Security & Compliance Blog

Use our SOC 2 audit checklist if you’re using Amazon’s AWS cloud services and need to become SOC 2 compliant each year. With the migration to the cloud happening at record pace, tens of thousands of businesses are now being required to become SOC 2 compliant each year, and NDNB offers a proven process that’s efficient and comprehensive. Here’s what you need to know – and what you need to do – for ensuring your SOC 2 audit is a success.

1. Begin with a SOC 2 Scoping & Readiness Assessment:  Understanding scope and the what business processes are to be included within your SOC 2 audit is essential, and also for mitigating any type of scope creep issues. Because you’re hosting your services (i.e., your production environment) in AWS, it luckily means there are a number of benefits to be had with your SOC 2 audit. First, a large number of the physical security controls are covered by AWS themselves as their private data centers store your virtual server instances.

Second, AWS has a fair number of audit & compliance, and control tools & solutions that are easy to “spin up” in any environment, further helping alleviate compliance reporting requirements (more on this in point #3 below!)

2. Leverage AWS’ SOC Reports for Scope Reduction: For the CPA firm you hired to perform your SOC 2 audit, they’ll ask for you to obtain a copy of AWS’ most current SOC 2 report, and for a very obvious reason – scope reduction. A large number of the controls you’ll need for SOC 2 compliance are actually covered by AWS’ report. From physical and environmental controls – and more – leveraging AWS’ SOC 2 report is a must. Scope reduction = price reduction, something a well-versed SOC 2 auditor can explain to you. To learn more, contact CPA Christopher Nickell at 1-800-277-5415, ext. 706 today.

3. Identity and Utilize AWS’s Security and Compliance Tools: Familiar with CloudWatch and CloudTrail? CloudWatch logs reports on application logs, while CloudTrail Logs details on specific information on what occurred in your AWS account. These are just a few examples of the many tools that AWS has available for your growing security, governance, and regulatory compliance needs.

NDNB provides comprehensive SOC 2 audit and compliance assessment services & SOC reporting for businesses in Dallas, Houston, Austin, and other surrounding locations in Texas. With increased regulatory requirements being placed on businesses all throughout North America – and the globe – now’s the time to talk to the experts at NDNB. We offer fixed-fee pricing and high-quality audit services, so contact Chris Nickell at 1-800-277-5415, ext. 706 to learn more about NDNB’s SOC 2 assessments for Texas businesses, or email Chris directly at This email address is being protected from spambots. You need JavaScript enabled to view it. today.

Comprehensive SOC 2 Services for Texas Businesses – Fixed Fees

Services offered by NDNB for businesses located in Dallas, Houston, Austin, and other surrounding locations in Texas include the following:

SOC 2 Scoping & Readiness Assessments: One of the most fundamentally important activities to be performed during the SOC 2 audit process is beginning with a scoping & readiness assessment; an invaluable function for helping service organizations adequately determine project scope, areas requiring remediation (i.e., policies and procedures, technical changes/modifications, etc.), assessing personnel needs, physical locations to visit, and more.

NDB offers fixed-fee SOC 2 HIPAA audit reports & assessments consisting of SOC 2 Type 1 and SOC 2 Type 2 audits for organizations seeking compliance with the Health Insurance Portability and Accountability Act (HIPAA). Ensuring the safety and security of Protected Health Information (PHI), Personally Identifiable Information (PII), and other forms of highly confidential consumer/patient data is now more important than ever.

Additionally, many of today’s main healthcare exchanges and large insurance carriers are requesting SOC 2 HIPAA reports from their downstream providers, which consist of thousands of organizations offering various healthcare related services.

Looking to learn about the SOC 2 audit process from beginning to end? A simple, yet comprehensive and easy-to-understand process on what it takes to become SOC 2 compliant for your organization? NDNB, one of North America’s leading providers of SOC 1 and SOC 2 audits offers the following A to Z explanation of the SOC 2 audit process.

Step 1: Understand Exactly what SOC 2 is.

Ask any number of professionals what SOC 2 is and you’ll probably get quite a few different answers. Some answers we hear are the following:

• It’s an audit
• It’s a certification
• It’s a best practice for operations and information security
• It’s a checklist that can be quickly completed

In simple terms – as simple as we can make it – System and Organization Controls (SOC) 2 is a comprehensive reporting framework put forth by the American Institute of Certified Public Accountants (AICPA) in which independent, third-party auditors (i.e., CPA’s) perform an assessment and subsequent testing of controls relating to the Trust Services Criteria of Security, Availability, Processing Integrity, Confidentiality and/or Privacy.

