NDNB is Orange County’s leading provider of SSAE 18 SOC 1 compliance audits, offering high-quality, competitively priced fixed fees. With an ever-increasing list of regulatory compliance mandates being imposed on today’s businesses, Orange County service organizations need a proven and trusted firm for providing guidance and clarity with SOC 1 compliance, and that’s NDNB.

We’ve been involved with regulatory compliance for years, starting with the historical SAS 70 auditing standard in 1992, and continuing on with the new AICPA Service Organization Control (SOC) reporting framework, which consists of SSAE 16 (now SSAE 18) SOC 1, SOC 2, and SOC 3 reporting.

SSAE 18 SOC 1 Compliance Auditors - Orange County, CA - Fixed Fees

One of the biggest questions Orange County service organizations always have is, “which audit should I do, an SSAE 18 SOC 1 or a SOC 2 audit”, and it’s a good question indeed. While the SSAE 18 standard, which is the professional standard used for issuing SOC 1 reports, officially replaced the one-size fits all SAS 70 and SSAE 16 standard, the SOC 2 standard was completely new.

It’s also important to note that SOC 1 audits are for service organizations that typically display a credible relationship to impacting their clients’ financial reporting, more commonly known as Internal Controls over Financial Reporting (ICFR). Specifically, if you’re performing functions for your clients – and such functions can impact their financial reporting – then SSAE 18 SOC 1 is the preferred choice for assessing internal controls.

However, if the control environment being assessed is technology in nature – such as cloud computing, data centers, ISP’s, software development, and other related entities – then SOC 2 Type 1 and SOC 2 Type compliance assessments should be performed. They are similar in many regards, but are also quite different, so it’s important to gain a strong understanding of the SOC 1 vs. SOC 2 debate.

The Many Benefits of an SSAE 18 SOC 1 Readiness Assessment

Long-term savings, audit efficiencies, and real value for an SSAE 18 SOC 1 assessment happen when Orange County service organizations opt for a readiness assessment – a brief, yet highly helpful exercise for assessing audit scope, internal control deficiencies, along with an “action list” of items to complete prior to the audit commencing. Saving money, reducing scope creep, and meeting audit expectations is what you’ll receive when conducting an SSAE 18 SOC 1 readiness assessment. More specifically, an SSAE 18 SOC 1 readiness assessment for Orange County businesses from NDNB encompasses the following:

Determining ICFR: There’s a concept called “Internal Controls over Financial Reporting”, and it’s a relevant component of SSAE 18 SOC 1 reporting for which service organizations need to be aware of. If a business is conducting critical activities that could impact the financial reporting for their clients, then such businesses have an ICFR component to address within their SSAE 18 reporting framework. It means developing control objectives that test the internal controls relating to ICFR, for which a well-qualified CPA firm, such as NDNB, can assist with.

Many service organizations today are actually opting for SOC 2 assessments as the SOC 2 framework itself is highly geared toward I.T. entities. Think data centers, Software as a Service (SaaS), Managed Service Providers (MSP), and others – these are all excellent examples of companies performing SOC 2 audits. SSAE 18 SOC 1 assessments are still relevant, they just have a well-defined application and scope, and it’s for service organizations performing critical services that can impact financial reporting for clients.

Assessing Overall Scope: It’s important to determine what specific business processes are to be included within the scope of an SSAE 18 SOC 1 report – everything a company does, or just a segmented business unit or division? Avoiding scope creep is critical, as costs and time commitments can quickly spiral out of control for an audit.

Control Objectives: Once scope has been properly assessed for an SSAE 18 SOC 1 assessment, control objectives will need to be developed, which is often a collaborative process between the service organization and the CPA firm conducting the audit. Again, an in-depth readiness assessment will help assess and choose the correct control objectives for SSAE 18 reporting.

What’s interesting to note about control objectives is that there’s a large degree of subjectivity and overall flexibility in what goes into the development and use of a control objective for testing. Simply stated, you need to work with your CPA firm that’s conducting the SSAE 18 SOC 1 audit when it comes to assessing, developing, and agreeing upon the control objectives to be used.

Locations: Auditors will often have to visit multiple physical locations for purposes of sampling, physical inspection, and other necessary assessment procedures. It’s therefore important to determine which locations are in scope, why, and what must be accomplished at each location. Travelling can be expensive and time-consuming, so keep this in mind. What’s more, with many other entities now performing annual regulatory compliance audits – such as SSAE 18 SOC 1, SOC 2, SOC 2, PCI DSS certification, and others – the ability to rely on such reports for reducing audit scope and fees is now a reality.

Other Important Considerations Regarding SSAE 18 SOC 1 Compliance

While an SSAE 18 SOC 1 scoping & readiness assessment is absolutely critical for your audit’s success, there’s also a number of other items that require attention and consideration. Getting the full picture on SSAE 18 SOC 1 compliance is important for ensuring an efficient process from beginning to end.

Documentation: Possibly the biggest benefit of an SSAE 18 SOC 1 readiness assessment for Orange County, CA businesses is the ability to readily assess and identify weaknesses in policies and procedures, which are one of the most important deliverables for an audit. Companies disdain developing such documentation, and it’s why NDNB provides complimentary information security policies and procedures to all clients for helping ensure rapid compliance – just another reason to consider NDNB.

Have you taken the time to stop and think about the huge efforts needed in developing all the mandated information security policies and procedures for SSAE 18 SOC 1 compliance? It can be overwhelming as most service organizations simply fail to recognize the amount of time and effort it takes in writing security policies – but we do – and it’s why our policy templates are so essential for helping save hundreds of hours and thousands of dollars on SSAE 18 SOC 1 compliance.

More than just Compliance: As auditors, we’re not doing our job if all we provide is baseline minimum recommendations and best practices for SSAE 18 SOC 1 compliance for Orange County businesses. It’s much more than that, it’s about ensuring the safety and security of all organizational assets, which means NDNB will provide a lengthy list of recommendations that generally go above and beyond the audit.

Hosting in Amazon AWS and Need a SOC 1 or SOC 2 Audit? Let's Talk.

Specifically, compliance with SSAE 18 SOC 1 often requires service organizations to acquire and implement various security tools, such as vulnerability scanning, two-factor authentication, audit monitoring and logging, and various other tools. NDNB has a wide network of proven and trusted third-party vendors offering such tools at cost-effective rates.

NDNB is a household name in Orange County – and all throughout California – providing high-quality, efficient, fixed-fee audit and compliance services for SSAE 18 SOC 1 assessments – both Type 1 and Type 2 – along with SOC 2, SOC 3, PCI DSS, FISMA, HIPAA, and more. Regulatory compliance is what we eat, live, breath and sleep each day from our national headquarters. Call and speak with Christopher Nickell, CPA, at 1-800-277-5415, ext. 706 today, or email him at This email address is being protected from spambots. You need JavaScript enabled to view it. today.