
What is SOC 1 & SOC 2 Compliance?

What Are SOC 1 and SOC 2 Reports?

Service organizations, like financial advisers and accounting firms, are required to meet compliance requirements. The two most common compliance frameworks are SOC 1 and SOC 2.

SOC 1

Service Organization Control 1, or SOC 1, reports are for businesses that handle financial information for their clients. This report ensures that financial information is managed securely by the organization.

In other words, SOC 1 reports assure customers that your business has the appropriate controls in place to protect their financial information. SOC 1 features Type 1 and Type 2 compliance reports.

Furthermore, this report is conducted by a third-party SOC audit service and usually applies to businesses that provide finance-related services.

The SOC 1 report focuses on the service organization’s controls and key control objectives decided by the organization.

A SOC 1 report is performed under the Statement on Standards for Attestation Engagements (SSAE) 18, AT-C Section 320. SOC 1 reports were established by the American Institute of Certified Public Accountants (AICPA).

SOC 1 evaluates service controls. However, the service organization itself is responsible for deciding the key control objectives for the services it provides to clients. Control objectives cover business processes (controls concerning the processing of client information) and IT processes (controls concerning the security of client information).

An example of a service organization that needs a SOC 1 report is a company that offers payroll services to clients. Typically, outsourced service providers give their customers or clients a SOC 1 report as proof that they have reliable internal controls in place.

Type I Reports vs Type II Reports

Before turning to SOC 2, it helps to go over the two report types. A Type 1 exam evaluates the design of controls as of a particular date.

A Type 2 exam also evaluates the design of controls, but it additionally tests the operation of those controls over a period of time. The Type 2 exam covers a minimum of six months.

Type I reports

Essentially, Type 1 reports allow auditors to perform risk assessments and let businesses know they can perform critical assessment procedures. The report describes an organization's system and how it works to achieve the goals of its clients and customers. These reports also test how the controls achieve specific objectives on a chosen date.

Type II

A Type 2 report demonstrates the effectiveness of those controls over a period of time. Type 2 reports are a review of an organization's internal controls over a period of 6 to 12 months and include an in-depth review of those controls.

Once an organization has undergone the audit, it is re-audited on an ongoing basis, either annually or semi-annually. Additionally, a Type 2 report analyses an organization's environment to evaluate whether the design and functionality of its internal controls are effective.

SOC 2

The difference between a SOC 2 report and a SOC 1 report is that the SOC 2 report addresses an organization's controls pertaining to operations and compliance standards. The AICPA developed the Trust Service Criteria, or TSC, which set the standards for trustworthy controls.

Things like security, integrity, availability, privacy, and confidentiality are all aspects of TSC. However, the only TSC required in SOC 2 is security.

So, if a service organization chooses, it can obtain a SOC 2 report that focuses solely on security, or one that covers all five TSCs, depending on its specific audit requirements.

The AICPA's SOC 1 and SOC 2 standards value security, privacy, confidentiality, processing integrity, and availability.

In Summary

– SOC 1 reports deal with internal controls pertinent to the audit of a service organization's clients' financial statements.
– SOC 2 reports deal with a service organization's controls pertinent to its operations and compliance. These are detailed by the AICPA's Trust Service Criteria (TSC).

For more content regarding compliance, cyber security, cloud technology, news and more, visit our blog.

Compliance on the Cloud 101

What is Compliance?

Compliance can be an issue for those using cloud storage or backup services. When you transfer data from your internal storage to a cloud provider's, you must examine how that data is stored so that you stay in compliance with laws and regulations. Financial cloud computing, for example, requires IT SOX compliance to ensure quality of service.

In 2002 the Sarbanes-Oxley Act (SOX) was implemented as a response to huge accounting scandals. Companies like Enron, Global Crossing and others misled investors and cost shareholders billions of dollars. This, in turn, changed the IT world forever. What does this have to do with IT? It changed how we approach things like storage, data, security and other functions.

Cloud compliance is, simply put, the principle that a cloud-based system must be compliant with the standards that the cloud customer faces.

Compliance departments ensure that businesses conform to established rules, so when switching over to a cloud service it is important to understand how and in what ways the cloud meets compliance standards. Luckily, there are cloud providers that ensure compliance with regulations like SOX.

If you're in the financial services industry, there are a few things to think about when considering an IT solutions cloud provider.

How Compliance Works

A global survey conducted by Veritas Technologies, a data management company, revealed that of the 1,200 businesses surveyed across 13 countries, 69 percent of organizations (828 of them) wrongly believed that data protection, data privacy and compliance are the responsibility of the cloud service provider.

It isn’t.

When it comes to cloud compliance, you need to be aware of which data you should move to the cloud and which data should remain in house, the questions you need to ask of your cloud provider, and what should be written into a service-level agreement (SLA) to maintain industry compliance.

When SOX was first written, it explicitly left out how its regulations should be met. This ensured that industries could adopt the most recent technology instead of having to wait for lawmakers to catch up. Because of this, the cloud is a viable infrastructure for financial companies that are required to adhere to compliance rules.