SOC 2 for startups is an interesting topic as one would think that a small, relatively non-complex environment would be easy for obtaining SOC 2 (or even SSAE 18 SOC 1) compliance. Well, yes and no. Don’t you hate the political in the middle answer! Truth be told, the yes part of the answer is that working with a small group of professionals, generally located in one physical location, can make SOC 2 for startups easy going. The no part of the answer is that startups generally lack any type of real and meaningful policies, procedures, and processes. Change control processes? Probably not in place. Documented incident response procedures? Probably not well documented! Security awareness training? Hmm, nope, not being done! Get the picture. That’s the yes and no.

SOC 2 reports are in high demand today, especially when it comes to the ever-growing number of technology-oriented service organizations who are providing critical outsourcing services to other businesses. NDNB provides high-quality, competitively priced, fixed fee SOC 2 reports for both Type 1 and Type 2 reports for Dallas, Houston, and Austin, Texas businesses.

Take a page out of the NDNB playbook for Dallas, Houston, and Austin, Texas businesses, making note of the following best practices and other important criteria regarding SOC 2 reports:

SOC 1 vs. SOC 2

Make sure you that your business is performing the “correct” audit when it comes to SSAE 18 SOC 1 and SOC 2. SOC 1 assessments are for service organizations performing ICFR functions, while SOC 2 assessments are aimed at technology companies – data centers, SaaS, IaaS, PaaS, managed services, and others. There is a difference between SOC 1 and SOC 2, and deciding on which assessment generally begins with client requests and demands.

Pick the Correct Trust Services Principles

Simply known as the TSP’s, there are five (5) of them, which are the following: 1. Security. 2 Availability. 3. Processing Integrity. 4. Confidentiality. 5. Privacy. They are each unique in that they assess a specific area within a service organization’s control environment, ranging from processes and procedures to essential services and functions being performed by a company. As to which of the five (5) TSP’s to include in your SOC 2 audit – good question – and this really comes down to client needs and expectations, along with other variables, such as industry specific/market needs, etc.

SOC 2 vs PCI Compliance – Introduction and Overview

As auditors, we’re often asked to provide a comprehensive overview regarding SOC 2 vs PCI compliance. More specifically, businesses that have to undertake both SOC 2 audits and PCI DSS assessments on an annual basis want to learn more about the respective frameworks, what overlaps and mapping of controls exist, pricing, and much more. Well, let’s get started and take a deep dive into SOC 2 vs PCI compliance, compliments of NDNB, one of North America’s leading providers of high-quality, fixed-fee audit services from coast to coast.

An Introduction to SOC 2

System and Organization Controls (SOC) 2 is a comprehensive reporting framework put forth by the American Institute of Certified Public Accountants (AICPA) for which independent, third-party auditors, such as a CPA and/or CPA firm, perform an assessment and subsequent testing of controls relating to the Trust Services Criteria (TSP) of Security, Availability, Processing Integrity, Confidentiality and/or Privacy.

In need of a SOC 2 audit or are seeking to learn all about the SOC 2 audit process? Then consider NDNB, California’s leading provider of high-quality, fixed-fee audit services. NDNB also offers comprehensive training resources for all aspects of the AICPA System and Organization Control (SOC) framework, which consists of SSAE 18 SOC 1, SOC 2 and SOC 3 reporting. Learn more about NDNB’s SOC 2 audit services today at socreports.com, or call Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706 (or email at This email address is being protected from spambots. You need JavaScript enabled to view it.) to learn about NDNB’s fixed-fee SOC 2 audit engagements.

California’s Leading Provider of SOC 2 Audits – Fixed Fees

As California’s leading provider of high-quality, fixed-fee SOC 2 audits, NDNB can help your organization become compliant quickly, comprehensively, and in a cost-effective manner. The SOC 2 audit process doesn’t have to be an extremely laborious, time-consuming and expensive proposition – not all – especially when utilizing the services of a proven and trusted CPA firm such as NDNB. From offering initial SOC 2 readiness assessments to comprehensive documentation writing services – and more – NDNB is ready to get you compliant, quickly and cost-effectively.

SOC 2 reporting for Colorado businesses in Denver, Fort Collins, Boulder, and other surrounding areas, is offered by NDNB, one of North America’s leading providers of SOC 1, SOC 2, and SOC 3 compliance solutions. SOC 2 reporting, which is part of the AICPA System and Organization Controls (SOC) framework, incorporates the use of what’s known as the Trust Services Principles & Criteria (TSP), which essentially consists of “criteria” based provisions. Simply stated, it’s a comprehensive audit performed on many technology companies regarding their internal control structure.

