Security & Compliance Blog

Stay informed on changing compliance regulations

Get A Fixed Fee Quote Today Request a Free Quote

Southern California SOC 2 Audit Reports & Assessments | Fixed Fees

SOC 2 reports and assessments for Southern California businesses – including San Diego, Orange County, Los Angeles, and other select regions – are available from NDNB, one of California’s leading providers of regulatory compliance audits. NDNB offers competitively priced, fixed fee assessments for businesses needing to comply with today’s growing compliance mandates, such as SSAE 18 SOC 1, SOC 2, PCI DSS, HIPAA and many other federally and/or industry specific regulations.

With years of experience working with California businesses, NDNB possesses the manpower and knowledge when it comes to the alphabet soup of regulations, so contact Christopher G. Nickell, CPA, today at 1-800-277-5415, ext. 706, or email him at This email address is being protected from spambots. You need JavaScript enabled to view it..

  2022 Hits

6 Things to Know about SSAE 18 SOC 1 for California Businesses

If you’re a California business just entering the world of regulatory compliance, here’s what you need to know about SSAE 18 SOC 1 compliance, courtesy of NDNB, the Golden State’s leading provider of fixed-fee regulatory services and solutions:

1. Begin with a SSAE 18 SOC 1 Scoping & Readiness Assessment. Want to gain a true understanding and working knowledge of SSAE 18 audits, then perform an upfront SOC 1 scoping & readiness assessment – a pre-audit exercise that effectively identifies audit scope boundaries, areas of remediation, personnel needs, and other relevant factors. One of the biggest challenges that California businesses face with regulatory compliance is “scope creep”; an audit that’s simply grown too large, too complex, and costly.

  1606 Hits

SOC 2 Compliance Audits Atlanta, GA – 9 Steps for Auditing Success

SOC 2 compliance audits for Atlanta, Georgia service organizations are often a necessity in today’s world of growing regulatory compliance, so turn to the auditing professionals today at NDNB. We’ve issued hundreds of SOC 2 reports since the launch of the new AICPA System and Organization Controls (SOC) framework in 2011, so call and speak with Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706, or email him at This email address is being protected from spambots. You need JavaScript enabled to view it. to learn more today.

We’re Georgia’s Compliance Leaders – Let’s Talk

It’s no secret that regulatory compliance is alive and well all throughout North America, and definitely in Atlanta, Georgia due to the tremendous growth of information technology in the Southeast. Georgia is without question one of the leading centers for commerce in the United States, and what’s not to love about our business climate – a diverse mixture of companies, great access to transportation and resources, and so much more.

  1839 Hits

SOC 2 Compliance Consultant – Getting you Ready for Audits

Looking for a SOC 2 consultant, somebody with expertise, knowledge, and years of audit experience in helping you plan and prepare for a successful audit? Then talk to the experts at NDNB, one of North America’s leading providers of SOC 2 audits. Not only do we offer SOC 2 assessments – both SOC 2 Type 1 and SOC 2 Type 2 assessments – for fixed fees, we also offer SOC 2 scoping & readiness assessments for service organizations all throughout North America. In simpler terms, we become your much-needed SOC 2 consultant for helping with all aspects of annual SOC 2 compliance.

  2183 Hits

How to Become SOC 2 Compliant?

Businesses all throughout North America are being hit hard with SOC compliance reporting, so if you’re asking yourself how to become SOC 2 compliant, NDNB – a leading provider of SOC 2 audit services – offers the following SOC 2 roadmap to compliance for helping ensure an efficient, thorough, and cost-effective process is put in place.

Here’s what you need to know regarding how to become SOC 2 compliant, courtesy of NDNB, North America’s leading provider of SOC 2 audits & assessments.

  2680 Hits

SSAE 18 SOC 1 Compliance Auditors - Orange County, CA - Fixed Fees

NDNB is Orange County’s leading provider of SSAE 18 SOC 1 compliance audits, offering high-quality, competitively priced fixed fees. With an ever-increasing list of regulatory compliance mandates being imposed on today’s businesses, Orange County service organizations need a proven and trusted firm for providing guidance and clarity with SOC 1 compliance, and that’s NDNB.

We’ve been involved with regulatory compliance for years, starting with the historical SAS 70 auditing standard in 1992, and continuing on with the new AICPA Service Organization Control (SOC) reporting framework, which consists of SSAE 16 (now SSAE 18) SOC 1, SOC 2, and SOC 3 reporting.

