Security & Compliance Blog

Stay informed on changing compliance regulations


SOC 1 SSAE 18 Standard and 6 Essential Points

1. Say Hello to SSAE 18: The SOC 1 SSAE 18 auditing standard has effectively replaced SSAE 16, which in turn replaced SAS 70 for reporting periods ending on or after June 15, 2011. With this being the case, all interested parties---service organizations in particular---should begin to familiarize themselves with the following six (6) essential points regarding the new AICPA (American Institute of Certified Public Accountants) SOC (System and Organization Controls) reporting platform, as well as SSAE 18, the standard under which these reports are issued.

SSAE 18 represents not only the emergence of a new “attest” standard, but also a new approach to reporting on controls, as witnessed by the SOC framework, which consists of SOC 1, SOC 2, and SOC 3 reports. This new framework, which has effectively replaced the outdated SSAE 16 and SAS 70 auditing standards, provides service organizations and practitioners alike with a considerably broader platform for reporting on controls.

Specifically, SOC 1 SSAE 18 reports focus on the concept of ICFR, or Internal Control over Financial Reporting. SOC 2 reports, on the other hand, have been designed to meet the growing demand for reporting on controls on technology-related entities, such as cloud computing vendors, Software as a Service (SaaS) entities and software development companies, to name a few. SOC 3 reports are similar to SOC 2, as both utilize the Trust Services Criteria (TSC) and can also be effectively used for reporting on controls on the large and ever-growing list of technology-oriented service organizations.

While SAS 70 was a one-size-fits-all auditing standard used for almost twenty years for reporting on controls at service organizations, the SOC framework thankfully now provides entities with true, viable options that are much more reflective of today’s ever-changing business environment. Many would agree the changes were long overdue; hence, the migration from SAS 70 to the new SOC framework has generally been well-received.

2. Say Hello to 3 Reporting Options: If you have undertaken SAS 70 compliance in the past, you would be wise to consider all reporting options under the new AICPA SOC framework, not just SOC 1, but also SOC 2 and SOC 3 reports. Most service organizations may feel compelled to simply migrate towards SOC 1 SSAE 16 (now SOC 1 SSAE 18) reporting, primarily due to the current obscurity of SOC 2 and SOC 3 reports. This obscurity may very well be short-lived as the new AICPA SOC framework becomes much more visible, transparent and better understood by all interested parties.

Remember, the SOC 1 SSAE 18 framework is intended for reporting on controls that have a clear and credible link to the ICFR concept. Meanwhile, SOC 2 and SOC 3 are viable options for today's growing list of technology-related service organizations, such as those described above.


SSAE 18 SOC 1 Introduction Manhattan, New York City, New Jersey, Long Island, Connecticut, and Philadelphia Businesses

Auditing Expertise for PA, NJ, NY, and CT Businesses

Businesses all throughout Manhattan, New York City, New Jersey, Long Island, Connecticut, and Philadelphia can now gain a comprehensive and in-depth introduction and overview of SSAE 18 SOC 1 audits, courtesy of NDNB, one of North America’s leading providers of regulatory compliance services and solutions.

SSAE 18 SOC 1 Overview for Tri-State Area Businesses

Here’s what you need to know about SSAE 18 SOC 1 audits and also how they differ from their well-known sibling – the SOC 2 audit framework – which is being adopted by a large number of technology driven service organizations.
SOC Framework: There are three (3) reporting options under the AICPA Service Organization Control (SOC) platform – SOC 1, SOC 2, and SOC 3. While SOC 1 uses the well-known SSAE 18 standard for performing SOC 1 audits, SOC 2 and SOC 3 use a much lesser-known standard called AT 101. For clarity, just remember that SSAE 18 SOC 1 reporting is an assessment generally conducted on service organizations offering services to clients that can impact financial reporting for such clients.

As for SOC 2, think data centers, cloud service providers, and other technology organizations – they’re prime candidates for this type of assessment. To learn more, call Christopher Nickell at 1-800-277-5415, ext. 706 today.


Introduction to SOC Reports - SOC 1 SSAE 18, SOC 2, SOC 3

Commonly referred to as SOC 1 SSAE 18, SOC 2, and SOC 3, System and Organization Control (SOC) reports are the product of a comprehensive framework put in motion by the American Institute of Certified Public Accountants (AICPA) for reporting on controls at service organizations. Unlike its historical predecessor, Statement on Auditing Standards No. 70 (SAS 70), which was the global "de facto" reporting standard for almost any entity labeled or deemed a "service organization", the SOC framework is an internal control platform aimed at clarifying and bringing to light much needed transparency for reporting on controls at service organizations.

