Oct
25

Interaction Determines SOC 1 Need

Level of interactivity determines need for SOC 1.

Summary

 The type of interaction between user entities and service organizations providing the information technology services is defined by the degree the user is able to monitor the services of the service organization, that are separate from the user entity, and the user entity’s ability to establish controls over those services.  A user auditor may decide that the interaction between the user entity and service organization is sufficient to allow the user entity to establish its own controls and avoid the need for a service organization to perform a SOC 1 audit.

For a user auditor to evaluate the controls of a service organization the auditor should understand the five components of the user entity’s internal control environment; risk assessment process, information and communication system, control activities and monitoring controls. This is necessary to determine if the entity’s internal controls are sufficient and to assess the risk of material misstatements, whether due to error or fraud. This permits the auditor to design the nature, timing, and the requirements of additional audits in accordance with paragraph 40 of Statement on Auditing Standards (SAS) No. 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement (AICPA, Professional Standards, AU sec 314).

To provide a professional solution for these new standards the team at Integrated Accounting Services (IAS) performs audits for service organizations and their clients during the same testing period where possible.  IAS’s integrated approach to auditing both the service organization and its clients provides increased security, integrity and privacy for all systems. Timely coordinated reports and periodic follow-ups are part of the integrated approach to qualifying service organizations and their user entities and reporting the higher level of assurance to responsible parties.

This article is provided by Integrated Accounting Services for those seeking clarification of IT system and control requirements. Please contact us if you need an assessment of your system and to determine whether you need a SOC 1 or a SOC  2 audit to assure clients of your compliance with new standards.

 

 

Oct
25

SOC 1 Type 1 Versus SOC 1 Type 2

What’s the difference between SOC 1 Type 1 and SOC 1 Type 2 reports?

Summary

  • SOC 1 Audits examine a service organization’s controls relevant to a user organization’s internal controls over financial reporting.
  • SOC 1 Type 1 reports cover the suitability of design of controls on a specific date.
  • SOC 1 Type 2 reports cover suitability of control design as well as the effectiveness of those controls over a period of months.

User entities require SOC 1 audits to be performed on IT systems of service organizations when their information technology (IT) infrastructure is a part of the user entity’s IT system and the user entity needs to verify that the service organization controls relevant to the user entity’s own internal control over financial reporting are adequate.  There are two types of reports that can be written as a result of a complete SOC 1 engagement. In a SOC 1 Type 1 report, also called a Report on management’s description of a service organization’s system and the suitability of the design of controls, the service auditor expresses an opinion on the fairness of the description of the system and  the assertion about the system written by the service organization’s management.  A Type 1 report only covers the suitability of the design of the controls to achieve specific control objectives; it does not discuss the effectiveness of those controls which are described in Type 2 report.  Additionally, a SOC 1 Type 1 reports on controls as of a specified date. All Posts

A SOC 1 Type 2 report, referred to as a Report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls, covers both the suitability and the effectiveness of the controls.  A SOC 1 Type 2 audit includes the information in a Type 1 report as well as the service auditor’s opinion on the effectiveness of controls in meeting control objectives over a period of months.  While a Type 1 report may be suitable  at times, a Type 2 report will be more desirable in most instances as it provides more information for a user auditor for a longer time period.

To provide a professional solution for these new standards the team at Integrated Accounting Services (IAS) performs audits for service organizations and their clients during the same testing period where possible.  IAS’s integrated approach to auditing both the service organization and its clients provides increased security, integrity and privacy for all systems. Timely coordinated reports and periodic follow-ups are part of the integrated approach to qualifying service organizations and their user entities and reporting the higher level of assurance to responsible parties.

This article is provided by Integrated Accounting Services for those seeking clarification of IT system and control requirements. Please contact us if you need an assessment of your system and to determine whether you need a SOC 1 or a SOC  2 audit to assure clients of your compliance with new standards.

Oct
24

CPAs Outsource SOC 1 Audits

Financial audits may need to include SOC 1 Type 2 audits of any service organizations involved.

 Summary

  • User financial auditors have the option of outsourcing SOC 1 audits
  • SOC 1 audits in support of user auditors auditing accounting data increases assurances of reliable financial status.