SSAE 18 SOC 1 Compliance Auditors - Orange County, CA - Fixed Fees

One of the biggest questions Orange County service organizations always have is, “which audit should I do, an SSAE 18 SOC 1 or a SOC 2 audit”, and it’s a good question indeed. While the SSAE 18 standard, which is the professional standard used for issuing SOC 1 reports, officially replaced the one-size fits all SAS 70 and SSAE 16 standard, the SOC 2 standard was completely new.

It’s also important to note that SOC 1 audits are for service organizations that typically display a credible relationship to impacting their clients’ financial reporting, more commonly known as Internal Controls over Financial Reporting (ICFR). Specifically, if you’re performing functions for your clients – and such functions can impact their financial reporting – then SSAE 18 SOC 1 is the preferred choice for assessing internal controls.

  1706 Hits

SOC 1 SSAE 18 Remediation & Audits for Atlanta, GA Businesses – Fixed Fees

NDNB provides SSAE 18 SOC 1 remediation services – along with SOC 1, SOC 2, and SOC 3 audits – to businesses all throughout the Atlanta, Georgia metropolitan area. With the continued growth of regulatory compliance, companies all throughout the Atlanta area are being required to undertake annual SSAE 18 SOC 1 audits, however, getting prepared for such an assessment is often the most difficult, challenging, and time-consuming aspect of the entire audit itself.

Providers of Comprehensive SSAE 18 SOC 1 Solutions at Fixed Fees

But before any service organization can undertake remediation activities, they’ll need to identify what exactly requires remediation, such as policies and procedures, system configuration changes, and other notable mandates. It’s why performing an SSAE 18 SOC 1 readiness assessment is vital for purposes of identifying gaps, weaknesses, and other internal control failures. NDNB provides comprehensive SSAE 18 SOC 1 readiness assessments, along with the following remediation services for SOC audits:

Policy and Procedure Writing: A big – and growing part – of regulatory compliance is documentation, and it’s why NDNB offers comprehensive policy writing services for our clients. The time and effort needed for developing high-quality, comprehensive, SSAE 18 SOC 1 minimum required policies and procedures can be incredibly time-consuming and operationally challenging. The best advice we can give our clients – if you don’t have documentation in place – is allowing NDNB to provide you with our in-depth and easy-to-use information security policy and procedures writing services.

  1612 Hits

SOC 2 Risk Assessments | Introduction and Overview Service Organizations

Per the AICPA Publication, Trust Services Principles and Criteria, “A risk assessment process is used to establish a risk baseline and to, at least annually, identify new or changed risks to personal information and to develop and update responses to such risks.” So, does it mean that service organizations undertaking annual SOC 2 compliance assessments need to perform an annual risk assessment? Absolutely. In fact, a number of the “Common Criteria” listed within the overall Trust Services Principles and Criteria require that a documented, formalized risk assessment process be in place.

What’s the Scope for A SOC 2 Risk Assessment?

The challenge, however, for service organizations, is determining what the scope of a risk assessment should be, what documentation should be used for such an exercise, and are their standards and guidelines to use. Let’s take a look at all of these issues and clarify the risk assessment process once and for all for SOC 2 reporting. NDNB provides a complimentary risk assessment program to all of our valued SOC 2 audit clients.

There are many different categories of risk than you can choose to assess on, such as market risk, credit risk, security risk, country risk, etc.

The key to determining which of these risks you should assess during a SOC 2 engagement depends primarily on your business process and other essential scoping parameters. Yet even with that said, most – if not all – service organizations will assess information security risks, and other applicable operational risks, two key areas relevant to the SOC 2 auditing process.

  3308 Hits

Atlanta, Georgia PCI-QSA Services, Consulting, Certification, PCI-DSS Experts | Fixed Fees

NDNB provides industry leading, fixed-fee PCI DSS consulting and assessment services for Atlanta, Georgia businesses seeking to comply with the Payment Card Industry Data Security Standards (PCI DSS) mandates. With proven cybersecurity auditors that have years of real-world experience, NDNB is Georgia’s preferred choice for PCI DSS compliance.