SOC 1 SSAE 18, SOC 2 and SOC 3 – 7 Things You Need to Know for Auditing Success

1. Define Scope: Right out of the gate, one of the most fundamentally important initiatives to tackle for SOC compliance is identifying, assessing, and confirming audit boundaries – the processes, systems, people and locations that will be assessed for compliance. Nobody likes the dreaded “scope creep” scenario, so plan accordingly and proactively, and you’ll be on your way to a highly successful audit. Without proper scoping defined – which is one of the single biggest reasons audits turn into a nightmare, and it’s why a scoping & readiness assessment is a must – your audit can quickly spiral out of control and become unmanageable.


SOC 2 Audits & Reports for Houston, TX Businesses

SOC 2 audits & reports for Houston, TX businesses are offered by NDNB, Texas’ leading provider of regulatory compliance assessments and consulting services, such as SOC 1 SSAE 18, SOC 2, PCI DSS, HIPAA assessments, and more. With today’s growing compliance mandates, it’s time to choose a proven provider of professional, fixed-fee services, a firm with a deep record of integrity and value in the Lone Star State, and that’s NDNB!

Houston’s Leading Provider of SOC 2 Compliance Audits

SOC 2 audits are becoming a mainstay in the world of regulatory compliance – and for good reason – as businesses are seeking assurances regarding a service organization’s control environment, such as those relating to documented policies, procedures, and processes. The world we live in today is full of outsourcing – a trend that’s no doubt going to continue – therefore the need for a well-known due diligence assessment, such as SOC 2, has taken firm root. If you’re a service organization in Houston – or any other city in Texas – and providing critical third-party services to other businesses, then expect the SOC 2 mandate to come calling.


SOC 1, SOC 2, SOC 3 Reports & Assessments Overview - 7 Things you need to Know

AICPA SOC 1, SOC 2, and SOC 3 reports & assessments are becoming increasingly more common in today’s business arena as service organizations now effectively have three distinct reporting options to choose from. With a global economy that’s becoming more efficient, scalable – and extremely reliant on technology – SOC reports & assessments are now being performed on thousands of businesses throughout the world as customers are demanding assurances of a service organization’s internal controls.


SOC 2 Type 1 & Type 2 Audit Reports | Los Angeles, California

NDB Accountants & Consultants, LLP (NDB), one of California’s most well-established compliance firms, offers high-quality, fixed fee pricing for SOC 2 Type 1 and Type 2 assessments. With the growing regulatory compliance drumbeat getting louder each year, businesses are having to undergo annual SOC 2 Type 1 and SOC 2 Type 2 assessments, so turn to the experts today at NDB, leading providers of audit and advisory services to California businesses for more than a decade. We offer the entire spectrum of SOC 2 services, from SOC 2 readiness assessments to remediation services & solutions, along with SOC 2 Type 1 and Type 2 audits. Additionally, we also offer numerous supporting compliance services, such as those for HIPAA, PCI DSS, FISMA, and more. Call and speak with CPA Christopher Nickell at 1-800-277-5415, ext. 706 to learn more.

SOC 2 Type 1 & Type 2 Audit Reports | Los Angeles, California
One of the biggest and most time-consuming mandates regarding SOC 2 compliance is providing auditors with various information security policies and procedures for showcasing an organization’s system of internal controls. The problem, however, is that most companies simply lack this type of documentation, as well as the internal resources for developing all necessary policies and procedures. NDB can assist, which is why businesses turn to us for regulatory compliance, and so should you. As trusted leaders in the world of regulatory compliance, NDB offers the following SOC 2 services to California businesses:


AICPA SOC 1, 2, and 3 | Reports and 5 Things You Need to Know

Out with the old and in with the new! With the replacement of the outdated SAS 70 auditing standard (which was in place for nearly two decades), AICPA SOC reports are becoming increasingly more common. Service organizations now have three distinct reporting options---and with this noteworthy change, it is important to take note of the following items regarding these options:

1. It’s a SOC world after all. The all new SOC (Service Organization Control) platform represents a monumental shift initiated by the American Institute of Certified Public Accountants (AICPA). In an effort to modernize and take a more global approach to service organization reporting, the aging SAS 70 auditing platform has been replaced in favor of SSAE 16, under the umbrella of the SOC framework. Within this framework are three reporting options---SOC 1, SOC 2 and SOC 3. The ISAE3402 reporting option serves as an international equivalent to SSAE 16, which is the de facto standard for compliance reporting.