CPAs performing financial statement audits have the option to outsource a SOC 1 audit of their client’s information technology data controls to provide their client with a higher level of confidence in the financial report. As more companies begin to comply with new AICPA standards for auditing information technology systems, it will become necessary for them to require SOC 1 Type 2 audits of IT systems as validation of the accuracy of the accounting data used in their financial statements and compliance with the new control standards. Users of information technology that can provide assurances to their customers and other service organizations today are being sought out by others that have been certified.

The auditing team at Integrated Accounting Services LLC provides SOC 1 reports for CPA  firms to assist auditors in providing assurances to their clients that their reports are based on validated data.  The team leaders are CPA.CITP  approved with experience in both accounting audits and IT systems audits.

The team also performs SOC 2 audits and issues SOC 3 certificates of compliance for financial institutions, service organizations and others using systems when security, availability, processing integrity, confidentiality  and privacy are required.

To provide a professional solution for these new standards the team at Integrated Accounting Services (IAS) performs audits for service organizations and their clients during the same testing period where possible.  IAS’s integrated approach to auditing both the service organization and its clients provides increased security, integrity and privacy for all systems. Timely coordinated reports and periodic follow-ups are part of the integrated approach to qualifying service organizations and their user entities and reporting the higher level of assurance to responsible parties.

This article is provided by Integrated Accounting Services for those seeking clarification of IT system and control requirements. Please contact us if you need an assessment of your system and to determine whether you need a SOC 1 or a SOC  2 audit to assure clients of your compliance with new standards.

Oct
24

Why You Need SOC Audits

SOC audits assess whether IT systems are compliant with new federal laws and IT international standards.

Summary

  • The AICPA has created SOC standards to address the problem of data security.
  • Federal regulations require that businesses safeguard personal, and nonpublic data.
  • SOC 1 reports replace SAS 70.
  • SOC 2 and SOC 3 reports provide new standards to assure greater data security.

 Cyber espionage has become major problem for information technology in the United States and internationally.  Part of the reason is the system designs and operating effectiveness of the technological information systems used by financial institutions, service organizations and others that process private and nonpublic information do not provide adequate privacy and protection controls    These intrusions have become a serious financial problem for users of information technology systems.  Federal law requires that all financial institutions, service organizations and others handling private and nonpublic utilizing information technology provide evidence that they have incorporated adequate controls for the protection of the data. To provide proof of meeting the law, those processing the data must produce a management description of their system and controls that asserts the suitability and the effectiveness of the controls protecting the system. An independent CPA experienced and knowledgeable about IT systems or a CPA.CITP auditor must be engaged to attest to the suitability of the measurements and effectiveness of the controls described by the management report before the information system  can be certified to be in compliance with the Service Organization Controls (SOC) standards.  The AICPA have issued regulations and guidelines for those performing the audits and preparing reports to determine if the system is certifiable.

The Statement of Standards for Attestation Engagements, No. 16 (SSAE 16) issued April 2010 by AICPA’s Auditing Standards Board became effective on June 15, 2011.  SSAE 16, establishes a universal standard and recommended guidelines for the audit of financial institutions, service organizations and others processing confidential, private and nonpublic data. The standards and guidelines were issued in response to the dictates of the Safeguards Rule contained in the Gramm-Leach-Bliley Act that became law on November 12, 1999. They establish a universal standard for for all SOC audits. SSAE 16 is considered to contain the same requirements as contained in the International Standard on Assurance Engagements (ISAE) 3402. SSAE 16 includes new guidance for assurance audits of Internal Controls over Financial Reporting (ICFR) for Service Organizations that is also effective June 15, 2011 .

The Safeguards Rule requires all financial institutions to design, implement and maintain safeguards to protect customer information. The Safeguards Rule applies not only to financial institutions, that collect information from their own customers, but also to financial institutions such as credit reporting agencies, appraisers, and mortgage brokers that receive customer information from other financial institutions. (For details see Disclosure of Nonpublic Personal Information, codified at 15 U.S.C. §§ 6801.)

The new  uniform auditing standards are set forth in AICPA’s guide; Reports on Controls at a Service Organization Over Security, Availability, Processing Integrity, Confidentiality or Privacy, issued in 2011 and became effective June 15, 2011.  The guidelines document is known as Service Organization Controls , (SOC).  The guidelines describe three types of audits labeled  as SOC 1, SOC 2 and SOC 3.