Atlanta is one of the largest centers of commerce in North America, with companies moving to the metro area almost daily, creating immense opportunities for jobs seekers and for companies looking to call the Peach State home. What also comes along with huge growth are massive regulatory compliance requirements – specifically, the PCI DSS standards – so turn to the experts today at NDNB for proven services and fixed-fee pricing.

NDNB is Atlanta’s premier compliance firm when it comes to the almost endless list of regulations and industry mandates businesses have to comply with. Call and speak directly with a PCI-QSA today at 1-800-277-5415, ext. 705.

What We Offer Atlanta Businesses for PCI DSS Compliance

1. Scoping & Readiness Assessments: A PCI DSS scoping & readiness assessment is essential for Atlanta, Georgia businesses new to the PCI DSS compliance mandates, as critical initiatives – such as scoping, assessing internal controls, developing a roadmap & plan of action for remediation, and more – must be performed prior to any type of certification process even beginning.

The compliance mandates put forth by the Payment Card Industry Data Security Standards (PCI DSS) can be incredibly challenging, complex, and time-consuming, thus it’s important to perform an upfront scoping & readiness assessment prior to your PCI certification efforts.

It doesn’t have to be done annually, but it’s highly recommended to perform this activity for any business new to the PCI DSS reporting mandates. Having a clear plan of action and knowing what the roadmap ahead is in terms of PCI DSS compliance are the true benefits of a scoping & readiness assessment, so call and speak directly with a PCI-QSA today at 1-800-277-5415, ext. 705.

2. Remediation Services: The vast majority of Atlanta merchants and service providers who are seeking to become compliant with the Payment Card Industry Data Security Standards (PCI DSS) will ultimately require some form of remediation. From missing policies and procedures to incorrectly configured system settings, remediation is an essential component of PCI compliance.

NDNB provides comprehensive remediation assistance, from providing policy templates to policy writing services, technical implementation solutions, and much more. There’s simply no reason to “go it alone” when it comes to correcting internal control deficiencies related to PCI compliance – talk to the experts at NDNB today.

3. Policies and Procedures Writing: High on the list of remediation is often policies and procedures, which can become an incredibly time-consuming and arduous process, but thanks to our industry leading security policy templates, we’ve got you covered with two great options. First, you can simply obtain our policy and procedure templates – which have been written by our very own PCI-QSA – and customize them yourself, ultimately saving thousands of dollars and hundreds of hours.

Second, you can hire NDNB to author the policies for you – a service we’ve been providing since 2009 to our clients all throughout North America – also a great option that saves a tremendous amount of time.

4. Technical Remediation: Remember that the Payment Card Industry Data Security Standards (PCI DSS) are a rather technical certification process, one that includes numerous I.T. mandates. Because of this, both merchants and service providers will often find themselves implementing a number of technical remediation activities, ranging from changing firewall configuration files to implementing File Integrity Monitoring, and much more.

  1738 Hits

SSAE 18 SOC 1 Introduction and Overview for Washington DC Metro, Maryland, and Northern Virginia Businesses

NDNB is a leading provider of SSAE 18 SOC 1 assessments for Washington DC, Maryland, and Northern Virginia service organizations. With fixed-fee pricing and years of experience in regulatory compliance, we offer highly efficient audit services that save businesses both time and money. The DC metro area is arguably now the biggest I.T. region in North America – surpassing even coveted Silicon Valley in various metrics – which ultimately means big and looming regulatory compliance mandates are just around the corner for thousands of businesses.

From Northern Virginia to Annapolis, we’re a Household Name

Looking for a firm with true roots in the DC Metro region, then look no further than the professionals at NDNB, as many of our founding partners not only call the area home, they have also spent decades raising their families and starting their careers here. The Washington, D.C. metropolitan area is a fascinating, complex and lively region, offering incredible opportunities for all walks of life, and its one reason the region is still experiencing massive growth.

As such, NDNB has positioned itself as a hometown service provider of regulatory compliance services, offering fixed-fee assessments for many of today’s challenging and demanding rulings and regulations. Getting ready, prepared, and successfully executing on today’s complex and time-consuming compliance mandates requires expert knowledge and audit “know-how” – traits that NDNB exhibits with each of our clients.