SOC 2 Type 1 & Type 2 Audit Reports | Orange County, California

SOC 2 Type 1 & SOC 2 Type 2 audits for Orange County, California service organizations are available from NDB Accountants & Consultants, one of California’s most well-respected and highly regarded audit and advisory firms. For more than a decade, NDB has been helping California businesses chart the rough waters of regulatory compliance, so turn to us for expert advice, along with fixed fee pricing for all SOC 2 audit services.

As for SOC 2 Type 1 & Type 2 reports, these are assessments geared specifically towards today’s growing number of information technology entities, those such as data centers, SaaS reporting, managed services providers, Internet Service Providers (ISP), and many others. While companies often look upon the SSAE 16 SOC 1 reporting platform as an option, keep in mind that technology oriented companies should be utilizing SOC 2 for reporting. The simple, straightforward solution is contacting Chris Nickell today at 1-800-277-5415, ext. 706, to learn more about SOC 2 compliance and receive a competitively priced, fixed fee.

SOC 2 Type 1 & Type 2 Audit Reports | Orange County, California
It’s important to understand 3 critical components for SOC 2 audit success for Orange County, California businesses: (1) scope is critical; (2) determining which of the five (5) Trust Services Principles (TSP) to include within a SOC 2 audit; (3) information security policies and procedures are critical for SOC 2 audit success.

SOC 2 Type 1 & Type 2 Audit Reports | Orange County, California | 3 Key Points
As for scope, Orange County service organizations will need to assess and ultimately determine what business functions are to be included with their SOC 2 reporting. More specifically, is it the entire company’s processes, or is it a certain segment within one’s business? This is critical for obvious reasons, such as SOC 2 pricing, along with internal operational commitments for undertaking and completing the audit itself. The larger the scope, the larger the fee and the more you’ll be spending on the audit, thus it’s important to strike a balance between cost and what your clients are looking for in terms of SOC 2 reporting.

SOC 2 Type 1 & Type 2 Audit Reports | Which Trust Services Principles (TSP)?
Most service organizations obviously include the “Security” Trust Services Principle (TSP) and then decide which of the remaining four (4) to include within a SOC 2 audit, and this is where expert recommendation from your auditor is very helpful, so contact Christopher Nickell today at 1-800-277-5415, ext. 706. As for the actual TSP’s, they consist of the following:

  • Security
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy

Furthermore, regardless of which of the five (5) TSP’s are included within the scope of a SOC 2 report, one thing’s for certain – information security policies and procedures are essential for SOC 2 compliance. That’s right, documentation is a very large part of any SOC 2 audit, and it’s why NDB provides a complimentary SOC 2 Policy Packet to each of our clients. The SOC 2 Policy Packet provides literally hundreds of pages of professionally researched and written, easy-to-use documentation that helps Orange County service organizations save thousands of dollars on compliance costs. From access control policies to change management, risk assessment templates, security awareness training manuals – and more – the NDB SOC 2 Policy Packet is a must have for Orange County businesses.


SOC 2 Type 1 & Type 2 Audit Reports | Charlotte, Raleigh, North Carolina

SOC 2 Type 1 & SOC 2 Type 2 audits for Charlotte, Raleigh | Durham, North Carolina businesses – and other surrounding areas – are offered by NDB Accountants & Consultants, LLP (NDB), the Carolinas’ leading provider of high-quality, competitively priced compliance services. From SOC 2 readiness assessments to the actual SOC 2 onsite audits, NDB has built a lock-step framework consisting of highly efficient phases and deliverables resulting in audits that are on time and on budget – nothing less. Call and speak with Christopher G. Nickell, CPA, at 1-800-277-5416, ext. 706 to learn more.

NDB also has built a highly efficient, lockstep process for SOC 2 audits for North Carolina businesses that consists of the following:

1. SOC 2 Scoping & Readiness Assessment. If you want to avoid the dreaded “scope creep” and associated cost overruns, conduct a SOC 2 readiness assessment from a reputable CPA firm, one that provides true insight and value into your internal control environment. NDB’s SOC 2 readiness assessment examines a service organization’s internal control environment, related policies and procedures, and much more. When done correctly, a SOC 2 readiness assessment is extremely valuable. Additionally, another benefit of NDB’s SOC 2 readiness assessment for North Carolina businesses is identifying what business processes are included for the audit, what physical locations, and the supporting personnel – all of which are significant items that require examination and confirmation. After all, “cost-containment” is essential for today’s compliance audits, and a readiness assessment helps achieve this.