A SOC 1 audit examines and tests information technology (IT) infrastructures according to the terms associated with ICFR that replaces SAS 70 which are part of the Statement of Standards for Attestation Engagements, SSAE 16- Reporting on Controls at a Service Organization adopted April 2011.

SOC 2 and SOC 3 audit processes are conducted in accordance with AT Section 101 and relies on the recently released AICPA audit guide titled ‘’ Reports on Controls at a Service Organization over Security, Availability, Processing Integrity, Confidentiality or Privacy’’.

These audits include tests of the information systems and controls along with other procedures necessary to enable the auditor to express an unqualified opinion that the information technology systems and controls described by the management assertion allow, in all material respects, conformity with the established standards.

To provide a professional solution for these new standards the team at Integrated Accounting Services (IAS) performs audits for service organizations and their clients during the same testing period where possible.  IAS’s integrated approach to auditing both the service organization and its clients provides increased security, integrity and privacy for all systems. Timely coordinated reports and periodic follow-ups are part of the integrated approach to qualifying service organizations and their user entities and reporting the higher level of assurance to responsible parties.

This article is provided by Integrated Accounting Services for those seeking clarification of IT system and control requirements. Please contact us if you need an assessment of your system and to determine whether you need a SOC 1 or a SOC  2 audit to assure clients of your compliance with new standards.


 

Oct
20

What Businesses Can Profit From SOC 2 Type 2 Audits?

SOC 2 Type 2 certifications qualify business to exchange data with other certified IT systems.

Summary

  • Successful SOC 2 Type 2 reports enable businesses to process personal and nonpublic data.
  • SOC 2 Type 2 certifications assure stakeholders that their liability is limited by having well designed controls in place.

Effective June 15, 2011 companies who have information technology systems that handle confidential,  private and nonpublic data can become qualified to connect with other data processing systems by complying with Service Organization Controls (SOC)  systems design and control requirements established by the American Institute of CPAs (AICPA).  User entities and service organizations need to work together to establish and agree on  critical controls that meet the requirements of the audit.  Companies that have not established information technology controls and incorporated standards that meet the SOC guide lines could be in jeopardy of failing the SOC 2 audit requirements established by AICPA. This could result in the loss of business because other companies with whom they are connecting  IT systems will want assurances that their systems designs and controls are sufficient to pass a SOC 2 Type 2 audit.

Users of service organizations who establish proper SOC 2 Type 2 systems design and controls will need their third party service organizations to have been certified also. Users can then state their system has the controls to provide adequate protection.

To provide a professional solution for these new standards the team at Integrated Accounting Services (IAS) performs audits for service organizations and their clients during the same testing period where possible.  IAS’s integrated approach to auditing both the service organization and its clients provides increased security, integrity and privacy for all systems. Timely coordinated reports and periodic follow-ups are part of the integrated approach to qualifying service organizations and their user entities and reporting the higher level of assurance to responsible parties.

This article is provided by Integrated Accounting Services for those seeking clarification of IT system and control requirements. Please contact us if you need an assessment of your system and to determine whether you need a SOC 1 or a SOC  2 audit to assure clients of your compliance with new standards.




Oct
19

What are SOC 2 Type 2 Reports?

SOC 2 audits of information technology systems determine the adequacy and effectiveness of the system controls.

Summary

  • SOC 2 Type 2 audits assess the management report assertion as to fairness of adequacy and effectiveness of the system controls.
  • SOC 2 Type 2 assessments are conducted at different times over a period of time.
  • SOC 2 audits provide information sufficient for an unqualified opinion as to the adequacy and effectiveness of the controls.

SOC is an acronym for Service Organization  Controls, a name given a set of standards and guidelines for auditing information technology (IT) systems that collect and process private and nonpublic data established by AICPA.  Two 0f the audits, SOC 2 and SOC 3,  audits are conducted in accordance with AT Section 101 and relies on the recently released AICPA audit guide titled ‘’ Reports on Controls at a Service Organization over Security, Availability, Processing Integrity, Confidentiality or Privacy’’. These audits include tests of the information systems and controls along with other procedures necessary to enable the auditor to express an unqualified opinion that the information technology systems and controls described by the management assertion allow, in all material respects, conformity with the standards established by the following principles:

  1. Security: The system is protected against unauthorized access (both physical and logical).
  2. Availability: The system is available for operation and use as committed or agreed.
  3. Processing integrity: System processing is complete, accurate, timely, and authorized.
  4. Confidentiality: Information designated as confidential is protected as committed or agreed.
  5. Privacy: Personal information (i.e., information that is about or can be related to an identifiable individual) is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in Generally Accepted Privacy Principles (GAPP).