What DC Metro Businesses Need to Know for SSAE 18 SOC 1

We’ve put together the following detailed and comprehensive SSAE 18 SOC 1 introduction and overview for Washington DC, Maryland, and Northern Virginia businesses for helping gain a greater understanding of one of today’s most demanding compliance mandates. SOC 1 compliance is here to stay, so it’s important to gain a strong technical understanding of all the relevant aspects of the AICPA Service Organization Control (SOC) framework.

  1605 Hits

SOC 2 Remediation Services for California Businesses

NDNB offers a wide variety of SOC 2 compliance services for California businesses, including notable SOC 2 remediation services ranging from policy and procedure writing to technical implementation and correction of internal controls. NDNB has been California’s leading compliance provider for years, so turn to the experts who offer the following SOC 2 remediation services.

SOC 2 Remediation Services for California Businesses

1. InfoSec Policy Documentation: Information security policies and procedures form a large element of SOC 2 compliance as each of the respective “Common Criteria” provisions within the Trust Services Criteria (TSC) essentially advocate documentation. It can be an incredibly time-consuming and challenging endeavor in developing all necessary policies and procedures, and it’s why NDNB offers such services. We also provide all of our California clients with a complimentary documentation if they would like to develop the policies themselves. It’s just another example of what separates NDNB from the “other guys”.

  1857 Hits

AICPA Trust Services Principle and Criteria (TSP) – Introduction for SOC 2 Audits

The AICPA Trust Services Principles and Criteria (TSP) are essentially control criteria established by the Assurance Services Executive Committee (ASEC), and consist of Security, Availability, Processing Integrity, Confidentiality, and Privacy. Furthermore, such control criteria are used for attestation or consulting engagements for evaluating and reporting on controls over the security, availability, processing integrity, confidentiality, or privacy over information and systems (a) across an entire entity; (b) at a subsidiary, division, or operating unit level; (c) within a function relevant to the entity's operational, reporting, or compliance objectives; or (d) for a particular type of information used by the entity.

There are Five Trust Services Criteria (TSP)

As to the actual Trust Services Principles and Criteria (TSP), they comprise of the following:

  • Security
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy
  13752 Hits

SOC 2 Audits & HITRUST CSF Assessments – Introduction and Overview

As a healthcare organization – or provider of services to the broader healthcare arena – you’ve probably come across the SOC 2 HITRUST topic. After all, in today’s world of ever-growing regulatory compliance mandates, SOC 2 HITRUST is now front and center for thousands of businesses throughout North America. NDNB, one of the country’s leading provider of security and compliance audits, offers a comprehensive introduction and overview to the SOC 2 HITRUST topic.

And with HITRUST certification comes along one of the biggest questions that healthcare organizations are asking themselves: “Should we become HITRUST CSF compliant, or should I have a CPA firm perform a SOC 2 HITRUST assessment on my organization, and what’s the difference?”

Let’s examine this question – and others – in more detail.

What is HITRUST?

According to, HITRUST, in conjunction with private sector, government, technology and information privacy and security leaders, has developed the HITRUST CSF, a certifiable framework that can be used by any organization that creates, accesses, stores or exchanges sensitive information.

Furthermore, the HITRUST CSF harmonizes multiple frameworks, standards, state, federal and International regulations and leading practices into a single framework. The HITRUST CSF addresses industry- specific challenges by leveraging and enhancing existing frameworks, standards and regulations to provide organizations of varying sizes, geographic operation and risk profiles with prescriptive implementation requirements and guidelines.

Lastly, the HITRUST CSF is a scalable, prescriptive and certifiable framework that harmonizes numerous standards, regulations, control frameworks and leading practices.

A large number of healthcare organizations undertake annual HITRUST compliance by having an independent, third-party auditor assess them against the prescriptive HITRUST CSF framework. Specifically, HITRUST CSF Certification requires the services of a HITRUST approved CSF Assessor organization. The result is a report with findings that can be given to customers, prospects, local/state/federal agencies, and other applicable entities.

Let’s not forget that a much-talked about press release in 2015 ( for which HITRUST gained the attention of the broader healthcare industry as the HITRUST CSF framework was anticipating heavy adoption and implementation, for which this has happened. Bottom line, HITRUST CSF is the unrivaled industry leader in terms of healthcare compliance frameworks, and it’s here to stay.

