Financial Privacy Rule-Safeguards Rule

At Integrated Accounting Services LLC, our understanding of the “SAFEGUARDS RULE” issued by the Federal Trade Commission makes it imperative that all processors of nonpublic and private personal data be compliant with the American Institute of Certified Public Accountants (AICPA) guidelines for designing and implementing controls for the protection of data.
The Safeguards Rule is the Federal Trade Commission’s response to Section 501(b) of the Gramm-Leach-Bliley (GLB) Act, which requires ALL FINANCIAL INSTITUTIONS OVER WHICH THE FTC HAS JURISDICTION to establish IT control standards that safeguard customer information. The GLB Act applies to any financial institution or business that is processing or storing “customer information”, including financial institutions and businesses that receive customer information from others that store and process consumer information. The purpose of the Safeguards Rule is to define the requirements of the GLB Act in IT terms for the “development, implementation and maintenance of administrative, technical, and physical safeguards to protect personal and nonpublic customer information”.
To assist in the implementation of the Safeguards Rule, the AICPA has established a set of standards and guidelines known as System Organization Controls (SOC). SOC guidelines provide an assessment and reporting procedure for CPAs when auditing assertions by the management of an IT system as to the adequacy of its IT controls. The assessments determine whether those IT controls are adequate to comply with the SAFEGUARDS RULE. The SOC 1 standard tests the controls that determine the validity of the data used in preparing financial reports and the reliability of its source. SOC 2 also tests the management assertions as to the adequacy of the “Security, Availability, Process Integrity, Confidentiality or Privacy” controls.
The financial liability being incurred by operators of non-compliant IT systems has become enormous as the number of intrusions, identity thefts, frauds and other unauthorized uses continues to increase both nationally and internationally. It has become incumbent upon all non-certified businesses and institutions processing personal and nonpublic data to be assessed for compliance with SOC by a CPA who is a Certified Information Technology Professional (CITP) approved by the AICPA. At Integrated Accounting Services LLC, the CITP staff performs both SOC 1 and SOC 2 audits as part of a financial audit to ensure the financial report is based on processed data that is valid.
With the emergence of globally connected IT systems, the failure of IT system users to be compliant with the law when connecting to other IT systems places the entire global IT community at risk, as proven again recently. Two hackers in Europe removed over seven hundred thousand personal and nonpublic files from the State of Utah IT records. The potential financial loss for consumers that can result from intrusions of this type into non-compliant IT systems can be non-recoverable. The FTC has no alternative but to insist that Federal and State agencies responsible for licensing institutions and businesses enforce the laws governing IT system controls that have been passed. CITPs must be employed to perform independent audits according to SOC guidelines to determine the correctness of management assertions as to the adequacy of their IT controls. Non-compliance could result in the same treatment bestowed on those that fail financial audits.
IAS assists the management of IT systems in the private and public sector in the preparation of Security Plans and assertions to ensure their IT controls are in compliance with the GLB Act and the SAFEGUARDS RULE. IAS audits and assesses the Security Plans according to SOC standards and guidelines. Michael C. Warren, owner of IAS, is approved as a CITP by the AICPA and is qualified to certify compliance with the law. Certifications can be withheld in the event there are recommended changes or corrections, until they are incorporated.

Protecting Private Data From Intrusions

The private and nonpublic data being processed by information technology systems has become a major financial risk for businesses and governments worldwide due to the lack of adequate controls for protection of the data. As the use of the Internet for exchanging correspondence and financial data has grown, the number of unauthorized intrusions into information technology systems has increased, creating enormous financial losses.

The increase in the financial risks of utilizing information technology systems necessitated the passage of the Gramm-Leach-Bliley Financial Modernization Act of 1999 (GLB). The act imposed the legal requirement that all financial institutions and organizations that process data utilizing information systems must incorporate adequate controls to identify and prevent intrusions and the theft of private and nonpublic data. The GLB Act established the Safeguards Rule of November 12, 1999, which applied to all IT systems. To meet the intent of the Safeguards Rule, the controls must provide for protection of the security, confidentiality, and integrity of private and nonpublic information. The requirements of the Safeguards Rule have become the basis of many additional federal laws intended to clarify standards and guidelines for developing and implementing administrative, technical and physical safeguards. To ensure that an organization has adequate IT controls to protect its clients and the IT systems of other companies that are connected to it, it has become necessary that IT systems be audited.

In response to the Safeguards Rule imposed by the Federal Trade Commission, Service Organization Controls (SOC) were established by the American Institute of Certified Public Accountants (AICPA) as a set of standards and guidelines to be used by auditors of IT systems. The auditors are to evaluate the adequacy of the controls incorporated as part of information technology (IT) systems in an effort to meet the new regulations.

SOC consists of three types of auditing procedures to be conducted, SOC 1, SOC 2 and SOC 3, which provide detailed definitions of the different controls that are to be verified as to adequacy. The controls include the management and administrative procedures and access limitations for institutions that process, store or collect private, personal and nonpublic data. The SOC requirements include the requirement for controls that detect and prevent unauthorized intrusion into the IT processing systems. The intent of the controls is to prevent the theft of the private and nonpublic data of customers and consumers by administrative, electronic and physical means.

The AICPA offers a certification of compliance with the SOC control requirements upon the successful completion of an audit by a CITP. A CITP is a CPA who has been evaluated and approved as a Certified Information Technology Professional by the AICPA. To enable a CITP to perform an audit of the electronic IT controls, it has become necessary that the IT system be electronically tested to determine the adequacy of the controls. This has resulted in the requirement to develop software systems that can be attached to IT systems to detect unauthorized inquiries and removal of personal data that can be used for identity theft. Protecting private data is a federal requirement that will soon require compliance to be certified.
