Security & Compliance Blog

Stay informed on changing compliance regulations


SOC 1 vs. SOC 2 | AICPA | Understanding the Key Differences & Similarities and What You Need to Know

Thanks largely to the launch of the American Institute of Certified Public Accountants' (AICPA) SOC framework, the SOC 1 vs. SOC 2 discussion is well under way.

SOC stands for "System and Organization Controls", which allows qualified practitioners (i.e., licensed and registered Certified Public Accountants) to issue SOC 1, SOC 2, and/or SOC 3 reports.

After the SSAE 16 standard (which was used for issuing SOC 1 reports and has since been replaced by SSAE 18) effectively replaced the longstanding SAS 70 auditing standard for reporting periods ending on or after June 15, 2011, there has been much debate regarding SOC 1 vs. SOC 2 – specifically, when each is applicable, what the respective scope of each is, and what similarities and differences they share.

System and Organization Controls (SOC 1) reports are to be conducted in accordance with Statement on Standards for Attestation Engagements No. 18 (SSAE 18). This AICPA attestation standard was intended not only to replace SAS 70 and SSAE 16, but also to re-anchor the auditing process in the concept of internal control over financial reporting, or ICFR.

The SOC framework places elevated importance on the ICFR component of service organization reporting, thus steering service organizations toward SOC 1 when the organization has a true nexus with ICFR, such as those in the financial services industry.


SSAE 18 and Payroll and Check Processing Companies | Type 1 and Type 2 Reporting

SSAE 18 Type 1 and Type 2 reporting for payroll providers and check processing companies have a close relationship indeed. Many organizations outsource these material functions to service organizations that provide traditional payroll processing (including the entire lifecycle of the processing platform itself), printing and mailing of hard-copy checks, and multiple other critical services.

If you are a payroll and/or check processing company, or any other type of service organization providing critical services to the payroll industry as a whole, then SSAE 18 Type 1 and Type 2 reporting should be on your radar.


The Importance of SOC 2 Compliance Audits in Today’s Digitally Driven Economy

Information technology has created tremendous efficiencies and cost savings for businesses across the globe, many of which were not even thought possible in the last decade. Organizations everywhere are now more nimble & proactive in critical decision-making processes than ever before. But with such big rewards also come incredibly large challenges, many relating to the safety and security of highly sensitive client data.

Today’s business platforms rely heavily on cloud-based services and platforms, ranging from the well-known Software as a Service (SaaS) offerings to Platform as a Service (PaaS), Infrastructure as a Service (IaaS), and many other hybrid cloud models. While different in terms of offerings and functionality, all cloud platforms rely on critical services and related policies, procedures, and processes for ensuring their confidentiality, integrity, and availability (CIA).

Currently, the most widely recognized security assessment performed on cloud-based businesses is the American Institute of Certified Public Accountants (AICPA) System and Organization Controls (SOC) 2 audit. What makes SOC 2 such a well-known and highly respected auditing framework, one that’s embraced by thousands of companies around the world?


SOC 2 Audit Checklist for Amazon AWS Environments

Use our SOC 2 audit checklist if you’re using Amazon’s AWS cloud services and need to become SOC 2 compliant each year. With the migration to the cloud happening at record pace, tens of thousands of businesses are now being required to become SOC 2 compliant each year, and NDNB offers a proven process that’s efficient and comprehensive. Here’s what you need to know – and what you need to do – for ensuring your SOC 2 audit is a success.

1. Begin with a SOC 2 Scoping & Readiness Assessment: Understanding scope and which business processes are to be included within your SOC 2 audit is essential, and also helps mitigate any scope creep issues. Because you’re hosting your services (i.e., your production environment) in AWS, there are a number of benefits to be had with your SOC 2 audit. First, a large number of the physical security controls are covered by AWS themselves, as their private data centers store your virtual server instances.