  2399 Hits

SSAE 18 SOC 1 Introduction and Overview for California Service Organizations

Many businesses in California – and around the nation – are being required to undertake annual SSAE 18 SOC 1 assessments & audits, but are unfortunately not clear on many of the facets regarding Statement on Standards for Attestation Engagements (SSAE) No. 18. As such, NDNB, California’s leading provider of high-quality, fixed fee audits, has provided the following introduction and overview regarding SSAE 18 SOC 1 reports.

California’s Leading Provider of SSAE 18 SOC 1 Compliance

NDNB has been performing a wide variety of regulatory compliance audits and assessments all throughout California, and along the way we’re often asked what the important points a business really needs to know for ensuring an efficient audit process from day. We understand compliance can be complex, costly, and incredibly time-consuming, so we’ve assembled our team of auditing experts and put together the following list for California businesses.

What California Businesses Need to Know About SSAE 18 SOC 1 Reporting

Learn About the SOC Framework: SOC stands for System and Organization Controls (SOC) reports, a comprehensive reporting platform put forth by the American Institute of Certified Public Accountants (AICPA) which offers the following three (3) reporting options: SOC 1, SOC 2, and SOC 3. Additionally, SSAE 18 is the professional standard for issuing SOC 1 assessments, while SOC 2 and SOC 3 – which are geared towards technology companies – utilize the AT 101 standard. This represents a radical departure – and much needed – from the aging, and antiquated SAS 70 auditing standard that was released in April, 1992.

Understand the ICFR Concept: There’s a concept in the world of auditing known as “Internal Controls over Financial Reporting”, which essentially states that any service organization undertaking financial related activities for their customers – for which such activities can impact financial reporting for customers – should be assessing against the SOC 1 reporting option, which uses the SSAE 18 standard. Thus, for example, if you’re an actuarial entity, and the reporting provided to clients impacts their financial reporting, SOC 1 reporting is to be utilized. SOC 2 audits have no ICFR concept, and are thus geared towards technology driven service organizations.

Be Aware of Critical Scope Considerations and Control Objectives: Want to have a successful, efficient, and cost-effective audit – not a costly, nightmarish scenario with the dreaded “scope creep” – then undertake an NDNB SSAE 18 SOC 1 readiness assessment. When performed correctly for California and Orange County service organizations, an SSAE 18 SOC 1 readiness assessment helps assess scope, determine gaps and deficiencies within one’s internal control environment, thereby preparing an organization for long-term audit success.

Additionally, NDNB provides a complimentary information security policies and procedures to all of our clients for helping bridge the gap with critical audit documents needed for compliance. It’s just one of many reasons why Southern California businesses choose NDNB. Call and speak with Christopher Nickell today at 1-800-277-5415, ext. 705 or email him at This email address is being protected from spambots. You need JavaScript enabled to view it..

  1738 Hits

Overview of AWS Shared Responsibility for SOC 2 Reporting for Users of AWS’ Cloud Services

Businesses operating in the Amazon AWS cloud infrastructure often have to undergo their own annual SOC 2 Type 2 audit assessment. Fortunately, Amazon undergoes an annual SOC 2 audit report for their “Amazon Web Services System”, which, from a scope perspective, includes almost every imaginable cloud service offering. This ultimately brings us to the much-talked about topic of Amazon AWS’ “Shared Responsibility Model”, which is the following, per AWS:

Moving IT infrastructure to AWS builds a shared responsibility model between customers and AWS. AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the services operate. In turn, customers assume responsibility and management of the guest operating system (including updates and security patches), other associated application software, as well as the configuration of the AWS-provided security group firewall.

AWS Shared Responsibility Matrix – Who is Responsible for What and Why

In its most-simplest terms, you, as a customer using AWS’ services, have certain responsibilities for ensuring the security of your environment in the cloud. Yet AWS also has certain responsibilities for ensuring security measures are in place. Therefore, the phrases you’ll often hear for AWS compliance are the following:

AWS responsibility for “Security of the Cloud”: AWS is essentially responsible for protecting the infrastructure that runs all of the services offered within the actual AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.

Customer responsibility “Security in the Cloud”: The customer responsibility will ultimately be determined by the AWS Cloud services that a customer selects. This determines the amount of configuration work the customer must perform as part of their security responsibilities. As such, services such as Amazon Elastic Compute Cloud (Amazon EC2), Amazon Virtual Private Cloud (Amazon VPC), and Amazon S3 are categorized as Infrastructure as a Service (IaaS), ultimately requiring that the customer perform all of the necessary security configuration and management tasks.

