SOC Audit Standards for Service Organizations

SOC standards define new guidelines for auditors assessing IT systems for compliance.


  • New federal law requires that IT systems that process private and nonpublic personal data have controls to protect data from theft.

  • SAS 70 audits are no longer evidence of compliance.

  • All businesses that collect, process, and store private and nonpublic data must comply.

  • A CITP is approved by AICPA to certify IT system compliance with standards.

New standards for entities processing private and nonpublic data were established in response to a federal law requiring that IT systems have adequate controls to protect private and nonpublic data. The uniform auditing standards for assessing compliance are set forth in AICPA's guide, Reports on Controls at a Service Organization Over Security, Availability, Processing Integrity, Confidentiality or Privacy, which was issued in 2011. SAS 70 reports are no longer issued or accepted as evidence of sufficient controls for the protection of data. Service organizations, data centers, financial institutions and others who provide information technology (IT) infrastructure for data collection, processing, storage, and data reporting of financial transactions for clients are now required to comply with the new federal standards. To receive an AICPA certificate from a Certified Information Technology Professional (CPA.CITP) as being in compliance with the new standards, all entities using an information technology infrastructure to process data must be audited. A CPA.CITP audit determines the suitability of the system design and operating effectiveness of data controls according to Service Organization Controls (SOC) 2 standards.

To provide a professional solution for these new standards, the team at Integrated Accounting Services (IAS) performs audits for service organizations and their clients during the same testing period where possible. IAS's integrated approach to auditing both the service organization and its clients provides increased security, integrity and privacy for all systems. Timely, coordinated reports and periodic follow-ups are part of the integrated approach to qualifying service organizations and their user entities and reporting the higher level of assurance to responsible parties.

This article is provided by Integrated Accounting Services for those seeking clarification of IT system and control requirements. Please contact us if you need an assessment of your system and help determining whether you need a SOC 1 or a SOC 2 audit to assure clients of your compliance with new standards.