Second, AWS has a fair number of audit, compliance, and control tools & solutions that are easy to “spin up” in any environment, further helping alleviate compliance reporting requirements (more on this in point #3 below).

2. Leverage AWS’ SOC Reports for Scope Reduction: For the CPA firm you hired to perform your SOC 2 audit, they’ll ask for you to obtain a copy of AWS’ most current SOC 2 report, and for a very obvious reason – scope reduction. A large number of the controls you’ll need for SOC 2 compliance are actually covered by AWS’ report. From physical and environmental controls – and more – leveraging AWS’ SOC 2 report is a must. Scope reduction = price reduction, something a well-versed SOC 2 auditor can explain to you. To learn more, contact CPA Christopher Nickell at 1-800-277-5415, ext. 706 today.

3. Identify and Utilize AWS’s Security and Compliance Tools: Familiar with CloudWatch and CloudTrail? CloudWatch collects and reports on application logs, while CloudTrail records the details of what activity occurred in your AWS account. These are just two examples of the many tools that AWS makes available for your growing security, governance, and regulatory compliance needs.


SOC 2 Audit Assessments & Reporting – Texas (Dallas, Houston, Austin) - Fixed Fees

NDNB provides comprehensive SOC 2 audit and compliance assessment services & SOC reporting for businesses in Dallas, Houston, Austin, and other surrounding locations in Texas. With increased regulatory requirements being placed on businesses all throughout North America – and the globe – now’s the time to talk to the experts at NDNB. We offer fixed-fee pricing and high-quality audit services, so contact Chris Nickell at 1-800-277-5415, ext. 706, or email Chris directly, to learn more about NDNB’s SOC 2 assessments for Texas businesses.

Comprehensive SOC 2 Services for Texas Businesses – Fixed Fees

Services offered by NDNB for businesses located in Dallas, Houston, Austin, and other surrounding locations in Texas include the following:

SOC 2 Scoping & Readiness Assessments: One of the most fundamentally important activities to be performed during the SOC 2 audit process is beginning with a scoping & readiness assessment; an invaluable function for helping service organizations adequately determine project scope, areas requiring remediation (i.e., policies and procedures, technical changes/modifications, etc.), assessing personnel needs, physical locations to visit, and more.


SOC 2 HIPAA Compliance & SOC 2 Audits

NDB offers fixed-fee SOC 2 HIPAA audit reports & assessments consisting of SOC 2 Type 1 and SOC 2 Type 2 audits for organizations seeking compliance with the Health Insurance Portability and Accountability Act (HIPAA). Ensuring the safety and security of Protected Health Information (PHI), Personally Identifiable Information (PII), and other forms of highly confidential consumer/patient data is now more important than ever.

Additionally, many of today’s main healthcare exchanges and large insurance carriers are requesting SOC 2 HIPAA reports from their downstream providers, which consist of thousands of organizations offering various healthcare related services.


SOC 2 Audit Process from A to Z for Compliance

Looking to learn about the SOC 2 audit process from beginning to end? A simple, yet comprehensive and easy-to-understand explanation of what it takes for your organization to become SOC 2 compliant? NDNB, one of North America’s leading providers of SOC 1 and SOC 2 audits, offers the following A to Z explanation of the SOC 2 audit process.

Step 1: Understand Exactly what SOC 2 is.

Ask any number of professionals what SOC 2 is and you’ll probably get quite a few different answers. Some answers we hear are the following:

  • It’s an audit
  • It’s a certification
  • It’s a best practice for operations and information security
  • It’s a checklist that can be quickly completed

In simple terms – as simple as we can make it – System and Organization Controls (SOC) 2 is a comprehensive reporting framework put forth by the American Institute of Certified Public Accountants (AICPA) in which independent, third-party auditors (i.e., CPAs) perform an assessment and subsequent testing of controls relating to the Trust Services Criteria of Security, Availability, Processing Integrity, Confidentiality and/or Privacy.