2. SOC 2 Remediation & Implementation. Once the gaps and deficiencies are found – and every company has them – it’s time to roll up the sleeves and begin remediating all findings, which often means developing comprehensive documents and strengthening internal control activities. NDB provides complimentary SOC 2 Policy Packet documents to each of our valued clients, helping them save thousands of dollars and hundreds of hours on critical remediation issues. Additionally, NDB provides onsite assistance for strengthening and formalizing internal controls, ranging from general I.T. issues to daily operational best practices.

3. SOC 2 Testing and Compliance. While SOC 2 Type 1 assessments are for a specific date in time, such as August 27, 20xx, SOC 2 Type 2 reporting encompasses what’s known as an actual test period – generally six (6) months. Many service organizations begin by conducting a SOC 2 Type 1, then move towards annual SOC 2 Type 2 compliance, so speaking with a well-qualified CPA firm that’s been providing years of service to Charlotte, Raleigh | Durham, North Carolina businesses is a smart move.

4. Report Issuance. Once the heavy lifting and hard work has been done by both NDB and your internal personnel, the next step is putting together all the pieces of the puzzle for drafting the SOC 2 report. This means putting the documentation through an incredibly extensive quality assurance program, and once that’s complete, it’s time to move forward with an official closing meeting and discuss all administrative items for effectively “closing out” the audit for the current year.

SOC 2 Type 1 & Type 2 Audit Reports | Charlotte, Raleigh, North Carolina
When it comes to providing North Carolina businesses with the very best SOC 2 services – high-quality assessments for fixed fee pricing – the only name you need to know is NDB. Call and speak with Christopher G. Nickell, CPA, at 1-800-277-5416, ext. 706 to learn more.


SOC 2 Type 1 & Type 2 Audit Reports | Washington DC, Baltimore, Northern Virginia

NDB offers comprehensive SOC 2 Type 1 and SOC 2 Type 2 audit reports for businesses in and around the Washington, DC, Baltimore, and Northern Virginia metropolitan area. From SOC 2 readiness assessments to policy writing, along with conducting the actual assessment itself, NDB is your total solution provider for today’s demanding regulatory compliance services, such as SOC 1, SOC 2, and much more.

The Washington, D.C., Baltimore, and Northern Virginia metropolitan region is an absolute mecca for information technology, entrepreneurship, start-ups, and more, and it’s actually known as the second Silicon Valley. With all the technology placed into one regional area, the demand for regulatory compliance mandates has absolutely skyrocketed, and understandably so, as many of these businesses provide services to the federal government and other big corporations. Unfortunately, regulatory compliance is not generally high on the “to do” list with many businesses – but that’s all changed – thanks largely to the growth of cybersecurity concerns and threats for the North American economy.

The result – enter the politicians, pundits, and regulators who now are pouring out laws and regulations at a pace never seen before. It means that SOC 2 compliance is now a mandate for many Washington, DC, Baltimore, and Northern Virginia metropolitan area businesses, so now’s the time to learn in-depth details about the SOC 2 framework, courtesy of NDB, North America’s leading provider of SOC 2 compliance audits.

SOC 2 Type 1 & Type 2 Audit Reports | Washington DC, Baltimore, Northern Virginia
From nonprofits in the District of Columbia to technology startups in Reston, VA, wherever you are in the Washington, D.C., Baltimore, and Northern Virginia metropolitan region, NDB is ready and willing to assist with your growing compliance needs. We’re often asked what it takes to become SOC 2 compliant – a checklist, that is – for ensuring an efficient process from day one.

Let’s take a look at the following elements for helping you gain a greater understanding of SOC 2 Type 1 and SOC 2 Type 2 reports:

AICPA Framework: The American Institute of Certified Public Accountants (AICPA) – in an effort to align their reporting framework with internationally driven standards, while also putting to rest the often misused SAS 70 auditing standard – launched the AICPA Service Organization Control (SOC) reporting platform in 2011. It was a much-needed change, one that allowed the AICPA to keep pace with the ever-changing and complex global business environment, where the use of third-party services continues to grow rapidly. The SOC framework has three (3) reporting options – SSAE 16 SOC 1 assessments, SOC 2 assessments, along with SOC 3 assessments. As a service organization, you’ll need to be cognizant of the SOC background for ensuring the “correct” audit is chosen - which often is the source of confusion that’s fueling the SOC 1 vs SOC 2 debate!

