
SSAE 18 SOC 1 Introduction and Overview for California Service Organizations

Many businesses in California – and around the nation – are being required to undertake annual SSAE 18 SOC 1 assessments & audits, but are unfortunately not clear on many of the facets regarding Statement on Standards for Attestation Engagements (SSAE) No. 18. As such, NDNB, California’s leading provider of high-quality, fixed fee audits, has provided the following introduction and overview regarding SSAE 18 SOC 1 reports.

California’s Leading Provider of SSAE 18 SOC 1 Compliance

NDNB has been performing a wide variety of regulatory compliance audits and assessments throughout California, and along the way we’re often asked what important points a business really needs to know to ensure an efficient audit process from day one. We understand compliance can be complex, costly, and incredibly time-consuming, so we’ve assembled our team of auditing experts and put together the following list for California businesses.

What California Businesses Need to Know About SSAE 18 SOC 1 Reporting

Learn About the SOC Framework: SOC stands for System and Organization Controls, a comprehensive reporting platform put forth by the American Institute of Certified Public Accountants (AICPA) which offers the following three (3) reporting options: SOC 1, SOC 2, and SOC 3. SSAE 18 is the professional standard for issuing SOC 1 assessments, while SOC 2 and SOC 3 – which are geared towards technology companies – utilize the AT 101 standard. This represents a radical, and much needed, departure from the aging and antiquated SAS 70 auditing standard released in April 1992.

Understand the ICFR Concept: There’s a concept in the world of auditing known as “Internal Controls over Financial Reporting” (ICFR), which essentially states that any service organization undertaking finance-related activities for its customers – activities that can impact those customers’ financial reporting – should be assessed against the SOC 1 reporting option, which uses the SSAE 18 standard. Thus, for example, if you’re an actuarial entity and the reporting you provide to clients impacts their financial reporting, SOC 1 reporting is to be utilized. SOC 2 audits have no ICFR concept and are therefore geared towards technology-driven service organizations.

Be Aware of Critical Scope Considerations and Control Objectives: Want a successful, efficient, and cost-effective audit – not a costly, nightmarish scenario with the dreaded “scope creep”? Then undertake an NDNB SSAE 18 SOC 1 readiness assessment. When performed correctly for California and Orange County service organizations, an SSAE 18 SOC 1 readiness assessment helps define scope and identify gaps and deficiencies within one’s internal control environment, thereby preparing an organization for long-term audit success.

Additionally, NDNB provides complimentary information security policies and procedures to all of our clients to help bridge the gap with the critical audit documents needed for compliance. It’s just one of many reasons why Southern California businesses choose NDNB. Call and speak with Christopher Nickell today at 1-800-277-5415, ext. 705, or reach him by email.

Get Educated on the SSAE 18 SOC 1 vs. SOC 2 Debate: “So, which is the correct reporting option to use, SOC 1 or SOC 2?” is a question we receive almost daily, and for good reason. For clarity and simplicity, just remember that SSAE 18 SOC 1 reporting should be for service organizations with a true relationship to the ICFR concept discussed above, while SOC 2 reports should be the focus for technology entities – i.e., cloud computing, SaaS, etc. That’s not to say this path is always followed; many technology service organizations do in fact opt for SSAE 18 SOC 1 reporting.

Audit Evidence: Providing documents – such as security policies, signed memos, screenshots, configuration files, emails, and many other types of evidence – is what an SSAE 18 SOC 1 audit is all about. It’s also about undertaking physical inspections, walking through various facilities and locations, and conducting tests as necessary at those sites.

Documentation: Nobody wants to spend hundreds of hours developing security documents for an SSAE 18 SOC 1 audit – we more than get it – so do what dozens of companies all throughout Southern California have done – obtain NDNB’s complimentary information security policies containing hundreds of pages of expert material for rapid audit compliance. Policies are a big, big part of any audit – especially SSAE 18 SOC 1 audits – and they’re often the biggest gaps found during a readiness assessment, which is all the more reason to consider using NDNB and obtaining our complimentary information security policies.

Management Mandates: Southern California businesses opting for SSAE 18 SOC 1 compliance must provide the service auditor with two distinct items: (1) a description of the system, and (2) a written management assertion. These are unique to the SOC framework – including SOC 2 compliance – so talk to the CPA firm conducting the audit to learn more.

Remediation: Having a picture-perfect control environment and the ability to assess a service organization with no exceptions is a rarity, and it’s why California service organizations need to be aware of the various aspects of remediation that must often take place prior to the audit commencing. Policies and procedures, as mentioned above, are a large part of remediation, but so are the many technical mandates that often must be performed as well.

Examples include provisioning servers, enforcing stronger passwords, and ensuring your data backup and contingency plans are in place – the essential information security and operational best practices that many auditors are on the lookout for when performing today’s regulatory compliance audits, particularly SSAE 18 SOC 1 and SOC 2.

Problem Areas for the Audit: SSAE 18 SOC 1 audits can be laborious and time-consuming, yet many service organizations fail to plan ahead, resulting in the following miscues and problems:

  • Lack of internal resources assigned to the audit.
  • Incorrect scoping, resulting in the all-too-often dreaded “scope creep”.
  • Missing policies and other formal documentation.
  • Lack of internal leadership for ensuring a clear path towards compliance.

NDNB – California’s Leading Provider of SOC 1 and SOC 2 Audits

California businesses looking for superior SSAE 18 SOC 1 audit services – those that are reasonably priced – can turn to the proven and trusted experts at NDNB today, so call and contact Christopher G. Nickell at 1-800-277-5415, ext. 706, or reach him via email. Great service, superior quality, and fixed-fee pricing – that’s the NDNB difference.