SOC 2 for Startups – A Simple, Straightforward Approach to Compliance

SOC 2 for startups is an interesting topic, as one would think that a small, relatively non-complex environment would make obtaining SOC 2 (or even SSAE 18 SOC 1) compliance easy. Well, yes and no. Don’t you hate the political, middle-of-the-road answer? Truth be told, the yes part of the answer is that working with a small group of professionals, generally located in one physical location, can make SOC 2 for startups easy going. The no part of the answer is that startups generally lack any type of real and meaningful policies, procedures, and processes. Change control processes? Probably not in place. Documented incident response procedures? Probably not well documented! Security awareness training? Hmm, nope, not being done! Get the picture? That’s the yes and no.


SOC 2 Reports | Type 1 & Type 2 | Fixed Fees | Dallas, Houston, Austin, Texas

SOC 2 reports are in high demand today, especially when it comes to the ever-growing number of technology-oriented service organizations that provide critical outsourcing services to other businesses. NDNB provides high-quality, competitively priced, fixed-fee SOC 2 Type 1 and Type 2 reports for Dallas, Houston, and Austin, Texas businesses.

Take a page out of the NDNB playbook for Dallas, Houston, and Austin, Texas businesses, making note of the following best practices and other important criteria regarding SOC 2 reports:

SOC 1 vs. SOC 2

Make sure that your business is performing the “correct” audit when it comes to SSAE 18 SOC 1 and SOC 2. SOC 1 assessments are for service organizations performing ICFR functions, while SOC 2 assessments are aimed at technology companies – data centers, SaaS, IaaS, PaaS, managed services, and others. There is a difference between SOC 1 and SOC 2, and deciding which assessment to perform generally begins with client requests and demands.

Pick the Correct Trust Services Principles

Simply known as the TSPs, there are five (5) of them: 1. Security, 2. Availability, 3. Processing Integrity, 4. Confidentiality, and 5. Privacy. They are each unique in that they assess a specific area within a service organization’s control environment, ranging from processes and procedures to essential services and functions being performed by a company. As to which of the five (5) TSPs to include in your SOC 2 audit – good question – this really comes down to client needs and expectations, along with other variables, such as industry-specific/market needs.


SOC 2 Audits vs PCI DSS Compliance – Introduction and Overview

SOC 2 vs PCI Compliance – Introduction and Overview

As auditors, we’re often asked to provide a comprehensive overview regarding SOC 2 vs PCI compliance. More specifically, businesses that have to undertake both SOC 2 audits and PCI DSS assessments on an annual basis want to learn more about the respective frameworks, what overlaps and mapping of controls exist, pricing, and much more. Well, let’s get started and take a deep dive into SOC 2 vs PCI compliance, compliments of NDNB, one of North America’s leading providers of high-quality, fixed-fee audit services from coast to coast.

An Introduction to SOC 2

System and Organization Controls (SOC) 2 is a comprehensive reporting framework put forth by the American Institute of Certified Public Accountants (AICPA) in which independent, third-party auditors, such as a CPA and/or CPA firm, perform an assessment and subsequent testing of controls relating to the Trust Services Criteria (TSP) of Security, Availability, Processing Integrity, Confidentiality and/or Privacy.


Southern California SOC 2 Auditors – Type 1 & Type 2 Reports – Fixed Fees

In need of a SOC 2 audit, or seeking to learn all about the SOC 2 audit process? Then consider NDNB, California’s leading provider of high-quality, fixed-fee audit services. NDNB also offers comprehensive training resources for all aspects of the AICPA System and Organization Controls (SOC) framework, which consists of SSAE 18 SOC 1, SOC 2 and SOC 3 reporting. Learn more about NDNB’s SOC 2 audit services today at socreports.com, or call Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706 (or email him directly) to learn about NDNB’s fixed-fee SOC 2 audit engagements.