NDNB leads the way in SOC 2 Type 1 & 2 audits for Charlotte, Raleigh, Durham and other businesses across the state of North Carolina. We know that running a business is hard work, and that’s why NDNB guarantees that your audit will come in on budget and on time.

NDNB goes above and beyond industry standards in regulatory compliance report auditing, ensuring that your clients have the information they need and the assurance that your business meets all state and federal reporting guidelines. Here’s how.

NDNB enters the picture before the audit process begins by offering a scoping and readiness assessment. This process ensures that the internal controls, policies and procedures are in place and that your audit best represents your North Carolinian company.

Once the gaps and deficiencies are found, NDNB is here to provide our clients with a complementary SOC 2 Policy Packet filled with templates and documents to help remediate those findings; NDND also provides onsite assistance to help strengthen and formalize your internal controls.

As the SOC 2 auditing process can be overwhelming, NDNB suggest clients who are new to these compliance reports to begin with a Type 1, focused on a specific date in time, and then to transition to a Type 2 the following year which encompasses a testing period of generally six (6) months.

From there, we work with your company every step of the way, ensuring that all standards are met and that your organization remains in compliance so you and your clients can rest easy at night.

We are here to help make what may seem like a daunting process as easy as possible. When your business is ready to take these steps with us, call Christopher G. Nickell, CPA, at 1-800-277-5416, ext. 06, or email him at This email address is being protected from spambots. You need JavaScript enabled to view it. to learn more.

NDNB is Southern California’s leading provider of SSAE 18 SOC 1 compliance audits, offering fixed fees for both SOC 1 Type 1 and SOC 1 Type 2 assessments for businesses all throughout San Diego, Orange County, Los Angeles, Santa Barbara, and other select locations. With today’s continued growth of massive regulatory compliance mandates, Southern California businesses are being forced to undertake annual audits & assessments – such as SSAE 18 SOC 1 – and NDNB is ready to assist in providing efficient, high-quality, and cost-effective services and solutions.

SOC 1 Compliance Auditors | Southern California | Fixed Fees

One of the most common questions we receive from Southern California businesses is which audit should they be performing, a SOC 1 assessment or possibly a SOC 2 assessment, and it’s a valid question. For clarity, remember that SOC 1 audits are generally imposed on service organizations that have the ability to impact financial reporting on behalf of their clients, such as transactions undertaken that could impact revenue reporting, balance sheet information, cash flow models, etc. As for SOC 2 assessments, they’re aimed directly at businesses that rely heavily on information technology as their core business, such as data centers, SaaS entities, and more.

In need of a SOC 2 audit or are seeking to learn all about the SOC 2 audit process? Then consider NDNB, California’s leading provider of high-quality, fixed-fee audit services. NDNB also offers comprehensive training resources for all aspects of the AICPA System and Organization Control (SOC) framework, which consists of SSAE 18 SOC 1, SOC 2 and SOC 3 reporting. Learn more about NDNB’s SOC 2 audit services today at socreports.com, or call Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706 (or email at This email address is being protected from spambots. You need JavaScript enabled to view it.) to learn about NDNB’s fixed-fee SOC 2 audit engagements.

California’s Leading Provider of SOC 2 Audits – Fixed Fees

As California’s leading provider of high-quality, fixed-fee SOC 2 audits, NDNB can help your organization become compliant quickly, comprehensively, and in a cost-effective manner. The SOC 2 audit process doesn’t have to be an extremely laborious, time-consuming and expensive proposition – not all – especially when utilizing the services of a proven and trusted PCAOB CPA firm such as NDNB. From offering initial SOC 2 readiness assessments to comprehensive documentation writing services – and more – NDNB is ready to get you compliant, quickly and cost-effectively.

NDNB provides Colorado businesses with comprehensive SOC 1 SSAE 18 solutions, ranging from in-depth readiness assessments to SOC 1 SSAE 18 Type 1 and SOC 1 SSAE 18 Type 2 reporting. Because of the complexities and time-commitments necessary for undertaking annual compliance audits – such as SOC 1 SSAE 18 – Colorado businesses in Denver, Boulder, Fort Collins, and other select regions – would highly benefit from a useful and proactive readiness assessment. They’re brief, highly informative, and provide insightful information for ensuring one’s control environment is ready for an actual SOC 1 SSAE 18 audit.

