyzes it to identify suspicious activity involving the wireless networking protocols themselves.
  • Network Behavior Analysis (NBA), which examines network traffic to identify threats that generate unusual traffic flows, such as Distributed Denial of Service (DDoS) attacks, certain forms of malware, and policy violations (e.g., a client system providing network services to other systems).
  • Host-Based, which monitors the characteristics of a single host and the events occurring within that host for suspicious activity.

Because the characteristics that describe an IT organization’s system and network environments span such a wide spectrum, evaluating IDPS products requires first defining the requirements and then considering a combination of several sources of data on the products’ characteristics and capabilities.
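To make the Network Behavior Analysis category above concrete, here is an added example (not code from the original post or from NIST) of the two flow-level checks that paragraph names: a flood-like pattern where one service is contacted by unusually many distinct sources, and the policy violation of a client system that is found to be serving other systems. The flow records, the client-host list and the threshold are all constructed for illustration; a real deployment would take flows from a collector and the host roles from an asset inventory.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One summarised network flow: who talked to whom, on which destination port."""
    src: str
    dst: str
    dport: int
    bytes: int


# Hypothetical site policy: these addresses are user workstations (clients).
# Policy says they must never accept inbound connections, i.e. never act as servers.
CLIENT_HOSTS = {"10.0.1.10", "10.0.1.11", "10.0.1.12"}

# Hypothetical tuning value: this many distinct sources hitting one
# destination:port inside the observation window is treated as flood-like.
FLOOD_SOURCE_THRESHOLD = 4

# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = [
    Flow("10.0.1.10", "10.0.2.5", 443, 1200),   # workstation -> internal web server: normal
    Flow("10.0.1.12", "10.0.2.9", 25, 800),     # workstation -> mail server: normal
    Flow("10.0.1.10", "10.0.1.11", 8080, 512),  # workstation -> workstation: 10.0.1.11 is serving
    Flow("203.0.113.1", "10.0.2.5", 443, 60),   # many external sources, tiny flows,
    Flow("203.0.113.2", "10.0.2.5", 443, 60),   # all aimed at the same service
    Flow("203.0.113.3", "10.0.2.5", 443, 60),
    Flow("203.0.113.4", "10.0.2.5", 443, 60),
    Flow("203.0.113.5", "10.0.2.5", 443, 60),
]


def detect_client_services(flows, client_hosts=CLIENT_HOSTS):
    """Policy-violation check: a client system accepting inbound connections.

    Returns sorted (host, port) pairs for every client host seen as a flow destination.
    """
    serving = {(f.dst, f.dport) for f in flows if f.dst in client_hosts}
    return sorted(serving)


def detect_floods(flows, threshold=FLOOD_SOURCE_THRESHOLD):
    """Unusual-flow check: one destination:port contacted by many distinct sources.

    Returns sorted ((dst, port), source_count) for targets at or above the threshold.
    """
    sources = defaultdict(set)
    for f in flows:
        sources[(f.dst, f.dport)].add(f.src)
    return sorted((target, len(srcs)) for target, srcs in sources.items()
                  if len(srcs) >= threshold)


def analyse(flows):
    """Run both checks and return the findings, one entry per check."""
    return {
        "client_serving": detect_client_services(flows),
        "flood_like": detect_floods(flows),
    }


if __name__ == "__main__":
    for check, hits in analyse(SAMPLE_FLOWS).items():
        print(f"{check}: {hits}")
```

Both checks look only at who-talks-to-whom metadata, which is why NBA can flag behaviour that a signature-based sensor inspecting payloads would miss; the trade-off is that the threshold and the host-role list must be tuned to the site, or legitimate load balancers and busy web servers will show up as floods.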

Until such time as there is a common method of protecting against invasions and pretexting, it is suggested by most, and encouraged by the GLB Act, that operators of IT systems covered by the federal law adopt educational programs for their employees and users processing IT data. The GLB Safeguards Rule requires the development, monitoring, and testing of programs to determine the adequacy of the IT controls. The GLB Act also recommends that follow-up programs of random spot-checks after the training be incorporated to test personnel’s degree of compliance with the guidelines. The training of employees would concentrate on teaching those who manage access to recognize and deflect inquiries made under the pretext of an authorized person. Impersonating the account holder by phone, by mail, or even by “phishing” (using a phony website or email to collect personal, nonpublic private data) is an intrusion. Pretexting by individuals is punishable as the common law crime of False Pretenses.


IT Vulnerability

The vulnerability of information technology (IT) systems globally has become a major financial liability for companies and institutions that have not been certified as being in compliance with the laws set to determine adequate protection.

Summary

  • Information technology systems are expanding nationally and globally.
  • Lack of controls results in financial losses and major lawsuits.
  • Standards and guidelines for Service Organization Controls have been adopted.
  • Current lawsuits regarding invasions indicate the seriousness of the problem.

Information technology has become the medium by which businesses, institutions and people around the globe communicate. The use of email has increased to the point where the number of transmissions per minute is in the millions, at practically no cost to the senders. The number of letters and the use of the postal service have declined to such a degree that the United States Postal Service can no longer afford to operate at prior levels of manpower.

Information technology systems handling personal and nonpublic financial data have literally taken over the exchange of financial data between banks and businesses. Businesses processing credit card information and other types of financial history of individuals routinely transmit personal data that is not for release to the public.

Processing communications and financial information has increased business efficiencies to a level that is impossible to calculate. However, this has come at a high cost for many people and businesses globally because of invasions of systems by unauthorized users, which lead to unauthorized withdrawals and charges by identity thieves.

The number of lawsuits being filed nationally and internationally against service organizations, financial institutions and businesses by people who have been damaged by the invasion of an IT system indicates that the vulnerability of IT systems remains very high.

This has created the necessity for establishing a standard for Service Organization Controls (SOC). This has led to the establishment of the SOC 1, SOC 2, and SOC 3 standards and guidelines for information technology systems by the AICPA.

Financial Privacy Rule-Safeguards Rule

At Integrated Accounting Services LLC, our understanding of the “SAFEGUARDS RULE” issued by the Federal Trade Commission makes it imperative that all processors of nonpublic and private personal data be compliant with the American Institute of Certified Public Accountants guidelines for designing and implementing controls for the protection of data.

The Safeguards Rule is the Federal Trade Commission’s response to Section 501(b) of the Gramm-Leach-Bliley (GLB) Act, which requires ALL FINANCIAL INSTITUTIONS OVER WHICH THE FTC HAS JURISDICTION to establish IT control standards that safeguard customer information. The GLB Act applies to any financial institution or business that is processing or storing “customer information”, including financial institutions and businesses that receive customer information from others storing and processing consumer information. The purpose of the Safeguards Rule is to define the requirements of the GLB Act in IT terms for the “development, implementation and maintaining of administrative, technical, and physical safeguards to protect personal and nonpublic customer information”.

To assist in the implementation of the Safeguards Rule, the AICPA has established a set of standards and guidelines known as Service Organization Controls (SOC). SOC guidelines provide an assessment and reporting procedure for CPAs when auditing assertions by the management of an IT system as to the adequacy of their IT controls. The assessments determine whether their IT controls are adequate and in compliance with the SAFEGUARDS RULE. The SOC 1 standard tests the controls that determine the validity of the data used in preparing financial reports and the reliability of its source. SOC 2 also tests the management assertions as to the adequacy of the “Security, Availability, Process Integrity, Confidentiality or Privacy” controls.

The financial liability being incurred by operators of non-compliant IT systems has become enormous as the number of intrusions, identity thefts, frauds and other unauthorized uses continues to increase both nationally and internationally. It has become incumbent upon all non-certified businesses and institutions processing personal and nonpublic data to be assessed for compliance with SOC by a CPA who is a Certified Information Technology Professional (CITP) approved by the AICPA. At Integrated Accounting Services LLC, the CITP staff performs both SOC 1 and SOC 2 audits as part of a financial audit to ensure the financial report is based on processed data that is valid.

With the emergence of globally connected IT systems, the failure of IT system users to be compliant with the law when connecting to other IT systems places the entire global IT community at risk, as proven again recently. Two hackers in Europe removed over seven hundred thousand personal and nonpublic files from the State of Utah IT records. The potential financial loss for consumers that can result from intrusions of this type into non-compliant IT systems can be non-recoverable. The FTC has no alternative but to insist that the Federal and State agencies responsible for licensing institutions and businesses enforce the laws governing IT system controls that have been passed. CITPs must be employed to perform independent audits according to SOC guidelines to determine the correctness of management assertions as to the adequacy of their IT controls. Non-compliance could result in the same treatment bestowed on those that fail financial audits.

IAS assists the management of IT systems in the private and public sector in the preparation of Security Plans and assertions to ensure their IT controls are in compliance with the GLB Act and the SAFEGUARDS RULE. IAS audits and assesses the Security Plans according to SOC standards and guidelines. Michael C. Warren, owner of IAS, is approved as a CITP by the AICPA and is qualified to certify compliance with the law. Certifications can be withheld in the event there are recommended changes or corrections, until they are incorporated.

Protecting Private Data From Intrusions

The private and nonpublic data being processed by information technology systems has become a major financial risk for businesses and governments worldwide due to the lack of adequate controls for protection of the data. As the use of the Internet for exchanging correspondence and financial data has grown, the increase in the number of unauthorized intrusions into information technology systems has created enormous financial losses.

The increase in the financial risks of utilizing information technology systems necessitated the passage of the Gramm-Leach-Bliley Financial Modernization Act of 1999 (GLB). The act imposed the legal requirement that all financial institutions and organizations that process data utilizing information systems must incorporate adequate controls to identify and prevent intrusions and the theft of private and nonpublic data. The GLB Act established the Safeguards Rule of November 12, 1999, which applied to all IT systems. To meet the intent of the Safeguards Rule, the controls must provide for protection of the security, confidentiality, and integrity of private and nonpublic information. The requirements of the Safeguards Rule have become the basis of many additional federal laws intended to clarify standards and guidelines for developing and implementing administrative, technical and physical safeguards. To ensure that an organization has adequate IT controls to protect its clients and the IT systems of other companies that are connected, it has become necessary that IT systems be audited.

In response to the Safeguards Rule imposed by the Federal Trade Commission, Service Organization Controls (SOC) were established by the American Institute of Certified Public Accountants (AICPA) as a set of standards and guidelines to be used by auditors of IT systems. The auditors are to evaluate the adequacy of the controls incorporated as part of information technology (IT) systems in an effort to meet the new regulations.

SOC consists of three types of auditing procedures to be conducted, SOC 1, SOC 2 and SOC 3, which provide detailed definitions of the different controls whose adequacy is to be verified. The controls include the management and administrative procedures, and access limitations, for institutions that process, store or collect private, personal and nonpublic data. The SOC requirements include the requirement for controls that detect and prevent unauthorized intrusion into the IT processing systems. The intent of the controls is to prevent the theft of the private and nonpublic data of customers and consumers by administrative, electronic and physical means.

The AICPA offers a certification of compliance with the SOC control requirements upon the successful completion of an audit by a CITP. A CITP is a CPA that has been evaluated and approved as a Certified Information Technology Professional by the AICPA. To enable a CITP to perform an audit of the electronic IT controls, it has become necessary that the IT system be electronically tested to determine the adequacy of the controls. This has resulted in the requirement to develop software systems that can be attached to IT systems to detect unauthorized inquiries and removal of personal data that can be used for identity theft. Protecting private data is a federal requirement that will soon require compliance to be certified.

SOC, What is it?

Service Organization Controls (SOC) establishes standards and guidelines for protecting IT data.

Summary

  • SOC audits reduce information technology systems invasions, identity thefts and corporate liability.
  • Federal legislation establishes the requirement for protecting IT data.
  • All operators of IT systems processing private and nonpublic data must comply.
  • SOC audits assess the fairness of assertions made by the management of an information technology system about the controls in place and their suitability and/or effectiveness.

SOC is an acronym for Service Organization Controls, a name given to a set of new standards and guidelines for auditing information technology (IT) systems that collect and process private and nonpublic data. SOC standards and guidelines were established by the American Institute of Certified Public Accountants (AICPA) on June 15, 2011. The AICPA created the standards in response to the Gramm-Leach-Bliley Act (passed by Congress in 1999) and other related federal and state regulations. SOC requires that the information technology systems of all financial institutions and all other organizations that process, store or collect personal and nonpublic data have controls that protect the data from intrusions, identity theft, fraud and other unauthorized uses.

The audit is an attestation engagement to gather evidence on the fairness of assertions by a service organization’s management. The management report addresses the suitability and/or effectiveness of the IT system controls. The auditor’s attestation objectively assesses the management’s assertion according to the requirements of the AICPA’s SSAE 16 and/or AT 101. The guidelines and standards in SOC 1 audits are virtually identical to their international counterpart, the International Accounting Standards Board (ISAB)’s International Standard on Assurance Engagements (ISAE) 3402.

SOC establishes three audit standards, SOC 1, SOC 2, and SOC 3, to evaluate IT systems and determine, respectively, the level of security and accuracy of financial data associated with financial audits, the total operation of the system, and privacy.

SOC 1 and SOC 2 Type 1 audits are conducted in one session covering a short period of time, while Type 2 audits are conducted in several sessions over a longer period of time, such as six months.

A SOC 1 audit examines and tests information technology (IT) infrastructure relevant to financial reporting according to the Statement on Standards for Attestation Engagements, SSAE 16, Reporting on Controls at a Service Organization, adopted April 2011.

SOC 2 audits are conducted in accordance with AT Section 101 and utilize the newly released AICPA audit guide titled “Reports on Controls at a Service Organization over Security, Availability, Process Integrity, Confidentiality, or Privacy”. The auditor’s report includes the results of the tests necessary to enable the auditor to express an unqualified opinion that the information technology system and controls described by the management report allow financial statements to be fairly presented, in all material respects, and in conformity with the standards established by the following principles:

1. Security: The system is protected against unauthorized access (both physical and logical).

2. Availability: The system is available for operation and use as committed or agreed.

3. Processing integrity: System processing is complete, accurate, timely, and authorized.

4. Confidentiality: Information designated as confidential is protected as committed or agreed.

5. Privacy: Personal information (i.e., information that is about or can be related to an identifiable individual) is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in Generally Accepted Privacy Principles (GAPP) issued by the AICPA and CICA.

The number of lawsuits resulting from failures to protect personal and nonpublic data, and the enormous number of invasions and identity thefts, is growing at a very rapid pace both nationally and internationally. It is incumbent upon all businesses and institutions processing personal and nonpublic data to become compliant and certified as having adequate controls for their IT systems. If companies do not take on this responsibility in the immediate future, it may become mandatory that government agencies take action to enforce laws requiring certification for the protection of all IT systems.

To provide a professional solution for these new standards, the team at Integrated Accounting Services (IAS) performs audits for service organizations and their clients during the same testing period where possible. IAS’s integrated approach to auditing both the service organization and its clients provides increased security, integrity and privacy for all systems. Timely coordinated reports and periodic follow-ups are part of the integrated approach to qualifying service organizations and their user entities and reporting the higher level of assurance to responsible parties.

This article is provided by Integrated Accounting Services for those seeking clarification of IT system and control requirements. Please contact us if you need an assessment of your system and to determine whether you need a SOC 1 or a SOC 2 audit to assure clients of your compliance with the new standards.


Service Organization Controls (SOC)

Service Organization Controls (SOC) are standards and guidelines for CITPs to use when assessing the fairness of the assertions of management of Information Technology systems as to the adequacy of their IT protection controls.

Summary

  • Service Organizations collect, store, and process data utilizing information technology (IT) for financial institutions, businesses and individuals.
  • The new standards and guidelines for auditing IT systems, named Service Organization Controls (SOC), apply to every organization that processes data on IT systems.
  • SOC Type 1 audits are for a specific period and consider suitability only, while SOC 1 Type 2 audits cover a period of time and cover both the suitability and the effectiveness of controls.
  • Audits determine whether management reports fairly report on the adequacy of the security, availability, processing integrity, confidentiality, and privacy controls.

A growing number of companies utilizing information technology systems outsource the processing of personal and nonpublic data to companies who collect, store, and process the information on their behalf. The companies to whom these services are outsourced are known as “Service Organizations”.

SOC is an acronym for Service Organization Controls, a name given to a set of new standards and guidelines for auditing information technology (IT) systems that collect and process private and nonpublic data. Although the name given to the new regulations implies they are for Service Organizations, they actually apply to all businesses, financial institutions or any organization that processes personal and nonpublic data.

SOC standards and guidelines were established by the American Institute of Certified Public Accountants (AICPA) on June 15, 2011. The AICPA created the SOC auditing standards in response to the Gramm-Leach-Bliley Act and other related federal and state regulations.

A SOC audit is an attestation engagement of a CPA/CITP to gather evidence as to the fairness of the assertions described by the management report of a service organization or financial institution. The management report asserts the adequacy and suitability of the design of the IT system controls and their operating effectiveness. The attestation objectively assesses the measurement and communication asserted by the responsible party according to the requirements of the AICPA’s SSAE 16 (AT 101.20), issued April 16, 2010. The guidelines and standards are virtually identical to their international counterpart, the International Accounting Standards Board (ISAB)’s International Standard on Assurance Engagements (ISAE) 3402.

SOC requires that the information technology systems of all financial institutions and all other businesses that process, store or collect personal and nonpublic data have controls that protect the data from intrusions, identity theft and other unauthorized uses.

SOC establishes three audit standards, SOC 1, SOC 2, and SOC 3, to evaluate IT systems and determine, respectively, the level of security and accuracy of financial data associated with financial reporting, the total operation of the system, and privacy.

SOC 1 Type 1 and SOC 2 Type 1 audits are conducted in one session covering a short period of time, while Type 2 audits are conducted in several sessions over a longer period of time, such as six months. Additionally, Type 1 reports consider only the suitability of controls, whereas Type 2 reports consider both the suitability of controls and their effectiveness at meeting the stated design goals.

The auditor’s report includes the results of the tests necessary to enable the auditor to express an unqualified opinion that the information technology system and controls described by the management report allow financial statements to be fairly presented, in all material respects, and in conformity with the standards established by the following principles:

1. Security: The system is protected against unauthorized access (both physical and logical).

2. Availability: The system is available for operation and use as committed or agreed.

3. Processing integrity: System processing is complete, accurate, timely, and authorized.

4. Confidentiality: Information designated as confidential is protected as committed or agreed.

5. Privacy: Personal information (i.e., information that is about or can be related to an identifiable individual) is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in Generally Accepted Privacy Principles (GAPP) issued by the AICPA and CICA.

The number of lawsuits resulting from failures to protect personal and nonpublic data, and the enormous number of invasions and identity thefts, is growing at a very rapid pace both nationally and internationally. It is incumbent upon all businesses and institutions processing personal and nonpublic data to become compliant and certified as having adequate controls for their IT systems in accordance with the SOC 1, SOC 2, and SOC 3 standards and guidelines. If we do not take on this responsibility in the immediate future, it will become mandatory that government agencies take action to enforce laws requiring certification for the protection of all IT systems.

To provide a professional solution for these new standards, the team at Integrated Accounting Services (IAS) performs audits for service organizations and their clients during the same testing period where possible. IAS’s integrated approach to auditing both the service organization and its clients provides increased security, integrity and privacy for all systems. Timely coordinated reports and periodic follow-ups are part of the integrated approach to qualifying service organizations and their user entities and reporting the higher level of assurance to responsible parties.

This article is provided by Integrated Accounting Services for those seeking clarification of IT system and control requirements. Please contact us if you need an assessment of your system and to determine whether you need a SOC 1 or a SOC 2 audit to assure clients of your compliance with the new standards and guidelines set by the AICPA.


Interaction Determines SOC 1 Need

Level of interactivity determines need for SOC 1.

Summary

The type of interaction between user entities and the service organizations providing their information technology services is defined by the degree to which the user entity is able to monitor the services of the service organization, which are separate from the user entity, and by the user entity’s ability to establish controls over those services. A user auditor may decide that the interaction between the user entity and the service organization is sufficient to allow the user entity to establish its own controls and avoid the need for the service organization to undergo a SOC 1 audit.

For a user auditor to evaluate the controls of a service organization, the auditor should understand the five components of the user entity’s internal control: the control environment, the risk assessment process, the information and communication system, control activities, and the monitoring of controls. This is necessary to determine whether the entity’s internal controls are sufficient and to assess the risk of material misstatement, whether due to error or fraud. It permits the auditor to design the nature, timing, and requirements of additional audit procedures in accordance with paragraph 40 of Statement on Auditing Standards (SAS) No. 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement (AICPA, Professional Standards, AU sec. 314).


SOC 1 Type 1 Versus SOC 1 Type 2

What’s the difference between SOC 1 Type 1 and SOC 1 Type 2 reports?

Summary

  • SOC 1 Audits examine a service organization’s controls relevant to a user organization’s internal controls over financial reporting.
  • SOC 1 Type 1 reports cover the suitability of design of controls on a specific date.
  • SOC 1 Type 2 reports cover suitability of control design as well as the effectiveness of those controls over a period of months.

User entities require SOC 1 audits to be performed on the IT systems of service organizations when the service organization’s information technology (IT) infrastructure is part of the user entity’s IT system and the user entity needs to verify that the service organization’s controls relevant to the user entity’s own internal control over financial reporting are adequate. There are two types of reports that can be written as a result of a complete SOC 1 engagement. In a SOC 1 Type 1 report, also called a Report on management’s description of a service organization’s system and the suitability of the design of controls, the service auditor expresses an opinion on the fairness of the description of the system and on the assertion about the system written by the service organization’s management. A Type 1 report covers only the suitability of the design of the controls to achieve specific control objectives; it does not address the operating effectiveness of those controls, which is covered in a Type 2 report. Additionally, a SOC 1 Type 1 report covers controls as of a specified date.

A SOC 1 Type 2 report, referred to as a Report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls, covers both the suitability of the design and the operating effectiveness of the controls. A SOC 1 Type 2 audit includes the information in a Type 1 report as well as the service auditor’s opinion on the effectiveness of the controls in meeting the control objectives over a period of months. While a Type 1 report may be suitable at times, a Type 2 report will be more desirable in most instances, as it provides more information to the user auditor over a longer time period.


CPAs Outsource SOC 1 Audits

Financial audits may need to include SOC 1 Type 2 audits of any service organizations involved.

Summary

  • User financial auditors have the option of outsourcing SOC 1 audits
  • SOC 1 audits in support of user auditors auditing accounting data increase assurance of reliable financial status.

CPAs performing financial statement audits have the option to outsource a SOC 1 audit of their client’s information technology data controls to provide their client with a higher level of confidence in the financial report. As more companies begin to comply with the new AICPA standards for auditing information technology systems, it will become necessary for them to require SOC 1 Type 2 audits of IT systems as validation of the accuracy of the accounting data used in their financial statements and of compliance with the new control standards. Information technology users that can provide such assurances to their customers and to other service organizations are today being sought out by others that have already been certified.

The auditing team at Integrated Accounting Services LLC provides SOC 1 reports for CPA firms to assist auditors in providing assurance to their clients that their reports are based on validated data. The team leaders are CPA.CITP credentialed, with experience in both accounting audits and IT systems audits.

The team also performs SOC 2 audits and issues SOC 3 certificates of compliance for financial institutions, service organizations and others using systems where security, availability, processing integrity, confidentiality and privacy are required.
