Protecting Private Data From Intrusions

     The private and nonpublic data being processed by information technology systems has become a major financial risk for businesses and governments world wide due to the lack of adequate controls for protection of the data.  As the use of the Internet for the exchanging of correspondence and financial data has increased the increase in the number of unauthorized intrusions into information technology systems has created enormous financial losses.

     The increase in the financial risks of utilizing information technology systems necessitated the passage of the Gramm-Leach-Bliley Financial Modernization Act of 1999 (GLB). The act imposed the legal requirement that all financial institutions and organizations that process data utilizing information systems must incorporate adequate controls to identify and prevent intrusions and the theft of private and nonpublic data. The GLB act established the Safeguards Rule of November 12, 1999 that applied to all IT systems.  To meet the intent of the Safeguards Rule the controls must provide for protection of the security, confidentiality, and integrity of private and nonpublic information. The requirements of the Safeguards Rule have become the basis of many additional federal laws intended to clarify standards and guidelines for developing and implementing administrative, technical and physical safeguards. To insure that an organization has adequate IT controls to protect its clients and the IT systems of other companies that are connected has become necessary that IT systems be audited.

      In response to the Safeguard Rule imposed by Federal Trade Commision, Service Organization Controls (SOC) were establish by the American Institute of Certified Public Accountants (AICPA) as a set of standards and guidelines to  be used by auditors of IT systems. The auditors are to evaluate the  adequacy of the controls incorporated as part of information technology (IT) systems in an effort to meet the new regulations.

     SOC consists of three types of auditing procedures to be conducted: SOC 1, SOC 2 and SOC 3 which provide detailed definitions of the different controls that are to be verified as to adequacy. The controls include the management and administrative procedures, and access limitations, for institutions that process, store or collect, private, personal and nonpublic data. The SOC requirements include the requirement for controls that detect and prevent unauthorized intrusion into the IT processing systems.  The intent of the controls is to prevent the theft of the private and nonpublic data of customers and consumers by administrative, electronic and physical means.

    The AICPA  offers a certification  of compliance with the SOC control  requirements upon the successful completion of an audit by a CITP.  A CITP is a CPA that has been evaluated and approved as a Certified Information Technology Professional  by the AICPA. To enable a CITP  to perform an audit of the electronic IT controls it has become necessary that the IT system be electronically tested to determine the adequacy of the controls.  This has resulted in the requirement to develop soft ware systems that can be attached to IT systems to detect unauthorized inquiries and removal of personal data that can be used  for identity theft. Protecting private data is a federal requirement that will soon require compliance to be certified.

SOC, What is it?

Service Organization Controls (SOC) establishes standards and guidelines for  protecting  IT data.


  • SOC audits reduce information technology systems invasions, identity thefts and corporate liability.
  • Federal legislation establishes the requirement for protecting IT data.
  • All operators of IT systems processing private and nonpublic data must comply.
  • SOC audits assess the fairness of assertions made by the management of information technology system about the controls in place and their suitability and/or effectiveness.

SOC is an acronym for Service Organization Controls, a name given set of new standards and guidelines for auditing information technology (IT) systems that collect and process private and nonpublic data. SOC standards and guidelines were established by the American Institute of Certified Public Accountants (AICPA) on June  15, 2011.  The AICPA created the standards in response to the Gramm-Leach-Bliley Act (passed by Congress in 1999) and other related federal and state regulations. SOC requires that the information technology systems of all financial institutions and all other organizations that process, store or collect personal and nonpublic data have controls that protect the data  from intrusions, identity theft, fraud and other unauthorized uses.

The audit is an attestation engagement to gather evidence on the fairness of assertions by a service organization’s management.  The management report addresses the suitability and/or effectiveness of the IT system controls.  The auditor’s attestation objectively assess the management’s assertion according to the requirements of AICPA’s SSAE 16 and/or AT 101. The guidelines and standards in SOC 1 audits are virtually identical to their international complements, the International Accounting Standards Board (ISAB)’s International Standard on Assurance Engagements (ISAE) 3402.

SOC establishes three audit standards; SOC 1, SOC 2, and SOC 3 to evaluate IT systems to determine the level of security and accuracy of financial data associated with financial audits, the total operation of the system, and the privacy respectively.

SOC 1 and SOC 2 Type  1 audits are conducted at one session that is a short period of time,  and Type 2 during several sessions over a period of time such as six months.

A  SOC 1 audit examines and tests information technology (IT) infrastructures relevant to financial reporting according to the Statement of Standards for Attestation Engagements, SSAE 16-Reporting on Controls at a Service Organization adopted April 2011.

SOC 2 audits are conducted in accordance with AT Section 101 and utilizes the newly release AICPA audit guide titled “Reports on Controls at a Service Organization over Security, Availability, Process Integrity, Confidentiality, or Privacy“.  The auditor’s report includes the results of tests necessary to enable the auditor to express an unqualified opinion that the information technology system and controls described by the management report allow financial statements to be fairly presented, in all material respects, and in conformity with the standards established established by following principles;

1. Security: The system is protected against unauthorized access (both physical and logical).

2. Availability:  The system is availability for operation and use as committed or agreed.

3. Processing integrity: System process processing is complete, accurate, timely, and authorized.

4. Confidentiality: Information designated as confidential is protected as committed or agreed.

5. Privacy: Personal information(i.e., information that is about or can be related to an identifiable individual) is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in Generally Accepted Privacy Principles (GAPP) issued by the AICPA and CICA.

The number of law suits as a result of a failure to protect personal and nonpublic data and the enormous number of invasions and identity thefts is growing at a very rapid pace both nationally and internationally.  It is incumbent upon all business and institutions processing personal and nonpublic data to become compliant and certified as having adequate controls for their IT systems.  If companies do not take on this responsibility in the immediate future it may become mandatory that the government agencies take action to enforce laws requiring certification for the protection of all IT systems.

To provide a professional solution for these new standards the team at Integrated Accounting Services (IAS) performs audits for service organizations and their clients during the same testing period where possible.  IAS’s integrated approach to auditing both the service organization and its clients provides increased security, integrity and privacy for all systems. Timely coordinated reports and periodic follow-ups are part of the integrated approach to qualifying service organizations and their user entities and reporting the higher level of assurance to responsible parties.

This article is provided by Integrated Accounting Services for those seeking clarification of IT system and control requirements. Please contact us if you need an assessment of your system and to determine whether you need a SOC 1 or a SOC  2 audit to assure clients of your compliance with new standards.


Go back to top