Integrated Accounting Services LLC Issues SOC Certifications

CPA.CITPs at Integrated Accounting Services are certified by the AICPA to issue SOC certifications as to the adequacy and effectiveness of IT controls.


  • Integrated Accounting Services, LLC is qualified to conduct SOC 1, SOC 2 and SOC 3 audits.
  • SOC 1 audits are limited to a service organization’s controls related to a user entity’s internal controls over financial reporting.
  • SOC 1 audits are conducted in accordance with SSAE 16.
  • SOC 2 audits examine a service organization’s controls relevant to security, availability, processing integrity, confidentiality and/or privacy.
  • SOC 2 audits are conducted in accordance with AT 101.
  • SOC 3 audits are distributed to the public and are SOC 2 audits but contain no detail as to testing and results.
  • SysTrust or SOC 3 certification can be used by service organizations for marketing purposes.

The Integrated Accounting Services, LLC team of CPA.CITP specialists examines and reports, according to the new AICPA standards SSAE 16 and AT 101, on the controls of financial institutions, service organizations and their users processing personal, nonpublic data. To assist auditors in the selection of the appropriate standard or guide for a particular type of investigation, the AICPA has quantified and organized the audit reports and named them the Service Organization Controls (SOC) reports. Three types of engagements are named. The source of the guidance for performing and reporting each type has been defined and given the following designations:

  1. SOC 1: This audit is performed according to SSAE No. 16, Reporting on Controls at a Service Organization (AICPA, Professional Standards, AT section 801), Service Organization: Applying SSAE No. 16. This examination is limited to data relevant to a user entity’s internal control over financial reporting. The SOC 1 audit, based on SSAE 16, replaces SAS 70 standards for reporting on the adequacy of controls relevant to internal controls over financial reporting for financial institutions, service organizations and their users. SAS 70 reports are no longer accepted as evidence that financial institutions and service organizations have sufficient security and privacy controls.
  2. SOC 2: The SOC 2 audit provides the management of companies such as financial institutions, service organizations, and user entities with information and a CPA’s opinion about their system and controls relevant to security, availability, processing integrity, confidentiality or privacy. The engagement of an auditor is in accordance with AT 101, Attest Engagements (AICPA Professional Standards) and the AICPA Guide, Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy. The SOC 2 Type 2 report also includes the CPA’s opinion about their compliance with the commitments in their statement of privacy. A SOC 2 audit evaluates a management assertion of financial institutions and service organizations as well as their clients to determine the suitability and sufficiency of the measurements and communications of the controls described by the management assertion over a specified period of months.
  3. SOC 3: This report is a summary of a CPA or CPA.CITP’s SOC 2 opinion about the controls at a financial institution, service organization or user entity relevant to security, availability, processing integrity, confidentiality, or privacy that can be provided to interested parties seeking assurance of the audited entity’s compliance with the new AICPA standards. The audit must be in strict accordance with the guidelines of AT 101 and TSP section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Technical Practice Aids). These guidelines address the privacy principle and provide for a CPA’s opinion about compliance with the commitments of IT systems in their privacy notice.

Financial institutions, service organizations and entities using IT systems can now provide proof of compliance by obtaining a SysTrust Certificate. Additional protection is now possible for financial institutions and service organizations because they have the right to require that those with whom they are exchanging information meet the new requirements for security and privacy defined by SOC 1 and SOC 2 and qualify for a SOC 3 certification to ensure their compliance with strict standards.

Integrated Accounting Services’ team leader, Mike Warren, is a CPA qualified as a CITP to perform audits on information technology systems in accordance with SOC 1, SOC 2 and SOC 3 guidelines. A CPA.CITP is approved by the AICPA to issue a SOC 3 (SysTrust) Certificate of SOC Compliance for qualifying financial institutions, service organizations and their users.

To provide a professional solution for these new standards, the team at Integrated Accounting Services (IAS) performs audits for service organizations and their clients during the same testing period where possible. IAS’s integrated approach to auditing both the service organization and its clients provides increased security, integrity and privacy for all systems. Timely, coordinated reports and periodic follow-ups are part of the integrated approach to qualifying service organizations and their user entities and reporting the higher level of assurance to responsible parties.

This article is provided by Integrated Accounting Services for those seeking clarification of IT system and control requirements. Please contact us if you need an assessment of your system and to determine whether you need a SOC 1 or a SOC 2 audit to assure clients of your compliance with new standards.
