SOC, What is it?

Service Organization Controls (SOC) establishes standards and guidelines for protecting IT data.


  • SOC audits reduce information technology system invasions, identity theft and corporate liability.
  • Federal legislation establishes the requirement for protecting IT data.
  • All operators of IT systems processing private and nonpublic data must comply.
  • SOC audits assess the fairness of assertions made by the management of an information technology system about the controls in place and their suitability and/or effectiveness.

SOC is an acronym for Service Organization Controls, the name given to a set of new standards and guidelines for auditing information technology (IT) systems that collect and process private and nonpublic data. SOC standards and guidelines were established by the American Institute of Certified Public Accountants (AICPA) on June 15, 2011. The AICPA created the standards in response to the Gramm-Leach-Bliley Act (passed by Congress in 1999) and other related federal and state regulations. SOC requires that the information technology systems of all financial institutions and all other organizations that process, store or collect personal and nonpublic data have controls that protect the data from intrusions, identity theft, fraud and other unauthorized uses.

The audit is an attestation engagement to gather evidence on the fairness of assertions by a service organization’s management. The management report addresses the suitability and/or effectiveness of the IT system controls. The auditor’s attestation objectively assesses the management’s assertion according to the requirements of AICPA’s SSAE 16 and/or AT 101. The guidelines and standards in SOC 1 audits are virtually identical to their international complement, the International Accounting Standards Board (ISAB)’s International Standard on Assurance Engagements (ISAE) 3402.

SOC establishes three audit standards: SOC 1, SOC 2, and SOC 3. They evaluate IT systems to determine, respectively, the level of security and accuracy of financial data associated with financial audits, the total operation of the system, and the privacy.

SOC 1 and SOC 2 Type 1 audits are conducted in one session over a short period of time, and Type 2 audits during several sessions over a period of time such as six months.

A SOC 1 audit examines and tests information technology (IT) infrastructures relevant to financial reporting according to the Statement of Standards for Attestation Engagements, SSAE 16, Reporting on Controls at a Service Organization, adopted April 2011.

SOC 2 audits are conducted in accordance with AT Section 101 and utilize the newly released AICPA audit guide titled “Reports on Controls at a Service Organization over Security, Availability, Process Integrity, Confidentiality, or Privacy”. The auditor’s report includes the results of tests necessary to enable the auditor to express an unqualified opinion that the information technology system and controls described by the management report allow financial statements to be fairly presented, in all material respects, and in conformity with the standards established by the following principles:

1. Security: The system is protected against unauthorized access (both physical and logical).

2. Availability: The system is available for operation and use as committed or agreed.

3. Processing integrity: System processing is complete, accurate, timely, and authorized.

4. Confidentiality: Information designated as confidential is protected as committed or agreed.

5. Privacy: Personal information (i.e., information that is about or can be related to an identifiable individual) is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in Generally Accepted Privacy Principles (GAPP) issued by the AICPA and CICA.

The number of lawsuits resulting from failures to protect personal and nonpublic data, and the enormous number of invasions and identity thefts, are growing at a very rapid pace both nationally and internationally. It is incumbent upon all businesses and institutions processing personal and nonpublic data to become compliant and certified as having adequate controls for their IT systems. If companies do not take on this responsibility in the immediate future, it may become mandatory that government agencies take action to enforce laws requiring certification for the protection of all IT systems.

To provide a professional solution for these new standards, the team at Integrated Accounting Services (IAS) performs audits for service organizations and their clients during the same testing period where possible. IAS’s integrated approach to auditing both the service organization and its clients provides increased security, integrity and privacy for all systems. Timely coordinated reports and periodic follow-ups are part of the integrated approach to qualifying service organizations and their user entities and reporting the higher level of assurance to responsible parties.

This article is provided by Integrated Accounting Services for those seeking clarification of IT system and control requirements. Please contact us if you need an assessment of your system and to determine whether you need a SOC 1 or a SOC 2 audit to assure clients of your compliance with the new standards.