California’s Leading Provider of SOC 2 Audits – Fixed Fees

As California’s leading provider of high-quality, fixed-fee SOC 2 audits, NDNB can help your organization become compliant quickly, comprehensively, and in a cost-effective manner. The SOC 2 audit process doesn’t have to be an extremely laborious, time-consuming and expensive proposition – not at all – especially when utilizing the services of a proven and trusted CPA firm such as NDNB. From offering initial SOC 2 readiness assessments to comprehensive documentation writing services – and more – NDNB is ready to get you compliant, quickly and cost-effectively.


Denver, Colorado SOC 2 Reporting Overview and Framework for Service Organizations

SOC 2 reporting for Colorado businesses in Denver, Fort Collins, Boulder, and other surrounding areas, is offered by NDNB, one of North America’s leading providers of SOC 1, SOC 2, and SOC 3 compliance solutions. SOC 2 reporting, which is part of the AICPA System and Organization Controls (SOC) framework, incorporates the use of what’s known as the Trust Services Principles & Criteria (TSP), which essentially consists of “criteria” based provisions. Simply stated, it’s a comprehensive audit performed on many technology companies regarding their internal control structure.


NDNB Guides North Carolina Businesses Through SOC 2 Type 1 & 2

NDNB leads the way in SOC 2 Type 1 & 2 audits for Charlotte, Raleigh, Durham and other businesses across the state of North Carolina. We know that running a business is hard work, and that’s why NDNB guarantees that your audit will come in on budget and on time.

NDNB goes above and beyond industry standards in regulatory compliance report auditing, ensuring that your clients have the information they need and the assurance that your business meets all state and federal reporting guidelines. Here’s how.

NDNB enters the picture before the audit process begins by offering a scoping and readiness assessment. This process ensures that the internal controls, policies and procedures are in place and that your audit best represents your North Carolinian company.

Once the gaps and deficiencies are found, NDNB is here to provide our clients with a complimentary SOC 2 Policy Packet filled with templates and documents to help remediate those findings; NDNB also provides onsite assistance to help strengthen and formalize your internal controls.

As the SOC 2 auditing process can be overwhelming, NDNB suggests that clients who are new to these compliance reports begin with a Type 1, focused on a specific date in time, and then transition to a Type 2 the following year, which encompasses a testing period of generally six (6) months.

From there, we work with your company every step of the way, ensuring that all standards are met and that your organization remains in compliance so you and your clients can rest easy at night.

We are here to help make what may seem like a daunting process as easy as possible. When your business is ready to take these steps with us, call Christopher G. Nickell, CPA, at 1-800-277-5416, ext. 06, or email him directly to learn more.


SOC 1 SSAE 18 Compliance Auditors | Southern California | Fixed Fees

NDNB is Southern California’s leading provider of SSAE 18 SOC 1 compliance audits, offering fixed fees for both SOC 1 Type 1 and SOC 1 Type 2 assessments for businesses all throughout San Diego, Orange County, Los Angeles, Santa Barbara, and other select locations. With today’s continued growth of massive regulatory compliance mandates, Southern California businesses are being forced to undertake annual audits & assessments – such as SSAE 18 SOC 1 – and NDNB is ready to assist in providing efficient, high-quality, and cost-effective services and solutions.

SOC 1 Compliance Auditors | Southern California | Fixed Fees

One of the most common questions we receive from Southern California businesses is which audit they should be performing, a SOC 1 assessment or possibly a SOC 2 assessment, and it’s a valid question. For clarity, remember that SOC 1 audits are generally imposed on service organizations that have the ability to impact financial reporting on behalf of their clients, such as transactions undertaken that could impact revenue reporting, balance sheet information, cash flow models, etc. As for SOC 2 assessments, they’re aimed directly at businesses that rely heavily on information technology as their core business, such as data centers, SaaS entities, and more.


