INFORMATION TECHNOLOGY LABORATORY (ITL)

At Integrated Accounting Services, LLC we encourage anyone concerned about the security and privacy of information technology systems to check out the work being done by the Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST). The NIST website (http://csrc.nist.gov, Computer Security Division) states: “ITL promotes the U.S. economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL’s responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of other than national security-related information in federal information systems.”

As such, ITL is in the unique position of being able to advise on, as well as support, the standardization of control processes for the private sector. ITL has an in-depth understanding of the IT control problems that must be solved to integrate private systems with existing government systems. It is in the best interest of the government to be involved in this process, both to ensure compatibility of systems and to establish confidence in the quality of the controls that will be placed on the systems with which it is integrating.

Everyone interested in advancing the design and planning of IT systems should become knowledgeable about the accomplishments of NIST by reading its Special Publication 800-series reports. The 800-series reports on ITL’s research, guidelines, and outreach efforts in information system security, and on its collaborative activities with industry, government, and academic organizations. NIST Special Publication 800-53, “Recommended Security Controls for Federal Information Systems and Organizations”, lists pages of specific controls that would be considered in the preparation of a standardized list of IT system controls for the private sector.

The American Institute of Certified Public Accountants (AICPA) has developed and adopted a set of guidelines and regulations for CPA audits, entitled Service Organization Controls (SOC), in response to the requirements of the Gramm-Leach-Bliley Act. SOC is divided into two general types of audits, SOC 1 and SOC 2, that are described on this site in detail. SOC is very specific as to the types of assessments that are to be made for each type of audit. However, the SOC guidelines and regulations do not define the controls to be evaluated as part of an accounting audit to the same depth as the controls identified by NIST.

A very large portion of the IT system data worldwide relates to the actual accounting of income and expense data. It would substantially improve confidence in the accuracy of the data and in the validity of private, corporate and government audits if the standardized list of controls adopted for financial audits were identified and placed in a category separate from other types of controls.

To expedite certification of the adequacy of IT controls on financial systems, the accounting category should be further divided and organized according to how the AICPA requires CPAs to assess and certify the adequacy of the controls.

A SOC 1 audit assesses controls under two entirely different sets of circumstances. Under the requirements of SSAE No. 15, the audit is “An Examination of an Entity’s Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements”. These controls deal with the validity and correctness of the data itself.

A SOC 1 audit according to the requirements of SSAE No. 16 reports “On Controls at a Service Organization” that is processing private and nonpublic personal data for its customers. The two sets of controls obviously differ in approach, even though there is some overlap. Standardizing would require developing different categories of controls for each type of audit.

SOC 2 audits deal with five different concerns: security, availability, processing integrity, confidentiality, and privacy. Specific controls come into play for each of these areas, and there is overlap among controls intended to prevent financial theft, ensure timely transmission, prevent intrusion or manipulation, limit access, and enforce nondisclosure.

Should those involved in designing and operating IT systems decide to become knowledgeable about the standards developed by NIST, it would provide a common starting point for the first of a series of joint meetings. The fact that the responsibility given to ITL is limited to federal systems that are not national security-related means that all other federal IT systems are designed and implemented to the same security and safety control guidelines and regulations. The federal systems established by ITL are designed to interface with the private sector as much as possible, considering the number of different systems. It would appear to be a viable approach to solving a major problem.

At Integrated Accounting Services LLC, we believe that the establishment of a standard federal IT system by ITL provides a tremendous opportunity to begin the process of standardizing all private sector systems. Joint studies have been limited by the lack of agreement on a starting point of reference. Utilizing what ITL has developed would begin the process of developing a compliance standard for controls for each of the standard types of IT systems that are emerging in the private sector. Having standardized IT system controls for each type of IT system would obviously create the high level of security and safety now enjoyed when processing private, personal and nonpublic data in the medical industry.

Through coordination meetings with IT system organizations, users, system designers, and equipment vendors in the private sector, ITL could provide direction on how to establish private system controls that would be in compliance with its regulations and guidelines. ITL would also have the opportunity to modify its design to assist in reaching agreement on a universal compliance standard. The meetings would be organized and implemented in the same manner as the industry-wide organizational programs and joint meetings that were so successful in the development of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), sixteen years ago.

Please contact Integrated Accounting Services LLC if you are interested in attending and being part of a Joint Planning Task Force meeting with NIST, by commenting and making suggestions on this post.