The SOC 2 Type I auditor issues an opinion of the suitability of the design and operating effectiveness of identified systems and controls established by management as of a specific date.

The SOC 2 Type 2 includes Type I criteria.  The audit is conducted repeatedly over a specific time period. (for example June 15, 2011 to December 31, 2011) It also addresses the Privacy Notice. SOC 2 audit reports are issued to identified users who are knowledgeable about the systems and controls audited.  The SOC 2 audit report is not for general public use.

The SOC 3 audit report does not include the details of a SOC 2 report. It is a summary of a SOC 2 audit intended for general public use.

To provide a professional solution for these new standards the team at Integrated Accounting Services (IAS) performs audits for service organizations and their clients during the same testing period where possible.  IAS’s integrated approach to auditing both the service organization and its clients provides increased security, integrity and privacy for all systems. Timely coordinated reports and periodic follow-ups are part of the integrated approach to qualifying service organizations and their user entities and reporting the higher level of assurance to responsible parties.

This article is provided by Integrated Accounting Services for those seeking clarification of IT system and control requirements. Please contact us if you need an assessment of your system and to determine whether you need a SOC 1 or a SOC  2 audit to assure clients of your compliance with new standards.


 

 

 

 

Oct
19

Who Needs SOC 2 Type 2 reports?

Businesses that are connected to IT systems must be audited to determine if they have adequate controls to protect private and nonpublic data.

Summary

  • A SOC 2 Type 2 audit report is issued by a CPA or CPA.CITP which covers the suitability and effectiveness of controls over data at a service organization
  • A SOC 2 Type 2 audit report examines controls over  the  security, availability, processing integrity, confidentiality and privacy of data.

 SOC 2 is one of three guidelines and standards introduced by the American Institute of Certified Public Accounts (AICPA).   AICPA has named the guidelines,  Service Organization Controls (SOC)  with subcategories SOC 1, SOC 2, and SOC 3.  The SOC 2 engagement is in accordance with the AT 101 and complies with the AICPA audit guide; Reports on Controls at a Service Organization over Security, Availability, Processing Integrity, Confidentiality or Privacy

SOC 2 Type 2 is an attestation report issued by a CPA or CPA.CITP stating an opinion on the assertion by management of a service organization, related entities and companies processing personal and nonpublic IT data regarding the suitability of their controls and their effectiveness.  A SOC 2 Type 2 report is written after an auditor conducts tests on the system and controls of a service organization’s information technology system and operating procedures to ensure that they meet strict requirements for criteria for security, availability, processing integrity, confidentiality and privacy.

Integrated Accounting Services (IAS) provides SOC2 Type 2.com  as a public service to those seeking an explanation of the SOC standards that must be met by service organizations and their users.

To provide a professional solution for these new standards the team at Integrated Accounting Services (IAS) performs audits for service organizations and their clients during the same testing period where possible.  IAS’s integrated approach to auditing both the service organization and its clients provides increased security, integrity and privacy for all systems. Timely coordinated reports and periodic follow-ups are part of the integrated approach to qualifying service organizations and their user entities and reporting the higher level of assurance to responsible parties.

This article is provided by Integrated Accounting Services for those seeking clarification of IT system and control requirements. Please contact us if you need an assessment of your system and to determine whether you need a SOC 1 or a SOC  2 audit to assure clients of your compliance with new SOC standards.


Oct
18

Integrated Accounting Services LLC Issues SOC Certifications

CPA.CITP’s at Integrated Accounting Services are certified by the AICPA to issue SOC certifications as to adequacy and effectiveness of IT controls.

Summary

  • Integrated Accounting Services, LLC is qualified to conduct SOC 1, SOC 2 and SOC 3 audits.
  • SOC 1 audits are limited to a service organization’s controls related to a user entity’s internal controls over financial reporting.
  • SOC 1 audits are conducted in accordance with SSAE 16.
  • SOC 2 audits examine a service organizations controls relevant to security ,availability, processing integrity, confidentiality and/or privacy.
  • SOC 2 audits are conducted in accordance with AT 101.
  • SOC 3 audits are distributed to the public and are SOC 2 audits but contain no detail as to testing and results.
  • SysTrust or SOC 3 certification can be used by service organizations for marketing purposes.