California SOC 2 Audits – Type 1 & Type 2 Reports – Fixed Fees

In need of a SOC 2 audit, or seeking to learn all about the SOC 2 audit process? Then consider NDNB, California’s leading provider of high-quality, fixed-fee audit services. NDNB also offers comprehensive training resources for all aspects of the AICPA System and Organization Controls (SOC) framework, which consists of SSAE 18 SOC 1, SOC 2 and SOC 3 reporting. Learn more about NDNB’s SOC 2 audit services today at socreports.com, or call Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706 (or email him directly) to learn about NDNB’s fixed-fee SOC 2 audit engagements.

California’s Leading Provider of SOC 2 Audits – Fixed Fees

As California’s leading provider of high-quality, fixed-fee SOC 2 audits, NDNB can help your organization become compliant quickly, comprehensively, and in a cost-effective manner. The SOC 2 audit process doesn’t have to be an extremely laborious, time-consuming and expensive proposition – not at all – especially when utilizing the services of a proven and trusted PCAOB CPA firm such as NDNB. From offering initial SOC 2 readiness assessments to comprehensive documentation writing services – and more – NDNB is ready to get you compliant, quickly and cost-effectively.


SOC 1 SSAE 18 Readiness Assessments for Colorado Businesses – Denver, Boulder, Fort Collins

NDNB provides Colorado businesses with comprehensive SOC 1 SSAE 18 solutions, ranging from in-depth readiness assessments to SOC 1 SSAE 18 Type 1 and SOC 1 SSAE 18 Type 2 reporting. Because of the complexities and time commitments necessary for undertaking annual compliance audits – such as SOC 1 SSAE 18 – Colorado businesses in Denver, Boulder, Fort Collins, and other select regions would benefit greatly from a useful and proactive readiness assessment. They’re brief, highly informative, and provide insightful information for ensuring one’s control environment is ready for an actual SOC 1 SSAE 18 audit.

SOC 1 Readiness Assessments for Colorado Businesses

NDNB’s SOC 1 SSAE 18 readiness assessments effectively encompass the following services and solutions for Colorado businesses:

Processes & Practices: Documentation, such as policies and procedures, is critical, but so are the actual processes and practices that ensure a strong internal control environment actually exists. Identifying weaknesses and a lack of controls – if any – is also a critical component of NDNB’s SOC 1 SSAE 18 readiness assessment for Colorado businesses.


SOC 2 Type 1 Certification | Fixed Fees | Call NDNB

SOC 2 Type 1 certification audits are offered by NDNB, North America’s leading provider of high-quality, competitively priced System and Organization Controls (SOC) assessments. Additionally, SOC 2 Type 1 certification audits performed by NDNB also come complete with a complimentary SOC 2 Policy Packet containing hundreds of pages of critical information security and operational policies, procedures, and much more.

We provide a complimentary SOC 2 Policy Packet for each of our clients! Please note that while the term “SOC 2 certification” is well-known and widely used, it is actually an incorrect statement, as no certification is provided. Rather, a SOC 2 audit is an assessment conducted in accordance with stated AICPA standards, such as the Trust Services Criteria, one that results in the issuance of a SOC 2 report, complete with an attestation.

Here’s what you need to know about SOC 2 Type 1 audits, courtesy of NDNB, North America’s leading provider of SSAE 18 SOC 1 and SOC 2 assessments:

1. SOC 2 Type 1 Audits are a Starting Point: Call it the essential stepping stone process for SOC 2 compliance whereby companies new to internal control audits begin with a SOC 2 Type 1, then subsequently “graduate” and move on to annual SOC 2 Type 2 assessments in future periods. A SOC 2 Type 1 also helps lay the fundamental groundwork for policies, procedures, and processes that will ultimately be assessed during the SOC 2 Type 2 test period.


SSAE 18 SOC 1 Audit Reports Austin, TX, San Antonio, TX | Fixed Fees

SSAE 18 SOC 1 audit reports are available at fixed fees for Austin, TX and San Antonio, TX businesses from NDNB, Texas’ leading provider of SOC audits and compliance services. With years of experience performing regulatory compliance audits and assessments, NDNB has the expertise and knowledge for ensuring an efficient, high-quality audit process from beginning to end. While the SOC 2 assessment standard is highly suitable for many of today’s technology businesses (i.e., data centers, SaaS & cloud computing, etc.), SSAE 18 SOC 1 reporting focuses on the Internal Control over Financial Reporting concept, known simply as ICFR.