The way IT departments store records changed due to the implementation of SOX. The regulations state what kinds of information relating to SOX compliance need to be retained. Things like electronic records and messages, spreadsheets and emails are considered valuable and fall under the regulation.

It's important that you not take this for granted, and that you evaluate your SLAs with the provider.

The first thing that organizations need to do is be aware of the types of services they use. Certain information may be regarded as highly confidential, and a company may decide to keep it on an internal network. Or, if it is moved to the cloud, it will be a private cloud hosted on the premises.

Nerds Support has a hybrid cloud in a secure location that has military grade security.

Ensuring Cloud Compliance 

Once your company has decided what information is to be transferred to the cloud, look at the contracts between you and your cloud provider. Depending on whether the cloud is internal or external, the approach will be slightly different. If it's external, you have to make sure both you and the provider are clear about what type of data should reside on their cloud services and how they'll protect that data. If it's an internal cloud, will you have an internal compliance checklist to make sure you're within the regulatory standards?

With cloud financial services, customers and cloud providers share the responsibility to maintain compliance. It's the duty of the organization to investigate the security policies of the vendor.

Important questions to ask include:

  • Where is data stored?
  • Who has access to the storage areas or data centers?
  • How is my data protected?

Service Organization Controls

In some cases, companies can look at providers that certify compliance and choose their services without any further research. There are times, however, when a company will have to be more thorough and get involved in the cloud provider's security to make sure it complies with industry standards. When it comes to SOX compliance, you should look for a vendor that provides you with Service Organization Controls reports.

This report enables a user auditor to evaluate the audit risks associated with the use of a financial cloud provider.

It's also important to establish and verify benchmarks that help check the effectiveness of the security around your data in the cloud. Make sure your provider follows federal government guidelines for cloud security if it's based in the US.

To avoid miscommunication between your cloud provider and your organization, take the time to classify your data by level of importance, deciding carefully what is suitable for the cloud and what needs to remain stored internally. Have the right contracts in place and go through them, establishing what will be covered under the provider's services and how they'll protect and back up your data. A business continuity plan is also imperative, in case of any hiccups.

Nerds Support has cloud services that comply with financial regulations.

Contact us today to schedule a free IT assessment that can identify gaps in your IT infrastructure.


Regulatory Compliance: Compliance is Everything

The Need For Regulatory Compliance

Regulatory compliance is a dull subject. Yet, if your financial institution or business ignores it or isn't aware of it, it could cause problems.

Regulatory compliance ensures organizations follow state and federal law, as well as federal standards and procedures. That may sound simple enough, but considering the variety of mandated regulations like HIPAA, SOX and PCI DSS, falling out of compliance happens fairly frequently. If that happens, you're looking at possible audits, federal fines, and even the public scrutiny and negative attention that come with an investigation. In a time when social media shapes perception, a company cannot risk losing business because of its reputation.

The reality is that failing to maintain regulatory compliance leads only to significant revenue loss for your organization, or worse.

Penalties for violating SOX compliance standards, for example, can include fines in the millions of dollars, removal from listings on the public stock exchange and even years in prison. That is why compliance is often the focus of an organization's security program.

Regulatory Compliance Isn’t Easy But…

While there are different types of compliance regulations for different industries, the three largest are HIPAA, SOX and PCI DSS. Your particular organization might need to comply with one or all three. Whatever the case may be, it's important to familiarize yourself with the specifics of the regulations that apply to you. That being said, it's possible to think you are taking the necessary measures to ensure compliance and still be in violation of one or more regulations. This happens unintentionally or unknowingly.

Some of the reasons for this are referencing outdated material, new or updated wording of rules replacing the old, and misunderstandings about how these laws are interpreted by the various enforcement agencies.

Furthermore, these regulations are constantly changing, and keeping track of all the minute alterations can take time and energy better spent on other business-related goals.

Cloud Compliance

Cloud computing for banking and investment services involves a lot of data. Even the processing of data has to meet regulatory benchmarks. These benchmarks are called data localization laws. Cloud compliance simply means that a cloud service provider is meeting the regulatory standards required of its clients.

Understanding data localization is important for financial cloud compliance. It should not be confused with data sovereignty. Data localization laws require personal data to be handled within a specific territory, rather than wherever the cloud provider chooses. Laws in different countries often differ on this. Here are some financial tech support requirements you need to verify with any potential cloud provider.

SOX Compliance

SOX requires the following to be benchmarked, audited and monitored regularly, specifically under sections 302, 404, and 409:
• Information access
• Internal controls
• Database activity
• Account activity
• User activity
• Network activity
• Login activity

IT Security:

The Gramm-Leach-Bliley (GLB) Act requires companies legally defined as "financial institutions" to ensure the security and confidentiality of sensitive client information. Therefore, IT security is an essential requirement for everyone in the financial services industry. Given the nature of the data a financial organization possesses, there are serious repercussions for shirking this responsibility.

Make sure the right controls are in place to avoid data breaches, and that you have the tools ready to address any issues if they occur. Investing in services that monitor and protect your financial database is essential to complying with regulation.