Readiness Assessment: Want to gain a greater understanding of your control environment and learn about important issues and gaps that require immediate attention prior to the actual SOC 2 audit? Then it’s critical to undertake a SOC 2 readiness assessment with NDB – a highly beneficial and proactive exercise for ensuring all necessary gaps, deficiencies and internal control failures are corrected before the audit begins. It’s not just another expense or added fee to the SOC 2 process – rather – a readiness assessment is a long-term investment yielding substantial savings in terms of operational man-hours for years to come.

Trust Services Principles: Simply known as the TSP’s, the Trust Services Principles are the criteria-based provisions which form the very fabric of a SOC 2 assessment, and they include the following: (1) Security, (2) Availability, (3) Processing Integrity, (4) Confidentiality, and (5) Privacy. While the vast majority of service organizations do NOT assess against all five (5) of the TSP’s, you’ll no doubt need the expert advice of a well-qualified CPA firm – such as NDB – in helping to determine which of them to include in the scope of your SOC 2 assessment. Call and speak with CPA Christopher G. Nickell today at 1-800-277-5415, ext. 706 to learn more.

Business Processes: It’s also important to pick and choose what specific business functions and services are going to be included within the scope of a SOC 2 assessment – the entire organizational service offerings, or just a micro-component of what your business offers? The greater the scope, the larger the audit cost, the longer it will take to complete, and the more likely that control deficiencies will be found in the report.

Remediation: Fixing problems under the hood – as the old saying goes – is without question one of the most important things to be accomplished during the SOC 2 auditing process. Look, every business will have some type of remediation to perform – some more than others – from updating policies to making system enhancements. Not only is remediation necessary for hopefully achieving a clean bill of health during the audit process, it’s also a best practice for helping secure critical organizational assets. NDB provides comprehensive remediation services, from policy writing to system configuration procedures – and more – so let’s talk today.

Washington DC, Baltimore, Northern Virginia SOC 2 Audit Experts
Talk to the trusted SOC 2 experts today at NDB when it comes to superior services and fixed fee pricing for Washington DC, Baltimore, and Northern Virginia businesses. Call and speak with CPA Christopher G. Nickell today at 1-800-277-5415, ext. 706 to learn more.


SOC 2 Type 1 & Type 2 Audit Reports | DC, Maryland, and Northern Virginia

SOC 2 Type 1 & SOC 2 Type 2 audits for Washington, DC, Maryland, and Northern Virginia businesses are available from the global compliance experts at NDB Accountants & Consultants, LLP (NDB). With years of working in the DC metro area, NDB has built a household name and also a reputation as a firm that provides exceptional service, along with reasonably priced, fixed-fee SOC 2 assessments. Compliance mandates – be it from the halls of the mighty U.S. Congress to industry specific mandates – are just going to continue to grow aggressively as the digital world moves ever forward with new products and technologies. It means that businesses in the tech rich industry within Washington, DC, Maryland, and Northern Virginia can be expected to see continued requests for annual SOC 2 assessments.

Outside of Silicon Valley, the Washington, DC, Maryland, and Northern Virginia region is considered possibly the world’s premier technology area, even surpassing highly coveted Silicon Valley, according to some experts. As a result of such massive technology in one region, it’s brought about huge compliance mandates, particularly for SOC 2 reporting. From managed services providers to data centers, cloud computing – and more – companies in the Washington, DC, Maryland, and Northern Virginia region are turning to NDB for such services, so call and speak with Christopher G. Nickell at 1-800-277-5415, ext. 706 today.

NDB offers the following SOC 2 services to the greater Washington, DC, Maryland, and Northern Virginia area:

1. SOC 2 Readiness Assessments: Understanding one’s entire landscape for purposes of SOC 2 reporting is critical, and it’s why Washington, DC, Maryland, and Northern Virginia service organizations should conduct a SOC 2 readiness assessment. Look upon it as a proactive and insightful exercise for learning about your control environment and what weaknesses exist. As for weaknesses and gaps, think policies and procedures – that’s right – documentation is highly critical for SOC 2 compliance and NDB provides a complimentary SOC 2 Policy Packet to our valued Washington, DC, Maryland, and Northern Virginia client base. After all, who really wants to spend hundreds of hours writing compliance documentation? It’s just one of many reasons why Washington, DC, Maryland, and Northern Virginia businesses turn to NDB for SOC 2 compliance.

2. SOC 2 Remediation: Becoming compliant with SOC 2 often means climbing some big hurdles in terms of remediation, such as developing comprehensive security policy documentation, along with making system changes to critical I.T. resources. NDB has years of experience working with service organizations in both authoring technical documents, along with enhancing system settings, and we have in-depth documentation available for both mandates. From our highly coveted SOC 2 Policy Packet – free to all NDB clients – along with detailed provisioning forms and checklists, we have Washington, DC, Maryland, and Northern Virginia businesses covered when it comes to SOC 2 remediation.