Interaction Determines SOC 1 Need

Level of interactivity determines need for SOC 1.

Summary

The type of interaction between user entities and the service organizations providing their information technology services is defined by the degree to which the user entity is able to monitor the services of the service organization, which are separate from the user entity, and by the user entity’s ability to establish controls over those services. A user auditor may decide that the interaction between the user entity and the service organization is sufficient to allow the user entity to establish its own controls and avoid the need for the service organization to undergo a SOC 1 audit.

For a user auditor to evaluate the controls of a service organization, the auditor should understand the five components of the user entity’s internal control: the control environment, the risk assessment process, the information and communication system, control activities, and monitoring of controls. This is necessary to determine whether the entity’s internal controls are sufficient and to assess the risk of material misstatement, whether due to error or fraud. This permits the auditor to design the nature, timing, and requirements of additional audit procedures in accordance with paragraph 40 of Statement on Auditing Standards (SAS) No. 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement (AICPA, Professional Standards, AU sec. 314).

To provide a professional solution for these new standards the team at Integrated Accounting Services (IAS) performs audits for service organizations and their clients during the same testing period where possible.  IAS’s integrated approach to auditing both the service organization and its clients provides increased security, integrity and privacy for all systems. Timely coordinated reports and periodic follow-ups are part of the integrated approach to qualifying service organizations and their user entities and reporting the higher level of assurance to responsible parties.

This article is provided by Integrated Accounting Services for those seeking clarification of IT system and control requirements. Please contact us if you need an assessment of your system and to determine whether you need a SOC 1 or a SOC 2 audit to assure clients of your compliance with the new standards.


CPAs Outsource SOC 1 Audits

Financial audits may need to include SOC 1 Type 2 audits of any service organizations involved.

Summary

  • User financial auditors have the option of outsourcing SOC 1 audits.
  • SOC 1 audits in support of user auditors auditing accounting data increase assurance of reliable financial status.

CPAs performing financial statement audits have the option to outsource a SOC 1 audit of their client’s information technology data controls to provide the client with a higher level of confidence in the financial report. As more companies begin to comply with the new AICPA standards for auditing information technology systems, it will become necessary for them to require SOC 1 Type 2 audits of IT systems as validation of the accuracy of the accounting data used in their financial statements and of compliance with the new control standards. Users of information technology that can provide such assurances to their customers and to other service organizations are today being sought out by others that have been certified.

The auditing team at Integrated Accounting Services LLC provides SOC 1 reports for CPA firms to assist auditors in providing assurances to their clients that their reports are based on validated data. The team leaders are CPA.CITP approved, with experience in both accounting audits and IT system audits.

The team also performs SOC 2 audits and issues SOC 3 certificates of compliance for financial institutions, service organizations and others using systems where security, availability, processing integrity, confidentiality and privacy are required.


Why You Need SOC Audits

SOC audits assess whether IT systems are compliant with new federal laws and IT international standards.

Summary

  • The AICPA has created SOC standards to address the problem of data security.
  • Federal regulations require that businesses safeguard personal, and nonpublic data.
  • SOC 1 reports replace SAS 70.
  • SOC 2 and SOC 3 reports provide new standards to assure greater data security.

Cyber espionage has become a major problem for information technology in the United States and internationally. Part of the reason is that the system designs and operating effectiveness of the information systems used by financial institutions, service organizations and others that process private and nonpublic information do not provide adequate privacy and protection controls. These intrusions have become a serious financial problem for users of information technology systems. Federal law requires that all financial institutions, service organizations and others handling private and nonpublic data using information technology provide evidence that they have incorporated adequate controls for the protection of the data. To provide proof of meeting the law, those processing the data must produce a management description of their system and controls that asserts the suitability and effectiveness of the controls protecting the system. An independent CPA experienced and knowledgeable about IT systems, or a CPA.CITP auditor, must be engaged to attest to the suitability of the measurements and the effectiveness of the controls described in the management report before the information system can be certified to be in compliance with the Service Organization Controls (SOC) standards. The AICPA has issued regulations and guidelines for those performing the audits and preparing the reports to determine whether the system is certifiable.