The Integrated Accounting Services, LLC team of CPA.CITP specialists examine and report according to new AICPA standards SSAE 16 and AT 101  on the controls of financial institutions, service organizations and their users processing personal, nonpublic data.  To assist auditors in the selection of the appropriate standard or guide for a particular type of investigation the AICPA has quantified and organized the audit reports and named them the Service Organization Controls (SOC) reports.  Three types of engagements are named. The source of the guidance for performing and reporting each type has been defined and given the following designations:

  1. SOC 1: This audit is performed according to SSAE No. 16, Reporting on Controls at a Service Organization (AICPA, Professional  Standards, AT section801), Service Organization: Applying SSAE No. 16  This examination is limited to data relevant to a user entities’ internal control over financial reporting.   The SOC 1 audit, based on SSAE 16, replaces SAS 70 standards for reporting on the adequacy of controls relevant to internal controls over financial reporting for financial institutions, service organizations and their users. SAS 70 reports are no longer accepted as evidence that financial institutions and service organizations have sufficient security and privacy controls
  2. SOC 2: The SOC 2 audit provides the management of companies such as financial institutions, service organizations, and user entities, with information and a CPA’s opinion about their system and controls relevant to security,availability, processing integrity, confidentiality or privacy. The engagement of an auditor is in accordance with AT 101, Attest Engagements  (AICPA Professional Standards) and the AICPA Guide, Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy. The SOC 2 Type 2 report also include the CPA’s opinion about their compliance with the commitments in their statement of privacy.   A SOC 2 audit evaluates a management assertion of financial institutions and service organizations as well as their clients to determine the suitability and sufficiency of the measurements and communications of the controls described by the management assertion over a specified period of months.
  3. SOC 3: This report is summary of  a CPA or CPA.CITP’s SOC 2 opinion  about the controls at a financial institution, service organization or user entity relevant to security, availability, processing integrity, confidentiality,  or privacy that can be provided to interested parties seeking assurance of the audited entities compliance with the new AICPA standards. The audit must be in strict accordance with the guidelines of AT  101, and TSP section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy, (AICPA, Technical Practice Aids).  These guideline address the privacy principle and provide for a CPA’s opinion about compliance  with the commitments of IF systems  in their privacy notice.

 Financial institution, service organizations and entities using IT systems can now provide proof of compliance by obtaining a SysTrust Certificate. Additional protection is now possible for financial institutions and service organization because they have the right to to require  those with whom they are exchanging information with meet new requirements for security and privacy defined by SOC 1 and SOC 2 and qualify for a SOC 3 certification to ensure their compliance with strict standards.

Integrated Accounting Service’s team leader Mike Warren, is a CPA  qualified as a CITP to perform audits on information technology systems in accordance with SOC 1 and SOC 2 and SOC 3guidelines.  A CPA.CITP is approved by the AICPA to issue a SOC 3 (SysTrust) Certificate of SOC Compliance for qualifying financial institutions, service organizations and their users.

To provide a professional solution for these new standards the team at Integrated Accounting Services (IAS) performs audits for service organizations and their clients during the same testing period where possible.  IAS’s integrated approach to auditing both the service organization and its clients provides increased security, integrity and privacy for all systems. Timely coordinated reports and periodic follow-ups are part of the integrated approach to qualifying service organizations and their user entities and reporting the higher level of assurance to responsible parties.

This article is provided by Integrated Accounting Services for those seeking clarification of IT system and control requirements. Please contact us if you need an assessment of your system and to determine whether you need a SOC 1 or a SOC  2 audit to assure clients of your compliance with new standards.

 

 

Oct
12

SSAE 16 Implements Safeguards Rule In Gramm-Leach-Bliley Act

Thanks, guys.

Phil Gramm, Jim Leach and Thomas Bliley, authors of the Gramm-Leach-Bliley Act

SSAE 16 establishes Service Organization Controls

Summary

  • The  GRAMM-LEACH-BLILEY ACT  requires new IT  system controls.
  • Safeguards Rule requires IT system controls certified.
  • SSAE 16 guidelines replaces SAS 70 audit reports.

