Using IT General Controls and SOC Reports to Safeguard Sensitive Data

Increasingly sophisticated hackers and ransomware attacks have made cybersecurity and information technology controls a critical issue for higher-education organizations.

James Moore director Brendan McKitrick and partner Katie Davis explain how IT general controls help keep your organization’s sensitive information safe. They also discuss external controls known as SOC reports, which vouch for the effectiveness of third-party vendors’ security practices.


What are IT general controls?

IT general controls (ITGCs) are the high-level IT controls that support financial reporting: they cover your financially significant applications and the infrastructure around them. These controls safeguard the systems that produce the figures in the financial statements. In higher education, examples of these systems include your ERP, general ledger, payroll, student-athlete data and donor platforms.

IT general controls cover three main areas: logical access, change management and backups. (Higher education institutions often focus primarily on logical access, because change management and backups are increasingly handled by cloud services or third-party providers, whose controls you then assess through their SOC reports.)

Logical access

Consider who has access to which parts of the financially significant applications and what that access allows them to do. Access controls restrict users to the areas of your system(s) relevant to their job responsibilities, which limits both deliberate misuse and unintentional errors. Along the same lines, firewalls and antivirus software are complementary controls that help keep outside attackers away from sensitive data.

There are several ways to tighten your controls in these areas, starting with user administration and access:

Track new and terminated employees. Define procedures for setting up, modifying and removing user access. Make sure you have a reliable coordination process between IT and HR so that as new employees onboard and employees leave or change positions, their access is adjusted in a timely way.

Define roles and responsibilities. Well-defined roles help ensure you are granting the right level of access to employees given their job responsibilities. Segregate duties so that no one person can hold an inappropriate combination of access within your financially significant applications (for example, the ability to both create a vendor and approve payments to it). “If you spend the time up front and make sure those roles are appropriate within each application, it further helps with the segregation of duties as you’re adding new users,” Brendan said.

Review user access periodically. Think like an auditor. Formally review user access on a regular basis, and generate a report that is reviewed by more than one person to help catch any issues. “It’s a good exercise to go through your own system to identify any high-risk areas or transactions,” Katie said. “Approach access with the mindset of asking, ‘What could go wrong in the system? How do we prevent that from happening?’”
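The three user-administration steps above (joiner/leaver tracking, segregation of duties, periodic review) come together in one reconciliation: compare the application's user export against the HR roster and check each user's roles against a conflict matrix. The script below is an added example written for this article, not a James Moore tool or code from the page; the employees, accounts, role names and segregation-of-duties matrix are all constructed and hypothetical, and the output is meant to be the report that a second person reviews.

```python
"""Periodic user-access review: reconcile an application's user export against
the HR roster and flag segregation-of-duties (SoD) conflicts. Added example for
this article; every record below is constructed, and the role names and SoD
matrix are hypothetical."""

# Constructed HR roster keyed by employee id (in practice, an export from HR).
HR_ROSTER = {
    "e100": {"name": "A. Ortiz", "status": "active", "dept": "Accounts Payable"},
    "e101": {"name": "B. Chen", "status": "terminated", "dept": "Payroll",
             "termination_date": "2024-02-15"},
    "e102": {"name": "C. Patel", "status": "active", "dept": "Treasury"},
    "e103": {"name": "D. Singh", "status": "active", "dept": "IT"},
}

# Constructed user export from the financially significant application.
APP_USERS = {
    "e100": {"roles": ["ap_invoice_entry", "ap_vendor_maintain"], "last_login": "2024-03-01"},
    "e101": {"roles": ["payroll_run"], "last_login": "2024-02-28"},
    "e102": {"roles": ["ap_vendor_maintain", "ap_payment_approve"], "last_login": "2024-03-03"},
    "e103": {"roles": ["sysadmin"], "last_login": "2024-03-04"},
    "svc_batch": {"roles": ["gl_post"], "last_login": "2024-03-04"},
}

# Hypothetical SoD matrix: role pairs a single person must not hold together.
SOD_CONFLICTS = [
    frozenset({"ap_vendor_maintain", "ap_payment_approve"}),  # create a vendor, then pay it
    frozenset({"payroll_maintain", "payroll_run"}),           # set pay rates, then run payroll
    frozenset({"gl_post", "gl_approve"}),                     # post and approve journal entries
]
PRIVILEGED_ROLES = {"sysadmin"}


def review_access(hr_roster, app_users, sod_conflicts=SOD_CONFLICTS):
    """Return the findings a reviewer must disposition, one dict per finding."""
    findings = []
    for uid, acct in sorted(app_users.items()):
        roles = set(acct["roles"])
        person = hr_roster.get(uid)
        if person is None:
            # Service or orphaned account: HR cannot vouch for it, so someone must own it.
            findings.append({"user": uid, "issue": "no_hr_record",
                             "detail": "not in HR roster; confirm an owner and purpose"})
        elif person["status"] != "active":
            # The IT/HR handoff failed: the person left but the account still works.
            findings.append({"user": uid, "issue": "terminated_but_active",
                             "detail": f"HR status '{person['status']}' since "
                                       f"{person.get('termination_date', '?')}, "
                                       f"last login {acct['last_login']}"})
        for pair in sod_conflicts:
            if pair <= roles:
                findings.append({"user": uid, "issue": "sod_conflict",
                                 "detail": " + ".join(sorted(pair))})
        if roles & PRIVILEGED_ROLES:
            # Not necessarily wrong, but privileged accounts need explicit sign-off.
            findings.append({"user": uid, "issue": "privileged_access",
                             "detail": ", ".join(sorted(roles & PRIVILEGED_ROLES))})
    return findings


def issues_for(findings, uid):
    """Sorted issue names raised against one user id."""
    return sorted(f["issue"] for f in findings if f["user"] == uid)


def format_report(findings):
    """Plain-text report for the two people who sign off on the review."""
    lines = [f"{len(findings)} finding(s); each needs a disposition and a second reviewer"]
    lines += [f"- {f['user']}: {f['issue']} ({f['detail']})" for f in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(review_access(HR_ROSTER, APP_USERS)))
```

Run as-is, it reports the terminated employee whose account still logs in, the account with no HR record, the user who can both maintain vendors and approve payments, and the administrator account; the user with appropriate roles produces no finding. The same structure works against real exports once the role names and conflict pairs are replaced with the application's own.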

Password management is another way to beef up your controls:

Use best practices. Long passwords, even phrases such as “I like green bananas,” are stronger than short ones packed with symbols; length matters more than complexity. Swapping letters for numbers or special characters (“gr33n”) adds little on its own, because cracking tools try those substitutions automatically. Long, unique passwords do not need to be changed on a fixed schedule; change them when there is reason to believe they have been compromised.

Use multi-factor authentication. MFA adds a second factor, such as an authenticator app, hardware token or push approval, so that a stolen or guessed password alone is not enough to sign in. Prioritize administrators and any access to financially significant applications from off campus.

Other tactics to tighten up your controls include the following:

Enable and automate audit logs. These logs provide a historical record in the event that something goes wrong. Depending on the software’s capabilities, you may be able to send automated notifications to specific individuals when sensitive records change, which gives you better monitoring over the high-risk areas of your financially significant applications. Audit logs also act as a compensating control in small organizations where application administrators hold an unusual amount of access and authority: use them to monitor administrator activity, have someone other than the administrator review them, and store them where the administrator cannot edit or delete them.
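To make the notification idea concrete, the script below runs a few monitoring rules over application audit-log lines: it flags changes to sensitive fields (vendor bank accounts, pay rates), business-data changes made by an application administrator, and after-hours activity, and routes each alert to a named reviewer. This is an added example for this article, not code from the page or the firm; the log format, table and field names, user list, business-hours window and recipients are all constructed assumptions to be replaced with the application's own.

```python
"""Automated review of an application audit log: flag changes to sensitive
fields, business-data changes made by administrators, and after-hours activity,
then route each alert to a reviewer who is not the acting user. Added example
for this article; the log lines, table and field names, user list and rule
thresholds are all constructed."""
import json
from datetime import datetime

# Constructed JSON-lines audit log, one event per line, as an ERP might emit it.
AUDIT_LOG = """\
{"ts": "2024-03-04T09:12:05", "user": "aortiz", "action": "UPDATE", "table": "ap_invoice", "record": "INV-2210", "field": "amount", "old": "1200.00", "new": "1250.00"}
{"ts": "2024-03-04T22:41:17", "user": "dsingh", "action": "UPDATE", "table": "ap_vendor", "record": "V-0042", "field": "bank_account", "old": "****1234", "new": "****9876"}
{"ts": "2024-03-05T10:03:44", "user": "cpatel", "action": "INSERT", "table": "ap_vendor", "record": "V-0099", "field": null, "old": null, "new": null}
{"ts": "2024-03-05T10:05:02", "user": "dsingh", "action": "UPDATE", "table": "app_config", "record": "session_timeout", "field": "value", "old": "30", "new": "60"}
{"ts": "2024-03-05T11:30:00", "user": "cpatel", "action": "UPDATE", "table": "payroll_employee", "record": "e100", "field": "pay_rate", "old": "52000", "new": "61000"}
this line is not JSON and must not abort the review
"""

# Hypothetical rule set; tune to the application's own tables and roles.
SENSITIVE_FIELDS = {("ap_vendor", "bank_account"), ("payroll_employee", "pay_rate")}
ADMIN_USERS = {"dsingh"}                # application administrators
CONFIG_TABLES = {"app_config"}          # where administrators are expected to work
BUSINESS_HOURS = (7, 19)                # 07:00 to 19:00 local time
# Each rule notifies a named reviewer; an alert must never go only to the actor.
RECIPIENTS = {
    "sensitive_field_change": "controller",
    "admin_data_change": "it_director",
    "after_hours": "it_director",
}


def evaluate(event):
    """Return the names of the rules one event triggers (possibly none)."""
    hits = []
    if (event["table"], event.get("field")) in SENSITIVE_FIELDS:
        hits.append("sensitive_field_change")
    if event["user"] in ADMIN_USERS and event["table"] not in CONFIG_TABLES:
        hits.append("admin_data_change")     # administrator touching business data
    hour = datetime.fromisoformat(event["ts"]).hour
    if not BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]:
        hits.append("after_hours")
    return hits


def review_log(text):
    """Parse JSON-lines audit text; return alerts plus a count of unparseable lines."""
    alerts, malformed = [], 0
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1    # a gap in the log is itself a finding, not something to hide
            continue
        change = f"{event['action']} {event['table']}/{event['record']}"
        if event.get("field"):
            change += f" {event['field']}: {event['old']} -> {event['new']}"
        for rule in evaluate(event):
            alerts.append({"line": lineno, "rule": rule, "user": event["user"],
                           "notify": RECIPIENTS[rule], "change": change})
    return {"alerts": alerts, "malformed": malformed}


if __name__ == "__main__":
    result = review_log(AUDIT_LOG)
    for a in result["alerts"]:
        print(f"line {a['line']}: {a['rule']} by {a['user']} -> notify {a['notify']}: {a['change']}")
    print(f"{result['malformed']} malformed line(s)")
```

On the constructed log, the administrator's late-night change to a vendor bank account trips all three rules, the pay-rate change trips the sensitive-field rule, and the administrator's session-timeout change trips nothing because configuration tables are that role's normal territory. The malformed line is counted rather than silently skipped, since a log that stops parsing is exactly the kind of gap a reviewer should hear about.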

Document policies and procedures. If they are not written down and reviewed periodically, they are most likely not being followed consistently. Store them in an easy-to-access location. If you are part of a higher education institution, make sure they align with campus-wide security standards.

Have a layer of physical security. If you focus only on cyber-centric protections, careless physical storage can give thieves an easy in. Be mindful of where sensitive paper documents are stored, and lock cabinets and doors.

Change management

Change management refers to the steps that help you safely and effectively make updates to your IT system, apply patches as needed and integrate new releases.

Define and document a process for making these changes, including who requests, approves, tests and deploys each one; ideally the person who deploys a change is not the person who developed it. Create a test environment in which you can try out updates and patches before applying them across your system. And don’t forget rollback procedures in case something goes wrong.

Backups

Similarly, define steps for backing up your information on a regular basis. Test your backups by actually restoring them, and keep them secure: encrypt them and limit who can read or delete them. Be especially mindful that backups are stored off site, with at least one copy offline or otherwise unreachable from the production network so that a ransomware attack cannot encrypt the backups along with the data. If you use an outside vendor or cloud-based storage system, review their report on controls (also known as a SOC report; see below) to ensure they are safeguarding your data properly.
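"Test your backups" means restoring them and checking what comes back, not just confirming the job ran. The script below is an added example for this article, not code from the page or the firm: it writes a backup with a SHA-256 manifest, restores it into scratch space and compares every file against the manifest, then shows the two failure modes the test must catch, a silently altered record inside an archive that still extracts cleanly, and a truncated archive. The sample finance files are constructed; plain tar without compression is used so the byte-level tampering in the demo is deterministic.

```python
"""Backup integrity and restore test: write a backup with a SHA-256 manifest,
restore into scratch space, and compare each file against the manifest.
Added example for this article; sample data and the damaged archives are
constructed."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, archive_path):
    """Archive src_dir and return a manifest {relative path: sha256}.
    Keep the manifest apart from the archive (separate store, separate
    permissions) so whatever damages the archive cannot also fix up the manifest."""
    src_dir = Path(src_dir)
    manifest = {}
    with tarfile.open(archive_path, "w") as tar:
        for p in sorted(src_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src_dir).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    return manifest


def restore_test(archive_path, manifest):
    """Restore into a temporary directory and verify every manifest entry."""
    result = {"restored": 0, "missing": [], "mismatched": [], "error": None, "ok": False}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive_path, "r") as tar:
                try:
                    # The 'data' filter refuses absolute paths and '..' components.
                    tar.extractall(scratch, filter="data")
                except TypeError:        # older Python without extraction filters
                    tar.extractall(scratch)
        except Exception as exc:         # unreadable, truncated or unsafe archive
            result["error"] = f"{type(exc).__name__}: {exc}"
            return result
        for rel, expected in manifest.items():
            p = Path(scratch) / rel
            if not p.is_file():
                result["missing"].append(rel)
            elif sha256_file(p) != expected:
                result["mismatched"].append(rel)
            else:
                result["restored"] += 1
    result["ok"] = not result["missing"] and not result["mismatched"]
    return result


def demo():
    """Constructed end-to-end run: back up, verify, then damage and verify again."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "finance"
        (src / "gl").mkdir(parents=True)
        (src / "payroll").mkdir()
        (src / "gl" / "ledger.csv").write_text("acct,debit,credit\n1000,500.00,0\n")
        (src / "payroll" / "rates.csv").write_text("emp,rate\ne100,52000\n")
        (src / "README.txt").write_text("constructed sample data\n")

        archive = Path(work) / "finance-backup.tar"
        manifest = make_backup(src, archive)
        good = restore_test(archive, manifest)

        # Tar checksums cover only headers, so an altered payroll record inside
        # the archive still extracts without complaint; the manifest catches it.
        tampered = archive.with_name("finance-backup-tampered.tar")
        tampered.write_bytes(archive.read_bytes().replace(b"e100,52000", b"e100,99999"))
        bad = restore_test(tampered, manifest)

        # An archive cut off mid-header cannot be opened at all.
        truncated = archive.with_name("finance-backup-truncated.tar")
        truncated.write_bytes(archive.read_bytes()[:300])
        cut = restore_test(truncated, manifest)
    return good, bad, cut


if __name__ == "__main__":
    for label, r in zip(("intact", "tampered", "truncated"), demo()):
        print(f"{label}: ok={r['ok']} restored={r['restored']} "
              f"mismatched={r['mismatched']} missing={r['missing']} error={r['error']}")
```

The intact archive restores all three files; the tampered one restores cleanly but reports `payroll/rates.csv` as mismatched; the truncated one is reported as an error. A scheduled job that runs this against the most recent off-site copy, and alerts when `ok` is false, is the practical form of "test your backups".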


How and why to use SOC reports

IT general controls help secure your internal information. Increasingly, however, many organizations rely on third-party vendors to collect and store sensitive data that could impact their financial reporting.

Vendors can offer you an important measure of reassurance that they are safeguarding this information properly by providing a System and Organization Controls report, also known as a SOC report. A SOC report presents the results of an independent auditor’s examination of the vendor’s controls, those relevant to financial reporting (SOC 1) or to security and related criteria (SOC 2), and is the standard form of assurance over a service provider’s control environment. By insisting on SOC reports, you reduce the risk to your organization.

Types of SOC reports

There are two main types of SOC reports. A Type 1 report describes the vendor’s system and evaluates whether its controls are suitably designed as of a specific point in time. A Type 2 report includes the components of a Type 1 report but also tests whether the controls operated effectively over a period of time, commonly six to twelve months.

“As auditors, we prefer to get Type 2 SOC reports because they involve more testing and describe controls over a time period,” Brendan said. “Some of the financial statements we’re working with, including the income statement and cash flow, are over a period of time. So there’s more comfort and assurance when we’re doing audit procedures over a Type 2 report.”

These two report types can then fall under one of three categories of SOC reports:

  • SOC 1, the most common form of SOC report, describes the effectiveness of the service organization’s internal controls that are relevant to the user organization’s internal control over financial reporting.
  • SOC 2 reports on the effectiveness of the service organization’s controls against the trust services criteria (TSC) it selects: security (always included), plus availability, processing integrity, confidentiality and/or privacy. This is a security-focused, restricted-use report.
  • SOC 3 reports are similar to SOC 2 but are general-use reports written for a public readership and omit the detailed test results.

Who needs to undergo a SOC 1 audit?

You should expect a SOC 1 report from any vendor that performs outsourced services that affect the financial statements of your organization. These services might include:

  • General ledger application
  • Payroll processing application
  • Ticketing application
  • Enterprise Resource Planning (ERP) application
  • Data center/co-location. “If the application that your vendor provides is actually what we call a data center, that data center is most likely providing controls,” Katie said. “These controls could help with backups, change management or physical security. There’s typically a SOC 1 report related to that as well.”

What does a SOC 1 report contain?

These are the basic components of a SOC 1 report:

  • Independent service auditor’s report: The auditor’s opinion on whether the description is fairly presented, the controls are suitably designed and (for a Type 2 report) operated effectively. This reveals whether the auditor encountered any significant issues during testing.
  • Management’s assertion letter: The vendor attests that it has fairly described its system and that its controls were suitably designed (and, for a Type 2 report, operated effectively) for the designated point in time or period.
  • Management’s description of systems and controls: This section describes the system in scope and the internal controls in place.
  • Independent service auditor’s tests of controls and test results: This is the core of the report: for each control, what the auditor tested and whether any exceptions were found.
  • Control objectives and related control activities (a SOC 2 report uses the trust services criteria instead)
  • Other information provided by the service organization that is not covered by the auditor’s opinion

What should you review in a SOC 1 report?

Pay special attention to these parts of your vendors’ SOC 1 reports.

  • Service organization auditor: Who performed the examination, and what is their experience with SOC reports?
  • Type 1 vs. Type 2 report: Does the report test operating effectiveness over a period, and does that period cover your audit timeframe?
  • Report period: Do we need to request any gap letters (also known as bridge letters)? “If we’re looking at it for a certain fiscal year, it may only cover six to nine months,” Brendan said. “There may be another letter that you have to request to complete the full 12 months of the audit period.”
  • Auditor’s opinion: Is it unqualified? If it is qualified, how do the controls that failed affect your control environment?
  • Subservice organization(s): A vendor can use one of two methods for handling subservice organizations (its own vendors, such as a data center) in a SOC 1 report. Under the carve-out method, the description identifies the services the subservice organizations perform but excludes their control objectives and controls from the report, so you need to obtain those organizations’ own SOC reports. Under the inclusive method, the vendor includes the subservice organizations’ services, control objectives and related controls in its description of the system.
  • Complementary user entity controls: These are controls the vendor assumes you, as its customer, have in place for its own controls to meet their objectives. Confirm you actually operate each one.
  • Tests of controls: Consider how any exceptions noted impact your control environment.

Keeping sensitive data safe is a higher priority than ever in today’s cybersecurity landscape. Having IT general controls in place and requiring SOC reports from your vendors are critical steps in this effort.


All content provided in this article is for informational purposes only. Matters discussed in this article are subject to change. For up-to-date information on this subject please contact a James Moore professional. James Moore will not be held responsible for any claim, loss, damage or inconvenience caused as a result of any information within these pages or any information accessed through this site.