The Statement on Standards for Attestation Engagements, No. 16 (SSAE 16), issued April 2010 by the AICPA’s Auditing Standards Board, became effective on June 15, 2011. SSAE 16 establishes a universal standard and recommended guidelines for the audit of financial institutions, service organizations and others processing confidential, private and nonpublic data. The standards and guidelines were issued in response to the dictates of the Safeguards Rule contained in the Gramm-Leach-Bliley Act, which became law on November 12, 1999. They establish a universal standard for all SOC audits. SSAE 16 is considered to contain the same requirements as the International Standard on Assurance Engagements (ISAE) 3402. SSAE 16 also includes new guidance for assurance audits of Internal Controls over Financial Reporting (ICFR) for service organizations, likewise effective June 15, 2011.

The Safeguards Rule requires all financial institutions to design, implement and maintain safeguards to protect customer information. The Safeguards Rule applies not only to financial institutions that collect information from their own customers, but also to financial institutions such as credit reporting agencies, appraisers, and mortgage brokers that receive customer information from other financial institutions. (For details see Disclosure of Nonpublic Personal Information, codified at 15 U.S.C. § 6801.)

The new uniform auditing standards are set forth in the AICPA’s guide, Reports on Controls at a Service Organization Over Security, Availability, Processing Integrity, Confidentiality or Privacy, issued in 2011 and effective June 15, 2011. The guidelines document is known as Service Organization Controls (SOC). The guidelines describe three types of audits, labeled SOC 1, SOC 2 and SOC 3.

A SOC 1 audit examines and tests information technology (IT) infrastructures according to the ICFR terms that replace SAS 70; these are part of the Statement on Standards for Attestation Engagements, SSAE 16, Reporting on Controls at a Service Organization, adopted April 2011.

SOC 2 and SOC 3 audit processes are conducted in accordance with AT Section 101 and rely on the recently released AICPA audit guide titled “Reports on Controls at a Service Organization over Security, Availability, Processing Integrity, Confidentiality or Privacy”.

These audits include tests of the information systems and controls, along with any other procedures necessary to enable the auditor to express an unqualified opinion that the information technology systems and controls described in the management assertion conform, in all material respects, with the established standards.


What Businesses Can Profit From SOC 2 Type 2 Audits?

SOC 2 Type 2 certifications qualify business to exchange data with other certified IT systems.

Summary

  • Successful SOC 2 Type 2 reports enable businesses to process personal and nonpublic data.
  • SOC 2 Type 2 certifications assure stakeholders that their liability is limited by having well designed controls in place.

Effective June 15, 2011, companies that have information technology systems handling confidential, private and nonpublic data can become qualified to connect with other data processing systems by complying with the Service Organization Controls (SOC) system design and control requirements established by the American Institute of CPAs (AICPA). User entities and service organizations need to work together to establish and agree on the critical controls that meet the requirements of the audit. Companies that have not established information technology controls and incorporated standards that meet the SOC guidelines could be in jeopardy of failing the SOC 2 audit requirements established by the AICPA. This could result in the loss of business, because other companies with whom they are connecting IT systems will want assurance that their system designs and controls are sufficient to pass a SOC 2 Type 2 audit.

Users of service organizations that establish proper SOC 2 Type 2 system design and controls will also need their third-party service organizations to have been certified. Users can then state that their system has the controls to provide adequate protection.

Who Needs SOC 2 Type 2 reports?

Businesses that are connected to IT systems must be audited to determine if they have adequate controls to protect private and nonpublic data.

Summary

  • A SOC 2 Type 2 audit report is issued by a CPA or CPA.CITP and covers the suitability and effectiveness of controls over data at a service organization.
  • A SOC 2 Type 2 audit report examines controls over the security, availability, processing integrity, confidentiality and privacy of data.

SOC 2 is one of three guidelines and standards introduced by the American Institute of Certified Public Accountants (AICPA). The AICPA has named the guidelines Service Organization Controls (SOC), with subcategories SOC 1, SOC 2, and SOC 3. A SOC 2 engagement is conducted in accordance with AT 101 and complies with the AICPA audit guide, Reports on Controls at a Service Organization over Security, Availability, Processing Integrity, Confidentiality or Privacy.

SOC 2 Type 2 is an attestation report issued by a CPA or CPA.CITP stating an opinion on the assertion by management of a service organization, related entities, or companies processing personal and nonpublic IT data regarding the suitability and effectiveness of their controls. A SOC 2 Type 2 report is written after an auditor conducts tests of the system and controls of a service organization’s information technology system and operating procedures to ensure that they meet the strict criteria for security, availability, processing integrity, confidentiality and privacy.

Integrated Accounting Services (IAS) provides SOC2 Type 2.com as a public service to those seeking an explanation of the SOC standards that must be met by service organizations and their users.