The Statement of Standards for Attestation Engagements, No. 16 (SSAE 16) issued April 2010 by American Institute of Certified Public Accountants (AICPA) Auditing Standards Board became effective on June 15, 2011.  SSAE 16 is  in response to the dictates of the Safeguards Rule contained in the Gramm-Leach-Bliley Act that became law on November 12, 1999, establishes a universal standard for service organization and user audits. The Safeguards Rule requires all financial institutions to design, implement and maintain safeguards to protect customer information. The Safeguards Rule applies not only to financial institutions, that collect information from their own customers, but also to financial institutions such as credit reporting agencies, appraisers, and mortgage brokers that receive customer information from other financial institutions. (For details see Disclosure of Nonpublic Personal Information, codified at 15 U.S.C. §§ 6801)

Audit opinions and reports such as SAS 70 will no longer be acceptable because they were based on inadequate guidelines for auditing evaluations and testing of security, availability, processing integrity, confidentiality or privacy of information technology infrastructures. As such, SAS 70 did not provide adequate assurance that the safety controls of a service organization were sufficient for the protection of user entities. Audits are now performed according Service Organizational Controls (SOC) established by American Institute of Certified Accounting Professionals  (AICPA) with the passage Statement of Standards for Attestation Engagements (SSAE) 16 in April 2010.

SSAE 16 requires the same level of evidence and assurance that sufficient controls are in place that was intended under a SAS 70 service auditor engagement. Unfortunately, SAS 70 standards failed to define the degree and type of auditing necessary to provide adequate security and privacy .

To provide a professional solution for these new standards the team at Integrated Accounting Services (IAS) performs audits for service organizations and their clients during the same testing period where possible.  IAS’s integrated approach to auditing both the service organization and its clients provides increased security, integrity and privacy for all systems. Timely coordinated reports and periodic follow-ups are part of the integrated approach to qualifying service organizations and their user entities and reporting the higher level of assurance to responsible parties in compliance with GRAMM-LEACH-BLILEY ACT.

This article is provided by Integrated Accounting Services for those seeking clarification of IT system and control requirements. Please contact us if you need an assessment of your system and to determine whether you need a SOC 1 or a SOC  2 audit to assure clients of your compliance with new standards.

 

Oct
11

What are CITPs, anyway?

What a CITP knows. It's actually lots of stuff.
CITP Body of Knowledge

A CITP is a certified auditor of information technology systems.

  • A CITP is required to certify compliance of an IT system.
  • CITP are certified by AICPA.
  • Michael Warren is a CITP.
  • IAS certifies compliance of IT systems.

A CITP is a Certified Information Technology Professional.  A CPA.CITP is a CPA who is uniquely qualified to evaluate the validity of a company’s data and financial statements as well as the Service Organization Controls (SOC) intended to protect their information technology systems. The CITP designation is awarded by the AICPA to CPAs with extensive experience in information technology. With a broad understanding of  how information technology is integrated with accounting, CPA.CITPs are able to offer insights to businesses that a CPA or information technology professional with only one designation cannot offer.

To be certified by AICPA  as a CPA.CITP, a CPA must demonstrate an understanding of information technology principles and practices encompassing a wide body of knowledge across both disciplines. As a CPA.CITP, Michael Warren, the Principal of Integrated Accounting Services (IAS) has years of experience personally performing accounting audits.  He is recognized for his understanding of information technology and its relationship with business accounting. This unique body of knowledge and experience establishes Mr. Warren as one of only a few CPAs qualified to perform audits of the degree of suitability of controls of service organizations and their users, for transmitting, storing, and protecting private and nonpublic data.

To provide a professional solution for these new standards the team at Integrated Accounting Services (IAS) performs audits for service organizations and their clients during the same testing period where possible.  IAS’s integrated approach to auditing both the service organization and its clients provides increased security, integrity and privacy for all systems. Timely coordinated reports and periodic follow-ups are part of the integrated approach to qualifying service organizations and their user entities and reporting the higher level of assurance to responsible parties.

This article is provided by Integrated Accounting Services for those seeking clarification of IT system and control requirements. Please contact us if you need an assessment of your system and to determine whether you need a SOC 1 or a SOC  2 audit to assure clients of your compliance with new standards.

Go back to top