Financial Privacy Rule-Safeguards Rule

At Integrated Accounting Services LLC our understanding of the “SAFEGUARDS RULE” issued by the Federal Trade Commission makes it imperative that all processors of nonpublic and private personal data be compliant with the American Institute of Certified Public Accountants guidelines for designing and implementing controls for the protection of data.
The Safeguards Rule is the Federal Trade Commission’s response to Section 501(b) of the Gramm-Leach-Bliley (GLB) Act which requires ALL FINANCIAL INSITUTIONS OVER WHICH FTC HAS JURSIDICTION to establish IT control standards that safeguard customer information. The GLB Act applies to any financial institution or business that is processing or storing “customer information” including financial institutions and businesses that receive customer information from others storing and processing consumer information. The purpose of the Safeguards Rule is to define the requirements of GLB Act in IT terms for the “development, implementation and maintaining of administrative, technical, and physical safeguards to protect personal and nonpublic customer information”.
To assist in the implementation of the Safeguards Rule the AICPA has established a set of standards and guidelines known as System Organization Controls (SOC). SOC guidelines provide an assessment and reporting procedure for CPAs when auditing assertions by the management of an IT system as to the adequacy of their IT controls. The assessments determine the adequacy of their IT controls being in compliance with the SAFEGUARD RULE. The SOC 1 standard, test the controls that determine the validity of the data used in preparing financial reports and the reliability of its source. SOC 2 also test the management assertions as to the adequacy of the, “Security, Availability, Process Integrity, Confidentiality or Privacy” controls.
The financial liability being incurred by operators of non-compliant IT systems has become enormous as the magnitude of the number of intrusions, identity thefts, fraud and other unauthorized uses continues to increase both nationally and internationally. It has become incumbent upon all non-certified businesses and institutions processing personal and nonpublic data to be assessed for compliance with SOC by a CPA who is a Certified Information Technology Professional (CITP) approved by AICPA. At Integrated Accounting Services LLC the CITP staff performs both SOC 1 and SOC 2 audits as part of financial audit to insure the financial report is based on processed data that is valid.
With the emergence of globally connected IT systems the failure of IT system users to be compliant with the law when connecting to other IT systems, places the entire global IT community at risk as proven again recently. Two hackers in Europe removed over seven hundred thousand personal and nonpublic files from the State of Utah IT records. The potential financial loss for consumers that can result from intrusions of this type into non-compliant IT systems can be non-recoverable. The FTC has no alternative but to insist that Federal and State agencies responsible for licensing institutions and business enforce the laws governing IT systems controls that have been passed. CITPs must be employed to perform independent audits according to SOC guidelines to determine correctness of management assertions as to the adequacy of their IT controls. Non-compliance could result in the same treatment bestowed on those that fail financial audits.
IAS assists the management of IT systems in the private and public sector in the preparation of Security Plans and assertions to insure their IT controls are in compliance with the GLB Act and the SAFEGUARDS RULE. IAS audits and assesses the Security Plans according to SOC standards and guidelines. Michael C. Warren owner of IAS is approved as a CITP by the AICPA and is qualified to certify compliance with the law. Certifications can be withheld in the event there are recommended changes or corrections until they are incorporated.

SSAE 16 Implements Safeguards Rule In Gramm-Leach-Bliley Act

Thanks, guys.

Phil Gramm, Jim Leach and Thomas Bliley, authors of the Gramm-Leach-Bliley Act

SSAE 16 establishes Service Organization Controls


  • The  GRAMM-LEACH-BLILEY ACT  requires new IT  system controls.
  • Safeguards Rule requires IT system controls certified.
  • SSAE 16 guidelines replaces SAS 70 audit reports.

The Statement of Standards for Attestation Engagements, No. 16 (SSAE 16) issued April 2010 by American Institute of Certified Public Accountants (AICPA) Auditing Standards Board became effective on June 15, 2011.  SSAE 16 is  in response to the dictates of the Safeguards Rule contained in the Gramm-Leach-Bliley Act that became law on November 12, 1999, establishes a universal standard for service organization and user audits. The Safeguards Rule requires all financial institutions to design, implement and maintain safeguards to protect customer information. The Safeguards Rule applies not only to financial institutions, that collect information from their own customers, but also to financial institutions such as credit reporting agencies, appraisers, and mortgage brokers that receive customer information from other financial institutions. (For details see Disclosure of Nonpublic Personal Information, codified at 15 U.S.C. §§ 6801)

Audit opinions and reports such as SAS 70 will no longer be acceptable because they were based on inadequate guidelines for auditing evaluations and testing of security, availability, processing integrity, confidentiality or privacy of information technology infrastructures. As such, SAS 70 did not provide adequate assurance that the safety controls of a service organization were sufficient for the protection of user entities. Audits are now performed according Service Organizational Controls (SOC) established by American Institute of Certified Accounting Professionals  (AICPA) with the passage Statement of Standards for Attestation Engagements (SSAE) 16 in April 2010.

SSAE 16 requires the same level of evidence and assurance that sufficient controls are in place that was intended under a SAS 70 service auditor engagement. Unfortunately, SAS 70 standards failed to define the degree and type of auditing necessary to provide adequate security and privacy .

To provide a professional solution for these new standards the team at Integrated Accounting Services (IAS) performs audits for service organizations and their clients during the same testing period where possible.  IAS’s integrated approach to auditing both the service organization and its clients provides increased security, integrity and privacy for all systems. Timely coordinated reports and periodic follow-ups are part of the integrated approach to qualifying service organizations and their user entities and reporting the higher level of assurance to responsible parties in compliance with GRAMM-LEACH-BLILEY ACT.

This article is provided by Integrated Accounting Services for those seeking clarification of IT system and control requirements. Please contact us if you need an assessment of your system and to determine whether you need a SOC 1 or a SOC  2 audit to assure clients of your compliance with new standards.


Go back to top