SOC 1 SSAE 18 audit preparation, when done correctly, is an extremely proactive and beneficial process for helping service organization in planning, preparing executing, and successfully completing a SOC 1 SSAE 18 engagement.  Many entities are new to the entire SOC 1 SSAE 18 reporting landscape, requiring direction and guidance on a number of important issues, such as finding an auditor, conducting a readiness assessment, identifying gaps and weaknesses, just to name a few notable items.  With that said, take note of the following brief SOC 1 SSAE 18 audit preparation list of items compiled by NDNB, a nationally recognized IR CPA Firm specializing in SOC 1 SSAE 18 and SOC 2,  SOC 3 AT 101 SysTrust | WebTrust reporting:

Begin with an SSAE 16 Readiness Assessment - This process alone is one of the most fundamentally important steps an organization can take, thus look at it as a useful and proactive undertaking for ensuring you’re actually ready for a SOC 1 SSAE 18 Type 1 or Type 2 assessment.  A SOC 1 SSAE 18 Readiness Assessment – when conducted properly – should provide valuable information regarding audit scope, (i.e., systems being tested, physical locations to visit, the number of control objectives, etc.), remediation items (i.e., areas of deficiency, from an operational and technical perspective, such as policies and procedures, etc.), audit sampling and deliverables expected for the CPA firm conducting the engagement, and more.

Moreover, if your organization is to completely new to the SOC 1 SSAE 18 process, then a Readiness Assessment is a must.  High-quality CPA firms – those with years of regulatory compliance reporting – often include the cost of a SOC 1 SSAE 18 Readiness Assessment into their overall fixed-fee pricing model, so be sure to inquire about such services.

Remediate Technical Constraints – Real SOC 1 SSAE 18 audit preparation means finding areas of remediation, along with actually following through with remediation efforts themselves, such as re-configuring system parameters for one’s SOC 1 SSAE 18 control objectives and related tests.  Because most SOC 1 SSAE 18 assessments focus on what’s known as “general Information Technology (I.T.) controls, remediation efforts are commonly seen in provisioning and hardening computer systems, such as removing default settings, insecure services, etc.  Remember, auditors will want to see evidence of one’s remediation efforts for technical issues, so roll up those sleeves and get to work. It can be challenging, but it’s necessary, not only for SOC 1 SSAE 18 ompliance, but many other mandates, such as PCI, HIPAA, etc.

Remediate Operational Areas – SOC 1 SSAE 18 audit preparation also entails remediation that’s not just technical in nature - it also requires comprehensive measure for correcting many operational deficiencies, such as strengthening best practices as necessary. 

Work With Your Auditors – Remember something very important - your SOC 1 SSAE 18 auditor is there to help assist and facilitate compliance, not be an adversarial roadblock in the overall process. Though they still have to be “independent” in judgment and objective in their findings, they still have a vested interest in issuing a “clean” SOC 1 SSAE 18 opinion.  This means being upfront, open, and transparent at all times with the entire audit process, no matter what the issue is. 

The more proactive and open you are, the less likely confrontations, constraints, and issues will arise. Talk about audit scope, remediation, testing concerns - whatever’s relevant to the SOC 1 SSAE 18 assessment - and work it out. Call Christopher Nickell, CPA, today at 1-800-277-5415, ext. 706 to receive a competitive, fixed fee for all your SOC 1 SSAE 18, SOC 2 AT 101, and SOC 3 SysTrust | WebTrust needs. NDNB Also provides PCI DSS reporting (onsite audits), and numerous other compliance services.