3. SOC 2 Type 1 and Type 2 Assessments: SOC 2 Type 1 assessments are a great “stepping stone” towards SOC 2 Type 2 compliance. After all, most businesses are interested in a service organization’s internal control environment over a defined period – such as six (6) months, or longer – and this is exactly what SOC 2 Type 2 audits are intended for.

4. Other Regulatory Compliance Services: NDB offers much more than just SOC 2 compliance for Washington, DC, Maryland, and Northern Virginia businesses; we also provide SSAE 16 SOC 1 compliance reporting, along with PCI DSS certification, HIPAA compliance, and much more. Additionally, we offer numerous national security and federal compliance services. It’s a complex and highly charged, bureaucratic world we live in, so turn to the experts in the nation’s capital for SOC 2 compliance, or any other type of regulatory mandate that applies to your company.

5. Fixed-Fees for Multi-Year Contracts: Providing annual assessment reports – such as SOC 2 audits – to clients means it just makes sense to find a high-quality, proven, and well-known CPA firm with which you can partner for years. After all, why make changes from one auditor to another, as this just results in operational headaches and cost overruns? NDB offers fixed fees for multi-year engagements, ultimately saving Washington, DC, Maryland, and Northern Virginia businesses thousands of dollars and hundreds of internal man hours due to our audit efficiencies each year. Call Christopher G. Nickell at 1-800-277-5415, ext. 706 today to learn more.


SOC 2 Type 1 & Type 2 Audit Reports | Dallas, Texas

SOC 2 Type 1 & SOC 2 Type 2 audits for Dallas, Texas businesses are available from North America’s leading regulatory compliance experts, and that’s NDB Accountants & Consultants, LLP (NDB). The Dallas, TX economy is booming like no other city, creating thousands of jobs and immense opportunities for all, yet big compliance mandates also come along with such success. Technology is a big part of Dallas’ growth, and SOC 2 audits are in great demand for the likes of cloud computing providers, data centers, and more.

NDB offers the following SOC 2 services to the greater Dallas-Fort Worth (DFW) Metroplex area:

SOC 2 Readiness Assessments: It’s important for Dallas businesses to clearly assess and understand critical SOC 2 issues relating to cardholder data scope, policies and procedures documentation, and more. Companies are generally quite good at what they do – after all – you wouldn’t be in business, right? Unfortunately, documentation is often lacking for many businesses, and it’s why a readiness assessment is critical for identifying such gaps and policy weaknesses.

SOC 2 Remediation: Every company will have at least some element of remediation necessary for ensuring a successful SOC 2 assessment. While some service organizations have a highly mature control environment, others will have to develop comprehensive policies, procedures, and processes as part of one’s remediation efforts. Interestingly, most businesses that require remediation are in need of documentation – specifically – information security policies and procedures, and it’s why NDB provides each client with our industry leading SOC 2 Policy Packet.

SOC 2 Type 1 and Type 2 Assessments: Ultimately, what many of your clients want from you is an annual SOC 2 Type 1 and SOC 2 Type 2 report, and NDB provides such services for fixed fees, along with offering our well-known SOC 2 Policy Packets. Remember something very important – documentation is a critical component of regulatory compliance, so turning to NDB and utilizing our SOC 2 Policy Packets – which are complimentary to every one of our clients – is a smart move.

Fixed-Fees for Multi-Year Contracts: Deciding on an auditing firm, then engaging with them for multiple years, is a big financial commitment, no question about it. With that said, NDB offers highly competitive, fixed-fee pricing for multi-year contracts for SOC 1 assessments. Look, no one really wants to change auditors every year – that can be an operational nightmare – so finding and choosing a firm that provides exceptional service and pricing is critical, and that’s exactly what NDB offers. Contact Christopher Nickell, CPA, at 1-800-277-5415, ext. 706 today to learn more.

As stated earlier, policies and procedures are a big part of SOC 2 compliance, often requiring companies to spend thousands of dollars on policy writing experts, which is another reason service organizations in the Dallas, TX metroplex turn to NDB. With years of experience writing information security policies and procedures, NDB can help businesses save hundreds of hours and large sums of money on SOC 2 compliance.