SOC 1 Reporting and ICFR – What Texas Businesses Need to Know

Specifically, service organizations providing material services to customers, where such functions have the ability to impact their customers’ financial reporting, are the ideal candidates for SSAE 18 SOC 1 audit reports. Banks, trust departments, actuarial services, third party administrators (TPA) – these are all excellent examples of SSAE 18 SOC 1 audit reporting candidates.


If you as a service organization are working with any type of client-specific data that may be relevant to such clients’ financial reporting, then the SSAE 18 SOC 1 standard is an ideal audit indeed. Since the retirement of the historical SAS 70 audit standard some years ago, SSAE 18 SOC 1 reporting has become the global de facto reporting standard for internal controls relating to financial systems – no question about it – but please keep in mind that SOC 2 is also a viable option, particularly for technology-oriented service organizations.


SOC 2 Type 1 Compliance Audits & Assessments - Fixed Fees

SOC 2 Type 1 compliance assessments & audits are offered by NDNB, North America’s leading provider of high-quality, competitively priced SOC assessments. Additionally, SOC 2 Type 1 compliance assessments & audits performed by NDNB also include a complimentary SOC 2 Policy Packet containing hundreds of pages of critical information security and operational policies, procedures, and much more.


Here’s what else you need to know about SOC 2 Type 1 compliance, courtesy of NDNB:

1. A SOC 2 Scoping & Readiness Assessment is Essential: If you’re new to the world of regulatory compliance, particularly the AICPA SOC 1, SOC 2, and SOC 3 reporting frameworks, then welcome, and don’t forget that a readiness assessment is crucial. Why? Because you’ll want to have an objective, independent assessment of your internal controls BEFORE you even begin to think about performing an actual SOC 2 audit. More specifically, you’ll need to find a proven CPA firm who can help assess audit scope, identify areas of remediation, and provide you with a roadmap for audit success.

SOC 2 Readiness Assessment Fixed Fees

Getting it “right” in terms of SOC 2 compliance means performing a readiness assessment and then assessing, evaluating, and taking necessary action on its findings. Every service organization being required to perform annual SOC 2 audits will no doubt benefit from NDNB’s SOC 2 readiness assessments, so contact Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706, or email him directly today.


SOC 2 Type 2 Reports & Assessments - Southern California - Orange County

NDNB provides Southern California businesses in Orange County, Los Angeles, San Diego – and other SoCal regions – with industry leading SOC 2 Type 2 reports for fixed fees. As industry leaders in the world of regulatory compliance, NDNB has been working all throughout the state of California for years in offering professional services at reasonable fees that all businesses can live with.

Compliance can be an expensive and time-consuming mandate – particularly when it comes to SOC 2 Type 2 reports – so do what other businesses all throughout Southern California have done, and that’s turn to the compliance experts at NDNB.

Want to learn more about SOC 2 – great – then take note of the following critical issues regarding the System and Organization Controls (SOC) framework:

SOC 1 and SOC 2: SSAE 18 SOC 1 assessments are different from SOC 2 assessments, and this you need to know. Yes, they both assess a service organization’s control environment, but SSAE 18 SOC 1 is for businesses providing services that can impact a client’s financials, while SOC 2 is for technology-oriented businesses. You would think that with such a clear distinction between the two (2) reports, picking the right audit would be easy – wrong – and that’s because your clients are often misinformed and misled on which reporting option to choose. The SOC 1 vs. SOC 2 debate continues to rage, but thankfully, clarity and transparency are coming into play as service organizations truly begin to understand the differences.

Since 2006, NDNB has been setting the standard for security & compliance regulations