Here's an Example of a Typical Customer Deployment: More specifically, let’s say a customer deploys an Amazon EC2 instance, they are then effectively responsible for management of the guest operating system (including updates and security patches), any application software or utilities installed by the customer on the instances, and the configuration of the AWS-provided firewall (called a security group) on each instance.

  3773 Hits

California SOC 1 SSAE 18 Audits - San Diego, LA, Bay Area, San Francisco - Fixed Fees

NDNB provides comprehensive SOC 1 SSAE 18 (and SOC 2) audit assessment reporting for California businesses, from San Diego to Sacramento, and all other regions throughout the Golden State. With regulatory compliance mandates challenging businesses like never before, the time is now for turning to the proven and trusted experts at NDNB. As one of California’s leading providers of SSAE 18 SOC 1 and SOC 2 audits, NDNB offers high-quality, competitively priced, fixed fee engagements, so contact Christopher Nickell today at This email address is being protected from spambots. You need JavaScript enabled to view it. or call him at 1-800-277-5415, ext. 706 today.

Fixed Fees – Proven Auditing Expertise – That’s the NDNB Difference

California is without question one of the most important financial markets in the entire world – based on a number of obvious indicators – and with it comes heavy regulatory compliance mandates for many Golden State businesses. Add to the fact that California is a highly regulated economy – one with numerous and often quite imposing laws, regulations, and taxes – one can clearly see the need for a professional CPA firm capable of providing cost-effective solutions. That firm is NDNB, a nationally recognized leader offering SOC 1 SSAE 18 – and SOC 2 – audits up and down the California coast, via a proven and highly effective phased approach.

  1839 Hits

SSAE 18 SOC 1 Roadmap to Compliance for Atlanta, Georgia Businesses

NDNB offers a highly efficient, scalable, and workable SSAE 18 SOC 1 compliance roadmap, a lockstep process that’s been refined and fine-tuned over the years, beginning as far back as 1992 with the now historical SAS 70 auditing standard. SSAE 18 SOC 1 audits can be incredibly challenging and time-consuming – there’s no debating that – so what’s needed is a roadmap, a true understanding of what it takes to successfully undertake and complete an SSAE 18 SOC 1 assessment on time and on budget.

When it comes to SSAE 18 SOC 1 audits for businesses throughout Atlanta, along with the surrounding Southeast region – and all throughout the United States – look to the experts at NDNB.

SSAE 18 SOC 1 Roadmap to Compliance for Atlanta, Georgia Businesses

Readiness Assessment: Let’s not put the cart before the horse – as the old saying goes – when it comes to SSAE 18 SOC 1 compliance. Specifically, jumping headfirst into a SSAE 18 SOC 1 audit without proper preparation is not recommended, that’s why NDNB recommends performing a readiness assessment, especially for service organizations new to the AICPA Service Organization Control (SOC) framework. Benefits include the following: a true picture of one’s internal control environment, such as the policies, procedures, and processes that will ultimately be assessed during an SSAE 18 SOC 1 audit.

Another big component of an SSAE 18 SOC 1 scoping & readiness assessment is scope, specifically, determining what information systems are to be examined and possibly tested for compliance, what personnel are going to be involved in the audit, what physical locations are to visited and more. It’s also important to put together a comprehensive asset inventory list of all information systems, such as the following: firewalls, routers, switches, load balancer, servers, and the underlying applications running on each server.

  1597 Hits

SSAE 18 SOC 1 Roadmap to Compliance – Fixed Fees Audits & Assessments

California service organizations are often being required to undergo annual SSAE 18 SOC 1 compliance assessments, forcing such entities to spend considerable time and money with one of today’s most demanding and operationally taxing audits. From San Diego to Sacramento, NDNB offers highly experienced audit and compliance services for SSAE 18 SOC 1 audits, along with SOC 2 reporting, and numerous other solutions and services for today’s demanding and complex compliance mandates.