SOC 2 Type 1 & Type 2 Audit Reports | Dallas, Texas
If you are in search of a high-quality, well-recognized CPA firm in Dallas that provides superior service and fixed-fee pricing for SOC 2 assessments, talk to the experts today at BNO. We call it Texas straight talk, and that means being open, honest, and upfront about your needs, what we can provide, and how both parties can work together. Whatever your regulatory compliance needs are – from SOC 2 audits to PCI DSS certification, HIPAA compliance, FISMA and NIST consulting, and more – the regulatory compliance experts at BNO are ready to assist in every way possible. Our team of experts is well-trained, knowledgeable, and incredibly competent, so contact us today to learn more. Call and speak with Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706, or email him.


SSAE 16 Summary | 4 Important Points you Need to Know from NDNB Accountants & Consultants

Need a quick SSAE 16 summary or primer on the new standard put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA)? If so, take note of the following SSAE 16 summary areas:

1. SSAE 16 has effectively replaced SAS 70. SAS 70, which was put forth in April of 1992, is no longer an auditing standard in use. This is critically important, as it represents one of the most significant changes in reporting on controls for service organizations. For the first time in almost twenty years, we have a new "attest" standard for reporting.

2. SSAE 16 is part of a much bigger, broader change. That's right, not only did SSAE 16 replace SAS 70, but an entirely new reporting platform for service organizations has been introduced. Known as Service Organization Control (SOC) reports, this platform lets organizations opt for SOC 1, SOC 2, and/or SOC 3 reporting.

3. Learn about the new SOC reporting options. The new AICPA alphabet of reporting on controls at service organizations can seem a little confusing, but for an ounce of clarity, try to remember the following for your SSAE 16 summary primer:

  • SOC 1 reports are to use the SSAE 16 standard and should generally be issued when there is a true and credible link or "nexus" to the internal control over financial reporting (ICFR) concept.
  • SOC 2 and SOC 3 reports are a great choice for the growing number of cloud computing and Software as a Service (SaaS) based entities.

4. Learn about the written statement of assertion and the description of the service organization's "system". In short, the written statement of assertion requires management to effectively "assert" to a number of clauses regarding the actual assessment performed by a practitioner (i.e., CPA). Additionally, the description of the "system" requires management of the service organization to comprehensively document their "system". That's a brief SSAE 16 summary for you, so if you want to learn more about Statement on Standards for Attestation Engagements No. 16, visit the official SSAE 16 Resource Guide, developed by NDNB Accountants & Consultants, a nationally recognized IR CPA firm. Lastly, if you are in need of SSAE 16 services at a competitive, fixed fee, contact NDNB directly at 1-800-277-5415, ext. 706.


SSAE 16 Certification is NOT a Correct Phrase and here’s why!

SSAE 16 Certification is a phrase I keep hearing over and over again. It’s not really a huge issue, but for an ounce of technical clarity, there is no such thing as SSAE 16 certification, just as there was no such thing as SAS 70 certification. Both of these phrases were born out of a true misunderstanding of the historical SAS 70 auditing standard and the current SSAE 16 attest standard. Technically speaking, SSAE 16 is an attestation standard put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA), which a practitioner (i.e., service auditor) uses to perform an attest engagement for a service organization, resulting in the issuance of a service auditor’s report on controls.

There is no designation, certification, award, confirmation, or any other type of validation for an actual SSAE 16 assessment. It’s best to say that a service organization simply undertakes an assessment in accordance with the SSAE 16 standard, resulting in the issuance of a report with a stated opinion, generally unqualified, by a CPA firm as part of the report. So, if you hear the term SSAE 16 certification, you can politely remind your colleagues or other interested parties that this is technically incorrect. With that said, if your organization is seeking a well-qualified, cost-effective provider for SSAE 16 assessment services, then contact NDB Accountants & Consultants, a nationally recognized IR CPA firm, at 1-800-277-5415, ext. 706. Additionally, if you want to learn more about SSAE 16, visit the official SSAE 16 Resource Guide, developed by NDB, where you can learn more about the following essential information:


SOC 1 (SSAE 16) vs. SOC 2 (AT Section 101) | Hey, SOC 2, Where are You?

Service Organization Control (SOC) Reports, more commonly known as SOC 1, SOC 2, and SOC 3, represent, as you may well be aware by now, the new framework put forth by the American Institute of Certified Public Accountants (AICPA) for reporting on controls at service organizations.

SOC 1 is essentially tied to service organizations for which reporting is ICFR based, that is, internal controls related to financial reporting. SOC 2 and SOC 3, however, represent a sincere and genuine attempt by the AICPA to meet the growing demands and complexities of reporting on controls for service organizations OUTSIDE of ICFR. In essence, it's a move to correct the misguided efforts by many who used the SAS 70 standard in an incorrect manner. Will it work? Well, the early signs are not that encouraging, as I've seen recent press releases for data centers and managed services entities becoming SSAE 16 "certified" or "compliant".