Data Backup:

Always keep backup systems to protect your sensitive data. Both data centers and on-site IT infrastructure are subject to the same SOX compliance requirements. Finance IT solutions are not only about support but about security as well.

Access Controls:
These are the electronic and physical systems put in place to stop unauthorized users from viewing sensitive financial information. Part of this is adopting effective security measures like multi-factor authentication and keeping servers or data centers in secure locations.

What Can You Do?

Considering you are in the best position to look after your business's affairs, you should familiarize yourself with the most recent regulatory compliance information. Knowing as much as possible about the nuances of regulatory mandates prepares you to understand compliance regulations. Moreover, you can use this information to stay updated on any changes and plan accordingly.

You should then adopt IT solutions for finance that are in complete compliance with industry standards. That means finding cloud financial support with expert knowledge on regulation and compliance.

You should try to find an organization that creates a customized infrastructure that serves your specific requirements. Additionally, it should take into consideration all the standards mentioned previously: HIPAA, SOX and PCI DSS.

For more information on compliance standards and compatible IT solutions, visit our website or call us at (305) 551-2009 and we'll answer any questions or inquiries you might have.

Are You an Accountant? What You Should Know About SOX Compliance

Background & History of SOX

The Sarbanes-Oxley Act (SOX) of 2002 mostly came about due to the great deal of national attention surrounding several financial and accounting scandals by major corporations in the early-to-mid 2000s. Executives at corporations like Enron, Tyco International, AIG, Adelphia, Peregrine Systems, and WorldCom were discovered to have falsified accounting records, either to secretly steal money for themselves or to disguise decreasing company earnings and thereby falsely maintain higher company stock prices.

Because of this, most of the corporations either failed or were sold off, leaving in their wake thousands unemployed and billions of dollars lost.

As a result, Congressmen Paul Sarbanes, D-Md., and Michael Oxley, R-Ohio, joined forces to create the SOX Act, creating an enforcement method with the goal of protecting shareholders and the general public from accounting errors and fraudulent practices in the enterprise, as well as improving the accuracy of corporate disclosures.

The Act became law on July 30, 2002 and is named after Sarbanes and Oxley, who sponsored it. The act set deadlines for meeting compliance and established requirement rules. Moreover, Congressmen Michael Oxley and Paul Sarbanes drafted the act to create more accountability in the corporate sector.


Effects & Benefits

The Public Company Accounting Oversight Board was created by SOX to set specific standards for audit reports. It obligates all auditors of public companies to register with it. It also prohibits accounting firms from doing business consulting for the companies they audit, although they can still act as tax consultants.

SOX compliance is both a legal obligation and an effective business practice. Although companies should behave ethically without the need for such standards, implementing SOX has the added benefit of protecting a company from cyberattacks like malware and ransomware. Additionally, SOX compliance includes many of the practices found in any data security plan.

There are many elements of SOX compliance, with all of which Nerds Support is well familiar.

A Brief Overview of the Major Elements of SOX Compliance

● Public Company Accounting Oversight Board (PCAOB)

– Provides independent oversight of public accounting firms providing audit services, as well as enforcing registration of auditors, defining the specific processes and procedures for compliance audits, inspecting and policing conduct and quality control, and enforcing compliance with the specific mandates of SOX.

● Auditor Independence

– Establishes standards for external auditor independence to limit conflicts of interest, as well as addressing new auditor approval requirements, audit partner rotation, and auditor reporting requirements.

● Corporate Responsibility

– Mandates that senior executives take individual responsibility for accuracy and completeness of all corporate financial reports.

● Enhanced Financial Disclosures

– Sets enhanced reporting requirements for financial transactions, as well as requiring internal controls for assuring the accuracy of financial reports and disclosures.

● Analyst Conflicts of Interest

– Includes measures designed to help restore investor confidence in the reporting of securities analysts.

● Commission Resources and Authority

– Defines practices to restore investor trust in securities analysts, and defines the SEC's authority to censure or bar securities professionals from practice.

● Studies and Reports

– Requires the Comptroller General and the SEC to perform various studies and report their findings.

● Corporate and Criminal Fraud Accountability

– Describes detailed criminal penalties for altering or destroying financial records, also including any other interference with investigations, all the while providing certain protections for informants.

● White Collar Crime Penalty Enhancement

– Increases the criminal penalties associated with white-collar crimes and conspiracies.

● Corporate Tax Returns

– States the Chief Executive Officer must sign company tax returns.

● Corporate Fraud Accountability

– Identifies corporate fraud and records tampering as criminal offenses, and lists specific penalties for such offenses. The SOX Act contains several specific, severe consequences for violations of any part of the act.

Penalties for not complying with SOX can include fines, removal from the public stock exchange, and more. By the same token, CEOs and CFOs who knowingly submit an incorrect certification to an audit face up to 20 years in jail and $5 million in fines.

How certain are you that your organization is operating within strict SOX compliance? With Nerds Support, you’re just a call away. Our Miami IT Solutions team is ready to help you tackle all your IT needs. With over 17 years of experience in helping leaders in the accounting industry we know how to help you succeed.