SOC 1 Readiness Assessments for Colorado Businesses

NDNB’s SOC 1 SSAE 18 readiness assessments effectively encompass the following services and solutions for Colorado businesses:

Processes & Practices: Documentation, such as policies and procedures are critical, but so are the actual processes and practices for ensuring a strong internal control environment actually exists. Identifying weaknesses and a lack of controls – if any – is also a critical component of NDNB’s SOC 1 SSAE 18 readiness assessment for Colorado businesses.

SOC 2 Type 1 certification audits are offered from NDNB, North America’s leading provider of high-quality, competitively prices System and Organization Controls (SOC) assessments. Additionally, SOC 2 Type 1 certification audits performed by NDNB also come complete with a complimentary SOC 2 Policy Packet containing hundreds of pages of critical information security and operational specific policies, procedures, and much more.

We provide a complimentary SOC 2 Policy Packet for each our clients! Please note that while the term “SOC 2 certification” is well-known and used, it is actually an incorrect statement as no certification is provided. Rather, a SOC 2 audit is an assessment conducted in accordance with stated AICPA standards, such as the Trust Services Criteria, one that results in the issuance of a SOC 2 report, complete with an attestation.

Here’s what you need to know about SOC 2 Type 1 audits, courtesy of NDNB, North America’s leading provider of SSAE 18 SOC 1 and SOC 2 assessments:

1. SOC 2 Type 1 Audits are a Starting Point: Call it the essential stepping stone process for SOC 2 compliance whereby companies new to internal control audits begin with a SOC 2 Type 1, then subsequently “graduate” and move on to annual SOC 2 Type 2 assessments in future periods. A SOC 2 Type 1 also helps lay the fundamental groundwork for policies, procedures, and processes that will ultimately be assessed during the SOC 2 Type 2 test period.

SSAE 18 SOC 1 audit reports are available at fixed fees for Austin, TX and San Antonio, TX businesses from NDNB, Texas’ leading provider of SOC audits and compliance services. With years of experience performing regulatory compliance audits and assessments, NDNB has the expertise and knowledge for ensuring an efficient, high-quality audit process from beginning to end. While the SOC 2 assessment standard is highly suitable for many of today’ technology businesses (i.e., data centers, SaaS & cloud computing, etc.), SSAE 18 SOC 1 reporting focuses on the Internal Control over Financial Reporting concept, known simply as ICFR.

SOC 1 Reporting and ICFR – What Texas Businesses Need to Know

Specifically, service organizations providing material services to customers for which such functions have the ability to impact their customer’s financial reporting, are the ideal candidates for SSAE 18 SOC 1 audit reports. Banks, trust departments, actuarial services, third party administrators (TPA) – these are all excellent examples of SSAE 18 SOC 1 audit reporting candidates.

Hosting in Amazon AWS and Need a SOC 1 or SOC 2 Audit? Let's Talk.

If you as a service organization are working with any type of client specific data that may be relevant to such clients’ financial reporting, then the SSAE 18 SOC 1 standard is an ideal audit indeed. Since the retirement of the historical SAS 70 audit standard some years ago, SSAE 18 SOC 1 reporting has become the global de factor reporting standard for internal controls relating to financial systems – no question about it – but please keep in mind that SOC 2 is also a viable option, particularly for technology-oriented service organizations.

SOC 2 Type 1 compliance assessments & audits are offered from NDNB, North America’s leading provider of high-quality, competitively prices SOC assessments. Additionally, SOC 2 Type 1 compliance assessments & audits performed by NDNB also include a complimentary SOC 2 Policy Packet containing hundreds of pages of critical information security and operational specific policies, procedures, and much more.

Hosting in Amazon AWS and Need a SOC 1 or SOC 2? Let's Talk.

Here’s what else you also need to know about SOC 2 Type 1 compliance, courtesy of NDNB:

1. A SOC 2 Scoping & Readiness Assessment is Essential: If you’re new to the world of regulatory compliance, particularly the AICPA SOC 1, SOC 2, and SOC 3 reporting frameworks, then welcome, and don’t forget that a readiness assessment is crucial. Why? Because you’ll want to have an objective, independent assessment of your internal controls BEFORE you even begin to think about performing an actual SOC 2 audit. More specifically, you’ll need to find a proven CPA firm who can help assess audit scope, identify areas of remediation, and provide you with a roadmap for audit success.

Getting it “right” in terms of SOC 2 compliance means performing a readiness assessment and assessing, evaluating, and taking necessary action on the findings of such results. Every service organization being required to perform annual SOC 2 audits will no doubt benefit from NDNB’s SOC 2 readiness assessments, so contact Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706, or email him at This email address is being protected from spambots. You need JavaScript enabled to view it. today.

