Financial Privacy Rule-Safeguards Rule

At Integrated Accounting Services LLC our understanding of the “SAFEGUARDS RULE” issued by the Federal Trade Commission makes it imperative that all processors of nonpublic and private personal data be compliant with the American Institute of Certified Public Accountants guidelines for designing and implementing controls for the protection of data.
The Safeguards Rule is the Federal Trade Commission’s response to Section 501(b) of the Gramm-Leach-Bliley (GLB) Act which requires ALL FINANCIAL INSITUTIONS OVER WHICH FTC HAS JURSIDICTION to establish IT control standards that safeguard customer information. The GLB Act applies to any financial institution or business that is processing or storing “customer information” including financial institutions and businesses that receive customer information from others storing and processing consumer information. The purpose of the Safeguards Rule is to define the requirements of GLB Act in IT terms for the “development, implementation and maintaining of administrative, technical, and physical safeguards to protect personal and nonpublic customer information”.
To assist in the implementation of the Safeguards Rule the AICPA has established a set of standards and guidelines known as System Organization Controls (SOC). SOC guidelines provide an assessment and reporting procedure for CPAs when auditing assertions by the management of an IT system as to the adequacy of their IT controls. The assessments determine the adequacy of their IT controls being in compliance with the SAFEGUARD RULE. The SOC 1 standard, test the controls that determine the validity of the data used in preparing financial reports and the reliability of its source. SOC 2 also test the management assertions as to the adequacy of the, “Security, Availability, Process Integrity, Confidentiality or Privacy” controls.
The financial liability being incurred by operators of non-compliant IT systems has become enormous as the magnitude of the number of intrusions, identity thefts, fraud and other unauthorized uses continues to increase both nationally and internationally. It has become incumbent upon all non-certified businesses and institutions processing personal and nonpublic data to be assessed for compliance with SOC by a CPA who is a Certified Information Technology Professional (CITP) approved by AICPA. At Integrated Accounting Services LLC the CITP staff performs both SOC 1 and SOC 2 audits as part of financial audit to insure the financial report is based on processed data that is valid.
With the emergence of globally connected IT systems the failure of IT system users to be compliant with the law when connecting to other IT systems, places the entire global IT community at risk as proven again recently. Two hackers in Europe removed over seven hundred thousand personal and nonpublic files from the State of Utah IT records. The potential financial loss for consumers that can result from intrusions of this type into non-compliant IT systems can be non-recoverable. The FTC has no alternative but to insist that Federal and State agencies responsible for licensing institutions and business enforce the laws governing IT systems controls that have been passed. CITPs must be employed to perform independent audits according to SOC guidelines to determine correctness of management assertions as to the adequacy of their IT controls. Non-compliance could result in the same treatment bestowed on those that fail financial audits.
IAS assists the management of IT systems in the private and public sector in the preparation of Security Plans and assertions to insure their IT controls are in compliance with the GLB Act and the SAFEGUARDS RULE. IAS audits and assesses the Security Plans according to SOC standards and guidelines. Michael C. Warren owner of IAS is approved as a CITP by the AICPA and is qualified to certify compliance with the law. Certifications can be withheld in the event there are recommended changes or corrections until they are incorporated.

Go back to top