Services Cybersecurity

Assessing Sensitive Legal Data with an IT Security Audit

IT Security Audit

When a national law firm specializing in social security disability benefits needed an assessment of their internal IT controls, they turned to PamTen.  The firm dealt with extensive amounts of personal data. Clients and management wanted to ensure that this vulnerable information was compliant with AICPA and protected from external intrusion.


PamTen followed our standard audit engagement approach which began with a discovery call with the client to define the audit scope.  PamTen recommended that the best approach was to perform a SOC 2 Audit to examine the firm’s current level of compliance with the AICPA Trust Services Criteria (TSC) requirements.

The audit began with a detailed review of the firm, its systems and services, IT infrastructure, and internal functions. PamTen interviewed the members of the firm’s IT, Quality, HR staff, and managing partner. A PamTen engagement manager monitored audit activities throughout the engagement and kept the client updated as to the progress.   

The audit included:

  • All internal IT services and controls and the infrastructure, software, processes, people, and data supporting these services and controls.
  • All five AICPA TSC requirements: Security, Availability, Processing integrity, confidentiality, and Privacy.
  • Risk Management
  • Control selection, security configuration, and control implementation, control monitoring.

The audit consisted of the following phases:

  • Audit Engagement Initiation
  • Audit Engagement Planning
  • Audit Plan Development
  • Audit Plan Execution
  • Engagement Closeout

Upon completing the audit, a detailed Service Organization Control (SOC) 2 report was produced and presented to the client’s senior leadership team. The client was pleased to have an industry-recognized acknowledgment of their internal controls’ security, reassuring the firm’s leadership and clients that their data was and will continue to be kept secure and confidential.