NDNB provides Southern California businesses in Orange County, Los Angeles, San Diego – and other SoCal regions – with industry leading SOC 2 Type 2 reports for fixed fees. As industry leaders in the world of regulatory compliance, NDNB has been working all throughout the state of California for years in offering professional services at reasonable fees that all businesses can live with.

Compliance can be an expensive and time-consuming mandate – particularly when it comes to SOC 2 Type 2 reports – so do what other businesses all throughout Southern California have done, and that’s turn to the compliance experts at NDNB.

Want to learn more about SOC 2 – great – then take note of the following critical issues regarding the System and Organization Controls (SOC) framework:

SOC 1 and SOC 2: SSAE 18 SOC 1 assessments are different from SOC 2 assessments, and this you need to know. Yes, they both assess a service organization’s control environment, but SSAE 18 SOC 1 is for businesses providing services that can impact a client’s financials, while SOC 2 is for technology-oriented businesses. You would think with such a clear distinction between two (2) reports that picking the right audit is easy – wrong – and that’s because your clients are often misinformed and mislead on which reporting option to choose. The SOC 1 vs. SOC 2 debate continues to rage, but thankfully, clarity and transparency are coming into play where service organizations are truly beginning to understand the differences.

Looking for a SOC 2 Type 1 guide, then welcome to socreports.com, the most in-depth website dedicated to the SOC 2 standard. Developed by NDNB – North America’s leading provider of SOC 2 assessments, socreports.com will answer all your SOC 2 questions, essentially becoming your SOC 2 Type 1 guide. Moreover, NDNB’s SOC 2 Type 1 guide information is without question the most informative, up-to-date, and easy-to-read documentation found anywhere on the Internet today.

If your business is interested in seeking annual SOC 2 compliance – or you’re being requested to perform such services by a client or notable prospect – here’s what you need to know:

1. Welcome to the World of Regulatory Compliance: Today’s business world is full of challenges and complexities, and now a new and ever-growing mandates sits high on the list for many businesses; regulatory compliance. With an ever-changing digital world and a threat landscape that seems to be growing larger each year, companies are being required to perform a host of annual security and operational audits, such as SSAE 18 SOC 1 and SOC 2 compliance. SOC 2, put forth by the AICPA, is essentially tailored towards technology companies – the likes of data centers, SaaS vendors, and more – so if that’s you, then expect to be summoned for annual SOC 2 compliance.

NDNB provides industry leading SOC 2 audit reports and assessments for metro Atlanta businesses, along with other entities in select regions throughout the state of Georgia. With growing regulatory compliance mandates being imposed on all types of organizations – regardless of industry, size or location – now’s the time to seek out the services of Georgia’s premier SOC 2 audit firm, and that’s NDNB.

Atlanta, Georgia SOC 2 Audits & Assessments | Fixed Fees | Call NDNB

Atlanta is the new hotspot for technology in the country – and it’s no fad – as companies are pouring into Georgia because of friendly labor laws and low taxes. Just look at how much Alpharetta has grown in recent years, with a large part of its success directly attributed to the tech sector. Yet it also means that the untold numbers of technology companies in Atlanta will more than likely face growing regulatory compliance mandates, specifically that of SOC 2 compliance, and for good reason. As companies continue to outsource critical services, they must rely on the safety and security of various third-parties, and SOC 2 audit reports are high on the list for many businesses providing such services to other entities.

Question: What Does SOC 2 Stand For?

Answer: SOC 2 stands for “System and Organization Controls”, for which there are two (2) main types of SOC reports – SOC 1 reports and SOC 2 reports. While SOC 1 reports are primarily aimed at service organizations who provides essential services that could impact financial reporting for their clients, SOC 2 reports are geared towards the large and growing technology industry that is now taking shape.

As stated by the American Institute of Certified Public Accountants (AICPA), “System and Organization Controls (SOC) is a suite of service offerings CPAs may provide in connection with system-level controls of a service organization or entity-level controls of other organizations.”

The Importance of SOC 2 Reports

As for SOC 2 reports, they are intended to meet the needs of a broad range of users requiring comprehensive information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.

As such, SOC 2 reports play a vital role in helping service organizations illustrate their internal controls to other entities requiring such information. Think of it this way in much more simpler terms. You have a business, and you’re relying on other businesses to perform critical functions that are essential to your success. So, don’t you want to know – don’t you deserve to know – that whatever services you’re outsourcing to these businesses, that they have the proper internal controls in place? Yes, you do, and it’s why SOC 2 audits have been experiencing massive growth in recent years, and will continue to do so.