SSAE 18 SOC 1 Roadmap for California Businesses

Looking to gain a stronger understanding of critical steps to take and subject matter you need to know about for ensuring an audit that’s delivered on time and within budget? NDNB offers the following roadmap for helping ease the pain and costs associated with regulatory compliance with the AICPA System and Organization Controls (SOC) framework:

Get in the Mindset: Compliance can often be a mundane, time-consuming, and taxing exercise for California businesses, as this is one of the country’s most highly regulated economies. Add to the mix of growing security compliance mandates – such as SSAE 18 SOC 1 and SOC 2 audits – and its’ easy to see how this can start to get extremely frustrating.

As for SSAE 18 SOC 1 compliance, the real key for auditing efficiency, reduced fees and expenses and minimal business interruption is to conduct a readiness assessment – a useful exercise that clearly defines audit scope and identifies missing gaps and other critical issues. It means changing your mindset about audits and conducting an SSAE 18 SOC 1 readiness assessment for long-term value.

When properly performed, a SOC 2 scoping & readiness assessment successfully identifies critical gaps, weaknesses, and other control issues relevant to a service organization’s internal controls. Specifically, California businesses need to be aware of audit pitfalls, challenges, and what initiatives need to be put in place for ensuring a successful SOC 2 audit, this year, and many years forward. Compliance is here to stay, thus it’s important to properly assess and correct all gaps identified during a SOC 2 scoping & readiness assessment.

  1599 Hits

Charles Denyer Spotlight - National Security, Cybersecurity/Information Security Expert, Author, Speaker

Charles Denyer is a noted author and speaker with publications focusing on national security, cybersecurity, historical and emerging geopolitical issues.  Recipient of Master of Information & Telecommunications Systems from the Johns Hopkins University, Master of Nuclear Engineering from the University of Tennessee at Knoxville, and a BA from the University of Texas at Austin. Learn more at

Former Vice President Dan Quayle and Charles Denyer

  2092 Hits

SOC 1 SSAE 18 Standard and 6 Essential Points

1.  Say Hello to SSAE 18: The SOC 1 SSAE 18 auditing standard has effectively replaced SSAE 16, which in turn replaced SAS 70 for reporting periods ending on or after June 15, 2011. With this being the case, all interested parties---service organizations in particular---should begin to familiarize themselves with the following six (6) essential points regarding the new AICPA (American Institute of Certified Public Accountants) SOC (System and Organization Controls) reporting platform, as well as SSAE 18, the standard under which these reports are issued.

SSAE 18 represents not only the emergence of not only a new “attest” standard, but also a new approach to reporting on controls, as witnessed by the SOC framework, which consists of SOC 1, SOC 2, and SOC 3 reports. This new framework, which has effectively replaced the outdated SSAE 16 and SAS 70 auditing standards, provides service organizations and practitioners alike with a considerably broader platform for reporting on controls.

Specifically, SOC 1 SSAE 18 reports focus on the concept of ICFR, or Internal Control over Financial Reporting. SOC 2 reports, on the other hand, have been designed to meet the growing demand for reporting on controls on technology-related entities, such as cloud computing vendors, Software as a Service (SaaS) entities and software development companies, to name a few. SOC 3 reports are similar to SOC 2, as both utilize the Trust Services Criteria (TSC) and can also be effectively used for reporting on controls on the large and ever-growing list of technology-oriented service organizations.

While SAS 70 was a one-size fits all auditing standard used for almost twenty years for reporting on controls at service organizations, the SOC framework thankfully now provides entities with true, viable options that are much more reflective of today’s ever-changing business environment. Many would agree the changes were long overdue; hence, the migration from SAS 70 to the new SOC framework has generally been well-received.

2. Say Hello to 3 Reporting Options: If you have undertaken SAS 70 compliance in the past, you would be wise to consider all reporting options under the new AICPA SOC framework, not just SOC 1, but also SOC 2 and SOC 3 reports. Most service organizations may feel compelled to simply migrate towards SOC 1 SSAE 16 (now SOC 1 SSAE 18) reporting, primarily due to the current obscurity of SOC 2 and SOC 3 reports. This obscurity may very well be short-lived as the new AICPA SOC framework becomes much more visible, transparent and better understood by all interested parties.

Remember, the SOC 1 SSAE 18 framework is intended for reporting on controls that have a clear and credible link to the ICFR concept. Meanwhile, SOC 2 and SOC 3 are viable options for today's growing list of technology-related service organizations, such as those described above.

  1616 Hits
Since 2006, NDNB has been setting the standard for security & compliance regulations