Service Organization Controls (SOC)

Service Organization Controls (SOC) are standards and guidelines for CITPs to use when assessing the fairness of management's assertions about the adequacy of the IT protection controls of their Information Technology systems.

Summary

  • Service Organizations collect, store, and process data using information technology (IT) on behalf of financial institutions, businesses and individuals.
  • New standards and guidelines for auditing IT systems, named Service Organization Controls (SOC), apply to every organization that processes data on IT systems.
  • Type 1 audits are conducted in a single short session and consider suitability only, while Type 2 audits cover a period of time and consider both the suitability and the effectiveness of controls.
  • Audits determine whether management reports fairly describe the adequacy of the security, availability, processing integrity, confidentiality, and privacy controls.

A growing number of companies that use information technology systems outsource the processing of personal and nonpublic data to companies that collect, store, and process the information on their behalf. The companies to which these services are outsourced are known as “Service Organizations”.

SOC is an acronym for Service Organization Controls, the name given to a set of new standards and guidelines for auditing information technology (IT) systems that collect and process private and nonpublic data. Although the name implies that the new regulations apply only to Service Organizations, they actually apply to all businesses, financial institutions and any other organization that processes personal and nonpublic data.

SOC standards and guidelines were established by the American Institute of Certified Public Accountants (AICPA) on June 15, 2011. The AICPA created the SOC auditing standards in response to the Gramm-Leach-Bliley Act and other related federal and state regulations.

A SOC audit is an attestation engagement in which a CPA.CITP gathers evidence as to the fairness of the assertions made in the management report of a service organization or financial institution. The management report asserts the adequacy and suitability of the design of the IT system controls and their operating effectiveness. The attestation objectively assesses the measurement and communication asserted by the responsible party according to the requirements of the AICPA’s SSAE 16 (AT 101.20), issued on April 16, 2010. The guidelines and standards are virtually identical to their international counterpart, the International Accounting Standards Board (ISAB)’s International Standard on Assurance Engagements (ISAE) 3402.

SOC requires that the information technology systems of all financial institutions and all other businesses that process, store or collect personal and nonpublic data have controls that protect the data from intrusions, identity theft and other unauthorized uses.

SOC establishes three audit standards, SOC 1, SOC 2, and SOC 3, to evaluate IT systems and determine, respectively, the security and accuracy of financial data associated with financial reporting, the total operation of the system, and privacy.

SOC 1 Type 1 and SOC 2 Type 1 audits are conducted in a single session over a short period of time, whereas Type 2 audits consist of several sessions over a period of time such as six months. Additionally, Type 1 reports consider only the suitability of controls, whereas Type 2 reports consider both the suitability of controls and their effectiveness at meeting stated design goals.

The auditor’s report includes the results of the tests necessary to enable the auditor to express an unqualified opinion that the information technology system and controls described by the management report allow financial statements to be fairly presented, in all material respects, and in conformity with the standards established by the following principles:

1. Security: The system is protected against unauthorized access (both physical and logical).

2. Availability: The system is available for operation and use as committed or agreed.

3. Processing integrity: System processing is complete, accurate, timely, and authorized.

4. Confidentiality: Information designated as confidential is protected as committed or agreed.

5. Privacy: Personal information (i.e., information that is about or can be related to an identifiable individual) is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with the criteria set forth in the Generally Accepted Privacy Principles (GAPP) issued by the AICPA and CICA.

The number of lawsuits resulting from failures to protect personal and nonpublic data, and the enormous number of intrusions and identity thefts, is growing at a very rapid pace both nationally and internationally. It is incumbent upon all businesses and institutions processing personal and nonpublic data to become compliant and certified as having adequate controls for their IT systems in accordance with the SOC 1, SOC 2, and SOC 3 standards and guidelines. If we do not take on this responsibility in the immediate future, it will become mandatory for government agencies to take action to enforce laws requiring certification for the protection of all IT systems.

To provide a professional solution for these new standards, the team at Integrated Accounting Services (IAS) performs audits for service organizations and their clients during the same testing period where possible. IAS’s integrated approach to auditing both the service organization and its clients provides increased security, integrity and privacy for all systems. Timely coordinated reports and periodic follow-ups are part of the integrated approach to qualifying service organizations and their user entities and reporting the higher level of assurance to the responsible parties.

This article is provided by Integrated Accounting Services for those seeking clarification of IT system and control requirements. Please contact us if you need an assessment of your system and help determining whether you need a SOC 1 or a SOC 2 audit to assure clients of your compliance with the new standards and guidelines set by the AICPA.
