
Businesses in Denver and all throughout Colorado and the Rockies can now gain a comprehensive introduction and overview of SOC 1 SSAE 18 audits, courtesy of NDNB, Colorado’s leading provider of SOC 1, SOC 2, and SOC 3 assessments. With regulatory compliance mandates growing larger and larger each year for Colorado businesses – especially when it comes to SOC 1 SSAE 18 compliance, SOC 2, PCI DSS, FISMA, HIPAA, and ISO mandates – a proven and trusted firm is needed for navigating the rough waters of compliance.

NDNB also offers comprehensive SOC 1 and SOC 2 audits for businesses using Amazon AWS, Microsoft Azure, and Google GCP. And if you're using AWS to host your production environment, here's what you need to know NOW about SOC 2 audits.

NDNB is that very firm, offering exceptional service and fixed fee pricing on all engagements. Colorado’s tech industry is experiencing massive growth – which is great for our state – but it also means large regulatory compliance mandates are looming just around the corner, so get prepared and talk to the experts today at NDNB.

We’re a Household Name in the Rockies for Regulatory Compliance

NDNB has spent years offering regulatory compliance services and solutions to businesses all throughout the state of Colorado, and with the growing technology corridor in Denver and Boulder, our services are expanding as well. Whatever your compliance needs are, from SOC 1, SOC 2 and SOC 3 audits to FISMA compliance, we’ll be with you every step of the way to ensure an efficient and comprehensive audit process from beginning to end – that’s the NDNB difference.

SOC 1 Essentials Colorado Businesses Need to Know

Want to ensure an efficient and cost-effective SOC 1 SSAE 18 audit process from beginning to end? Then take note of the following points:

SOC Framework: The AICPA SOC framework – which technically stands for System and Organization Controls (SOC) reports – was put forth due to a number of changes facing the world of third-party assurance reporting. First, the now defunct SAS 70 standard was largely being misused, and advances in business processes and technology necessitated a new reporting tool. Finally, globally accepted accounting principles, such as those from IFAC and its ISAE 3402 framework (similar to SSAE 18), were on their way.

Enter the SOC framework, which offers three (3) different reports: SOC 1, SOC 2, and SOC 3. While SOC 1 is for financially driven entities (those that can impact their client’s financials), SOC 2 and SOC 3 are for technology minded service organizations.

ICFR Concept: ICFR officially stands for “Internal Controls over Financial Reporting,” and it’s a concept closely associated with service organizations whose business activities have the ability to impact their clients’ financial reporting. Thus, any type of business involved in activities closely associated with the ICFR concept should be utilizing the SOC 1 reporting option, which in turn relies on the SSAE 18 AICPA professional standard for the assessment itself. SOC 2, conversely, is largely about technology and has been developed to help assess the likes of data centers, SaaS entities, cloud computing, and the dozens of other technology sectors currently in the marketplace.

Scope Considerations and Control Objectives: SOC 1 SSAE 18 audits can be challenging, time-consuming, and operationally taxing, and that’s why Colorado service organizations new to SOC compliance should always undertake an initial readiness assessment. Conducted by expert auditors at NDNB, our SOC 1 SSAE 18 readiness assessment helps assess audit scope, internal control and documentation deficiencies, along with best practices in today’s world of cybersecurity. Hey, we’re more than auditors – that’s right – we’re about helping ensure the safety and security of an organization’s environment in the complex world we all live in.

SOC 1 or SOC 2 Reporting: There seems to be quite a bit of chatter going on in the auditing world regarding SOC 1 vs. SOC 2 – specifically, which assessment should a Colorado service organization undertake, and why? As just discussed, SOC 1 SSAE 18 reporting is “technically” geared towards entities that exhibit a true relationship with ICFR, while SOC 2 reporting is for many of today’s emerging technology industries and sectors. Is this straight-and-narrow advice always followed? No – various factors come into play, forcing service organizations to undertake an assessment that is not ideally the correct reporting option.

Documentation: What’s the most important component of a SOC 1 SSAE 18 audit? Providing the auditor with all the necessary audit evidence as requested, which at times can be a comprehensive list of items. For simplicity, remember that auditors often ask for the following: policy documentation, screenshots from various information systems, reconciliation reporting, memos signed by management, log books and records, and much more. Hey, it’s an audit, after all, which means documentation is the key, so expect to provide this to your auditors.

Policy Documents: While SOC 1 SSAE 18 audits are technical in nature – and all require a good bit of operational testing of controls – please don’t forget that the biggest set of deliverables for such audits are policy documents. More specifically, security policies and procedures, operational documents, and other supporting materials are high on the list of auditor demands, no question about it.

Service Organization Requirements: With all that’s being discussed regarding SOC 1 SSAE 18 compliance for Denver, Colorado businesses, it’s also important to note that management of the service organization (i.e., the company undergoing the actual audit) will need to develop and provide the following two materials: (1) a Description of the System and (2) a Management Assertion. Both of these items can be explained in greater detail by the experts at NDNB, so please contact Christopher G. Nickell, CPA, at 1-800-277-51415, ext. 706, to learn more, or email him today.

Common Challenges and Roadblocks for SOC 1 SSAE 18 Audits

Yet even with all the advice, recommendations, and best practices provided to service organizations, SOC 1 SSAE 18 audits can become challenging due to the following:

  • Poor planning and understanding of critical facets of the audit, such as testing, scoping parameters, and more.
  • Clear lack of security policy documentation and other operational policies and materials, all of which are essential for mandated audit evidence.
  • Failing to perform a SOC 1 SSAE 18 readiness assessment BEFORE the audit, as it’s often seen as just another expense, with minimal ROI.

NDNB – Colorado’s Premier Provider of SOC 1 & SOC 2 Audits

From Boulder to Colorado Springs – and all other areas throughout the greater Denver metropolitan area – NDNB provides superior audit services, coupled with reasonable fixed fees, so speak with Christopher G. Nickell, CPA, today at 1-800-277-5415, ext. 706, or email him. NDNB also offers SOC 2 and SOC 3 assessments, along with FISMA and NIST compliance, and also PCI DSS and HIPAA reporting.

Since 2006, NDNB has been setting the standard for security & compliance regulations