SOC 1 SSAE 18 Audit Checklist for Service Organizations
Businesses throughout North America getting ready to undertake a SOC 1 assessment can now use NDNB’s in-depth SOC 1 SSAE 18 audit checklist to help plan and execute it. With increasingly large sums of money being spent on annual regulatory compliance audits, it’s essential for service organizations to truly assess and understand the merits of SOC 1 SSAE 18 compliance. Therefore, use NDNB’s well-known SOC 1 SSAE 18 audit checklist for auditing success; it consists of the following subject matter, best practices, and other relevant information.
12 Important Steps to Take for SOC 1 SSAE 18 Compliance
1. Pick the Right CPA Firm: Sounds easy enough, right? But to be more specific, be sure you’ve chosen a firm that offers years of in-depth experience in the world of regulatory compliance; a firm that’s conducted hundreds of SOC reports over the years, such as NDNB. Additionally, be sure you choose a firm that offers fixed-fee pricing with no hidden costs and a fee reduction for multi-year contracts, because that’s what NDNB does.
And be sure to find a firm that offers all the services needed for SOC audits – and other compliance mandates – such as scoping & readiness assessments, remediation services, technical assistance, vendor selection assistance for security tools, and more. NDNB does, so if your business is located in North America – and you’re in need of compliance services – let’s talk.
2. Understand SOC 1 vs. SOC 2: Some of the biggest discussions in the world of regulatory compliance occur around the SOC 1 vs. SOC 2 debate. While many businesses want to know the differences between the two assessments, the bigger question is which audit to perform. For simplicity and clarity, just remember the following: SOC 1 SSAE 18 assessments are geared towards service organizations performing services that can impact their clients’ financial reporting. SOC 2 assessments, by contrast, are performed on technology businesses, such as cloud computing vendors, managed services providers, and more. Learn more about SOC 1 SSAE 18 vs. SOC 2 at socreports.com, developed exclusively by NDNB.
3. Define the Business Process: What products, services, and business solutions are being examined for the SOC 1 SSAE 18 assessment: your entire suite of offerings, or just a specific unit, brand, or division? What are your customers requesting in terms of scope? Are there other areas you should be including in order to showcase internal controls for clients and prospects?
These are all excellent questions that require strong answers, and NDNB is ready to assist in helping you define an audit scope that’s acceptable, agreed to by clients, and can reasonably be reported on via the SOC 1 SSAE 18 audit process. Getting scope right – in terms of what’s included in your SOC 1 SSAE 18 report – is absolutely critical for the reasons just discussed.
While you are busy defining the business process, it’s also time to put in place a comprehensive and current list of all information systems within the organization. Specifically, you’ll need to document, in a spreadsheet or some other formal record, all of your network devices, servers, and other systems currently in use. Call it the asset inventory list: a best practice every business should be following, and one that also greatly aids the overall audit process. Remember, auditing is about sampling, and auditors often want to see a full list of information systems so they can select items from it for purposes of sampling. To be clear, an asset inventory is an essential “must-do” item on anyone’s SOC 1 SSAE 18 audit checklist.
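The inventory and sampling step above is easy to get wrong in practice: rows with no owner or no in-scope flag, duplicate identifiers, and a sample pull that cannot be reproduced later when the auditor asks how the items were chosen. The following is an added example, not code from NDNB or from the original checklist, showing one way to validate an asset inventory and draw a reproducible audit sample from its in-scope population. The CSV column names and the asset rows are constructed for illustration; a real inventory would typically carry more fields (IP address, location, data classification).

```python
import csv
import io
import random

# Constructed sample inventory (not from the page). Column names are an assumption;
# A-006 lacks an owner and A-007 has a blank in_scope flag, both realistic gaps.
INVENTORY_CSV = """asset_id,hostname,asset_type,owner,environment,in_scope
A-001,fw-edge-01,firewall,netops,production,yes
A-002,app-web-01,server,platform,production,yes
A-003,app-web-02,server,platform,production,yes
A-004,db-fin-01,server,dba,production,yes
A-005,sw-core-01,switch,netops,production,yes
A-006,dev-box-01,server,,development,no
A-007,jump-01,server,secops,production,
"""

# Every row must have these populated before the list is handed to an auditor.
REQUIRED_FIELDS = ("asset_id", "hostname", "asset_type", "owner", "environment", "in_scope")


def load_inventory(text):
    """Parse the CSV export into a list of dicts, one per asset."""
    return list(csv.DictReader(io.StringIO(text)))


def validate_inventory(rows):
    """Return (asset_id, problem) pairs for rows an auditor would push back on:
    duplicate identifiers, blank required fields, or an unrecognised in_scope value."""
    problems = []
    seen = set()
    for row in rows:
        aid = (row.get("asset_id") or "").strip()
        if aid in seen:
            problems.append((aid, "duplicate asset_id"))
        seen.add(aid)
        for field in REQUIRED_FIELDS:
            if not (row.get(field) or "").strip():
                problems.append((aid, f"missing {field}"))
        flag = (row.get("in_scope") or "").strip().lower()
        if flag not in ("yes", "no", ""):
            problems.append((aid, "in_scope must be yes or no"))
    return problems


def in_scope_population(rows):
    """The sampling population is only the assets explicitly marked in scope."""
    return [r for r in rows if (r.get("in_scope") or "").strip().lower() == "yes"]


def draw_sample(population, size, seed):
    """Seeded selection over a sorted id list: the same frozen inventory and seed
    always yield the same sample, so the selection can be re-performed on request."""
    ids = sorted(r["asset_id"] for r in population)
    rng = random.Random(seed)
    return sorted(rng.sample(ids, min(size, len(ids))))


if __name__ == "__main__":
    rows = load_inventory(INVENTORY_CSV)
    for aid, problem in validate_inventory(rows):
        print(f"fix before audit: {aid}: {problem}")
    population = in_scope_population(rows)
    print(f"{len(population)} in-scope assets; sample:", draw_sample(population, 3, seed=2024))
```

Record the seed and a hash of the inventory file alongside the sample so the pull can be re-performed later; fix every reported problem before the list is frozen, since a blank owner or scope flag is exactly the kind of gap an auditor will note.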
4. Client Financial Reporting: As a service organization, you’ll need to ask yourself the following question: What services are we offering to our clients that can actually impact their financial reporting? Specifically, are you offering services that affect their balance sheets, P&L reporting, etc.? If so, then you’ll need to assess the internal controls that are an integral part of the services being offered to clients. Why? Because you’ll want assurance that the services you’re performing are being conducted in a valid, accurate, and complete manner, and the relevant controls included within a SOC 1 SSAE 18 report can assess them.
5. Conduct a Readiness Assessment: Several of the items discussed above are included in NDNB’s comprehensive SOC 1 SSAE 18 scoping & readiness activities, along with numerous other essential initiatives. The true benefits of such an exercise are understanding, assessing, and confirming audit scope boundaries, determining which internal controls require immediate remediation because of gaps and deficiencies, putting in place a plan of action for subsequent steps, and much more. The success of an organization’s SOC 1 SSAE 18 audit can be directly tied to the upfront, pre-audit work that is performed, so keep this in mind; that is the reason for performing a scoping & readiness assessment.
6. Perform Documentation Remediation: One of the more tedious and time-consuming endeavors of SOC 1 SSAE 18 compliance – or any compliance mandate in today’s business climate – is developing all the necessary – and mandated – information security and operational documents. It can be an incredibly daunting challenge, particularly for service organizations who loathe authoring documentation, but it has to be done.
7. Perform Technical Remediation: While documentation remediation is highly critical – as just stated above – it’s important to remember that many of your information systems may also require configuration and settings changes. Often, such systems have not been securely provisioned, have weak password settings, incorrect ruleset configurations – and more – thus requiring changes to be performed.
Luckily, most companies have competent, well-qualified staff to perform such initiatives, provided they have guidance and support from an external expert, such as the auditors at NDNB. We offer a wide variety of support services, specifically, our technical provisioning and hardening documents for helping properly secure your systems. It’s just one of the many tools and solutions NDNB offers.
8. Assess and Confirm Control Objectives: For individuals who are familiar with the SOC 1 SSAE 18 reporting standard – and even the historical SSAE 16 and SAS 70 auditing standards – you’re probably well aware of the immense flexibility allowed in terms of scope considerations, control objectives, and more.
Simply stated, compare one SOC 1 SSAE 18 report performed by a CPA firm to another report done on a similar company by another CPA firm and you’ll find notable differences in the report, from the layout to the types of control objectives, and much more. Ultimately, you’ll need to work with your CPA firm – and other internal personnel – in deciding on what control objectives and related tests are to be included in the report.
9. Where’s the ICFR, if any? For SOC 1 SSAE 18 compliance, assessing internal controls is largely about the concept of ICFR – internal controls relating to financial reporting. You therefore have an obligation to your clients to identify, assess, and then determine which ICFR components are to be included within the scope of your SOC 1 SSAE 18 report, whether a Type 1 or a Type 2 report. If you don’t think your internal control environment has any relevance to the ICFR elements, then consider performing a SOC 2 assessment instead of a SOC 1 SSAE 18 audit. Learn more about SOC 1 vs. SOC 2 at socreports.com, developed exclusively by NDNB.
With the financial sector of the global economy highly concentrated in the Northeast, many businesses located in Manhattan, New York City, New Jersey, Long Island, Connecticut, and Philadelphia will more than likely be candidates for SOC 1 SSAE 18 compliance, largely due to the services they perform that can impact their clients’ financial reporting.
10. Engage in Continuous Monitoring: Once the initial – or annual – audit has been performed, service organizations still have a vested duty to assess their internal controls as they relate to processes and procedures. With that said, the concept of “continuous monitoring” must be implemented; an activity that requires businesses to regularly assess, analyze, and monitor their control environment.
11. Why Choose NDNB? When it comes to the leaders in the world of regulatory compliance – from SOC 1 SSAE 18 assessments to SOC 2 and SOC 3 compliance, and other mandates – NDNB has been hard at work for years in offering clients high-quality, fixed-fee audits. We know the standards inside and out, have worked tirelessly in implementing them for hundreds of clients throughout North America, and always provide the best services to our valued customers. If you’re in need of compliance services and are located in North America, then let’s talk.
12. Next Steps: Is your business located in North America and in need of SOC 1 SSAE 18 compliance or some other type of regulatory compliance assessment? If so, then contact us today and let’s talk about our high-quality professional services and our fixed-fee pricing for your business.
Look, regulatory compliance isn’t going away – that we can all readily agree on – so turn to the trusted advisors at NDNB when it comes to meeting the rigorous mandates being imposed on businesses each year. We’re much more than auditors; we’re professionals who build compliance frameworks that help formalize your internal controls, ultimately allowing for a greater degree of organizational order.
NDNB – SOC 1 SSAE 18 Experts for North America – Fixed Fees
In today’s world of regulatory compliance providers, we offer a full lifecycle of services and solutions to help your organization become compliant. We hope you found the SOC 1 SSAE 18 audit checklist helpful, and please don’t hesitate to contact us regarding your audit needs.