Secure the House: A CPA’s Guide to IT Controls in SOC Reports

August 1, 2025

When you crack open a SOC 1 report, it can feel like stepping into acronym quicksand. ACs, CCs, ITGCs… it’s easy to get lost.

If you’re a CPA trying to determine what actually matters for your audit, especially when key systems are outsourced, this is your guide.

We’re unpacking the Core Four IT Controls you’ll see in most SOC 1 reports. But instead of rattling off technical terms, we’re going to do what auditors do best: use a framework.

So here’s your mental model:

Imagine your client’s financial data is a house. Your job? Make sure it’s secure.

Just like a homeowner protects what’s inside, SOC reports reveal how third-party systems protect financial data. These four ITGCs are the critical safeguards, and if one is missing, your audit could be at risk.

Let’s step inside.

Lock the Front Door (Physical Access)

What it is:
This control answers: Who can physically enter the building or room where financial systems are housed?

SOC reports may describe:

  • Restricted access to server rooms or data centers
  • Badge readers, visitor logs, or mantraps
  • On-site monitoring like cameras or security guards

💡 Why It Matters:
If anyone can waltz into the room where servers live, they can shut down systems, steal data, or tamper with financial records. Physical access is the first layer of defense.

Control the Keys (Logical Access)

What it is:
This control covers who can log into financial systems—and whether they still should.

Look for:

  • How users are added and removed
  • Whether terminated users are promptly deactivated
  • Frequency of access reviews

💡 Why It Matters:
Even if the building is locked, someone with outdated or excessive access can wreak havoc from the inside. Logical access is about giving the right keys to the right people—and taking them away fast when needed.
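As an added illustration that is not part of the original article, here is the kind of test an auditor's IT specialist might run over the evidence behind these bullets: it compares HR termination dates with the system's user list to find access that outlived the deprovisioning window, and flags a stale periodic access review. The user records, the five-day deprovisioning window and the quarterly review cadence are constructed assumptions, not values from any SOC report.

```python
from datetime import date

# Constructed sample evidence (not from any real SOC report):
# HR termination records and the application's user list as of the review date.
TERMINATIONS = {  # user_id -> termination date from HR
    "jdoe": date(2025, 3, 3),
    "asmith": date(2025, 5, 20),
    "rlee": date(2025, 6, 30),
}
ACCOUNTS = [  # user_id, account status, date disabled (None while still active)
    {"user": "jdoe", "status": "disabled", "disabled_on": date(2025, 3, 4)},
    {"user": "asmith", "status": "disabled", "disabled_on": date(2025, 6, 12)},
    {"user": "rlee", "status": "active", "disabled_on": None},
    {"user": "mwong", "status": "active", "disabled_on": None},
]
LAST_ACCESS_REVIEW = date(2025, 4, 15)   # assumed date of the last review
AS_OF = date(2025, 8, 1)                 # assumed period-end / test date


def deprovisioning_exceptions(terminations, accounts, as_of, max_days=5):
    """Return (user, status, days of access after termination) for every
    terminated user whose access stayed open past the assumed policy window."""
    by_user = {a["user"]: a for a in accounts}
    exceptions = []
    for user, term_date in terminations.items():
        acct = by_user.get(user)
        if acct is None:
            continue  # no account in this system, so nothing to revoke
        # Still-active accounts are measured up to the test date.
        end = acct["disabled_on"] if acct["status"] == "disabled" else as_of
        lag = (end - term_date).days
        if acct["status"] == "active" or lag > max_days:
            exceptions.append((user, acct["status"], lag))
    return exceptions


def access_review_overdue(last_review, as_of, max_days=90):
    """True when the periodic access review is older than the assumed
    quarterly cadence, i.e. the review evidence is stale."""
    return (as_of - last_review).days > max_days


if __name__ == "__main__":
    for user, status, lag in deprovisioning_exceptions(TERMINATIONS, ACCOUNTS, AS_OF):
        print(f"exception: {user} ({status}) kept access {lag} days after termination")
    print("access review overdue:", access_review_overdue(LAST_ACCESS_REVIEW, AS_OF))
```

Each exception is a test-of-controls finding to take back to the service organization's description of its logical access control.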

Set House Rules for Renovations (Change Management)

What it is:
When systems get updates or fixes, this control ensures changes are reviewed, tested, and approved.

SOC reports should describe:

  • Change approval workflows
  • QA or staging environments
  • Oversight of emergency changes

💡 Why It Matters:
Uncontrolled system changes can “break the plumbing” of financial logic. Without guardrails, updates can introduce errors, delete data, or bypass compliance steps.

Pack the Emergency Go-Bag (Backup & Restoration)

What it is:
Backups are your client’s emergency plan. This control looks at how systems recover if something goes wrong.

Key indicators:

  • Frequency of data backups
  • Evidence of successful restoration tests
  • Offsite or secure backup storage

💡 Why It Matters:
No matter how strong the locks or rules, disasters happen. Without tested, retrievable backups, data loss becomes audit risk. This isn’t just IT’s job—it’s directly relevant to your audit.

Final Walkthrough: Is the House Secure?

As you review SOC reports, ask:

Does this control protect the availability, integrity, or accuracy of financial data?

If yes, it matters to your audit.

With the “Secure the House” mindset, you’re not just skimming a SOC 1 report. You’re checking the locks, testing the alarm, and making sure your client’s data has a safe place to live.