And by the way, the terms "certified" and "compliant" are grossly incorrect, and you can learn more about how this has really irked the AICPA. Did they simply forget about SOC 2 and SOC 3? Are their clients simply sold on the merits of out with the one standard (SAS 70), in with the new (SSAE 16), without being educated on the SOC framework? Have we as CPAs, along with the AICPA, not done enough to educate service organizations?

Well, I think it's a little of everything. I'm still hopeful that this "problem" will correct itself. I can already see the technical arguments, or rather, excuses, for issuing an SSAE 16 Type 1 or Type 2 report for a data center, managed services entity, or some other cloud type infrastructure... and here they are: "Well, that's what our clients wanted, so we used the SSAE 16 standard". Or how about this one, which I'm hearing a lot of: "Hey, if the controls are 'likely relevant' to ICFR, then we can issue an SSAE 16 Type 1 or Type 2". Or, the one that takes the cake is this one: "Nobody is taking SOC 2 and AT Section 101 seriously yet, so for now, I'll just fall in line and do what most other firms are doing and go right from SAS 70 to SSAE 16".


SOC 3 Reports and Trust Services Principles

SOC 3 Reports also address Reporting on Controls relevant to Security, Availability, Processing Integrity, Confidentiality, and Privacy in accordance with general predefined criteria within the Trust Services Principles. Please note that these reports are to be prepared using the AICPA and the Canadian Institute of Chartered Accountants (CICA) Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy.

The framework for the Trust Services Principles has been around for quite some time, yet curiously, it never really caught on as many would have imagined. A SOC 3 report is also considered a general use report and comes with a public seal. And much like SOC 2 reports, SOC 3 reports also use AT Section 101 as the professional standard for service auditor guidance. It will be interesting to see in the coming years how notable SOC 3 reports become in comparison to SOC 1 and SOC 2 reports.

To learn more about SOC 3 reporting standards and all other regulatory compliance services provided, please contact Chris Nickell, CPA, at 1-800-277-5415, ext. 706.


SOC 2 Reports and AT Section 101 | Reporting on Controls Relevant to Security, Availability, Processing Integrity, Confidentiality, and Privacy

SOC 2 reports, which will come to be known as Reporting on Controls Relevant to Security, Availability, Processing Integrity, Confidentiality, and Privacy, are to be conducted in accordance with AT Section 101. Thus, SOC 2 will effectively insert itself as the primary reporting option to be used by service organizations reporting on controls outside the scope of financial reporting. In simpler terms, Software as a Service (SaaS) companies, software development entities, cloud computing organizations, data centers, managed services, and many more will be using the SOC 2 framework for reporting on controls. And much like SOC 1 reporting, a service organization can be issued one of two (2) types of SOC 2 reports, a Type 1 and a Type 2.

If you stop and think about it, this is quite significant for a number of reasons. First and foremost, the SOC 2 framework is specifically geared towards the exponential growth of technology and security related service organizations, many of which provide outsourcing services to user entities. Second, it hopefully will correct a huge misunderstanding within the business community at large: the myth that SAS 70 was an all-in-one reporting standard for any type of service organization. As you now know, this is simply untrue, and we now have an acceptable and viable reporting option for controls outside the scope of financial reporting.

Lastly, SOC 2 reports are designed to address generally the following key system attributes and traits:

  • Availability: That the system is available for operation and use as committed or agreed.
  • Security: That the system is protected against unauthorized access, both physically and logically.
  • Processing Integrity: That system processing is complete, accurate, timely, and authorized.
  • Confidentiality: That the information held by an organization is securely protected.
  • Privacy: That personal information is protected.

As a service organization, you will need to evaluate your current compliance requirements and commitments to your customers and start to ask yourself which reporting option "we" fall under: SOC 1, SOC 2, or even SOC 3? If you have been receiving SAS 70 audit reports from your CPA firm in the past, what do your customers expect in the future? More importantly, what is the correct SOC reporting framework that "we" should adhere to? NDB Accountants and Consultants can help answer these pressing questions regarding the new compliance requirements within the SOC framework.

When you add it all up, phrases like SOC 1, SOC 2, SOC 3, SSAE 16, and AT Section 101 can become quite confusing. Get the facts and speak to an expert. Call Chris Nickell, CPA, directly at 1-800-277-5415, ext. 706 to get the answers you need. Furthermore, you can email Chris directly.

Since 2006, NDNB has been setting the standard for security & compliance regulations