Compliance White Papers

Taking the hassle out of staying compliant


The SOC 2 standard includes reporting that allows for the issuance of a SOC 2 Type 1 and/or Type 2 assessment, which NDNB offers to businesses throughout North America and other select regions. Compliance with the SOC 2 standard requires in-depth technical knowledge and auditing expertise in today’s challenging and complex business arena. All the more reason to trust the experts at NDNB for all your SOC 2 reporting needs.

So out with the old and in with the new – as the old saying goes – as the AICPA SOC framework has successfully replaced the well-aged, one-size-fits-all SAS 70 auditing standard for reporting periods on or after June 15, 2011. And now the SSAE 16 standard has been replaced with the SSAE 18 standard as of May 1, 2018. It’s a new world of regulatory compliance, one filled with heavy mandates for annual audits, for which you’ll need to know the following regarding the SOC 2 standard:

SOC 2 Standard – Type 1 and Type 2 Reports – What you Need to Know and Why

SOC 1 vs. SOC 2: Many service organizations shifted from SAS 70 immediately to SSAE 16 SOC 1 reporting, and now to SSAE 18 SOC 1 reporting – but not so fast – as the SOC 1 framework is actually geared towards companies providing services that could impact their clients’ actual financial reporting. SOC 2, on the other hand, is heavily weighted towards today’s tech companies, such as cloud computing vendors, data analytics, SaaS models, data centers, managed services providers, and more. There is a big difference between SOC 1 and SOC 2 – differences you need to be aware of before embarking on either one of these audits.

Trust Services Principles and Criteria: SOC 2 assessments require testing against the following five (5) AICPA Trust Services Principles and Criteria (TSPC): (1) Security, (2) Availability, (3) Processing Integrity, (4) Confidentiality, and (5) Privacy. As to which of the five (5) TSPC to test against, that depends on a number of factors, such as client expectations, market demands, and more. While every SOC 2 candidate tests against the baseline “Security” TSPC, after that, there’s much discussion to be had as to the remaining four (4) TSPs.

Audit Scope and Business Process: A critical element for ensuring your SOC 2 assessment is successful is identifying the relevant business processes to be included within the audit itself. Are the entire enterprise-wide operations included, or just a subset of the service organization’s businesses? Are your clients expecting – and demanding – that certain processes be included, or are they requesting a SOC 2 audit with no real specifics? These are questions that need to be addressed, and answered.

Remediation is Key: Correcting and enhancing operational, security, and infrastructure deficiencies is critical for ensuring a successful SOC 2 audit, and every service organization will have some type of remediation to undertake – trust us on this one. From inadequate processes to missing security controls – and more – remediation is a large part of the SOC 2 landscape, and it’s also the main reason why businesses undertake a SOC 2 readiness assessment for helping identify internal control weaknesses.

Operational controls are Critical: A successful SOC 2 assessment – one that allows a service organization to obtain a clean, “unqualified opinion” – simply doesn’t happen without having formalized processes and procedures in place. Developing formalized processes can be incredibly time-consuming and expensive, and it’s why NDNB offers extensive services and solutions for helping businesses become SOC 2 compliant. Businesses don’t have hundreds of hours to allot to time-consuming process development – we get it – so turn to the experts today at NDNB.

I.T. Controls are Critical: Remember that the actual SOC 2 assessment framework – which includes the Trust Services Principles and Criteria (TSPC) – is an ideal assessment process for technology oriented service organizations, which means one’s I.T. controls will be thoroughly assessed during the actual audit process. This means that all information security related elements – formalized procedures and processes – must be well designed, well documented, and functioning. This often requires remediation in a number of areas, most notably regarding system configuration changes, such as enhancing firewall rulesets, strengthening access controls, developing formalized incident response procedures, and much more. NDNB can assist in providing hands-on expertise as needed for ensuring the safety and security of one’s I.T. infrastructure.

  • SOC 2 audit reports are an important element of the AICPA Service Organization Control (SOC) reporting framework.
  • Organizations can opt for a SOC 2 Type 1 or a SOC 2 Type 2 report.
  • SOC 2 reports are different from SOC 1 reports.
  • SOC 2 audit reports are geared towards many of today’s technology oriented companies.

Speak with Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706, and receive a competitively priced fixed fee for SOC 2 audit reports and to learn more about the SOC 2 standard.

SOC 2 report assessments and services are offered by NDNB Accountants & Consultants (NDNB), North America’s premier provider of high-quality, fixed-fee SOC 2 reporting. Take note of the following best practices for ensuring a smooth, highly-efficient, and cost-effective SOC 2 reporting process from day one:

A SOC 2 Readiness Assessment is Essential

New to the SOC 2 assessment process? Then we highly suggest going through a brief, yet comprehensive readiness assessment for identifying critical gaps and deficiencies, along with important audit scope considerations. Every company – and we mean every – has always benefited from a SOC 2 readiness assessment. Why? Because we always find issues that demand immediate attention prior to the actual audit commencing. From missing documents to inadequate processes and internal controls, correcting such items before the audit begins is an absolute must, no question about it. Call Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706 today to learn more.

Identifying the Relevant TSPs and Business Process is Critical

The SOC 2 framework utilizes the following five (5) Trust Services Principles for reporting: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Look upon them as distinct silos in today’s world of SOC 2 compliance – mandates that require procedures and processes for ensuring adherence to each applicable TSP. Along with identifying which of the TSPs should be included in a SOC 2 assessment, it’s also imperative to identify the relevant business processes to be covered.

As for the business process, is the entire organizational service offering included within the scope of a SOC 2 assessment, or just a sub-category of it? Many companies actually have multiple SOC 2 reports conducted on various business lines, so this is an important issue to assess and come to an agreement on in the early stage of audit preparation and planning. Talk to Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706 today to learn more about important business process and scoping considerations for SOC 2 compliance.

Operational Processes are Critical

Yes, they are, very critical – so much so that companies often hire consultants for the main purpose of assisting with SOC 2 compliance, along with other regulatory compliance mandates. This can often take hundreds of hours and thousands of dollars, and it’s why NDNB highlights the need for ensuring highly competent personnel are on board, ready to assist.

Remediation is a Must

Every service organization going through SOC 2 compliance will have some amount of remediation to undertake, no question about it. From developing processes and procedures to strengthening various operational and I.T. internal controls, remediation is a big part of SOC 2 compliance. For some, it can take quite a bit of time as they quickly find out that missing processes and procedures will amount to dozens of hours of work, while other service organizations simply need to do marginal enhancements – it all comes down to the maturity of one’s internal control environment. Take note of the following regarding SOC 2 report assessments:

  • SOC 2 audit reports are an important element of the AICPA Service Organization Control (SOC) reporting framework.
  • Organizations can opt for a SOC 2 Type 1 or a SOC 2 Type 2 report.
  • SOC 2 reports are different from SOC 1 reports.
  • SOC 2 audit reports are geared towards many of today’s technology oriented companies.

Speak with Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706, and receive a competitively priced fixed fee for SOC 2 audit reports and to learn more about SOC 2 report services from a proven and trusted firm.

Why Choose NDNB for SOC 2 Report Assessments?

NDNB has spent years performing SOC 2 report assessments for a wide variety of companies. Name the industry – from agriculture to technology – and we can safely say that we’ve touched almost every type of sector, which means NDNB has the expertise and know-how for getting the SOC 2 audit done. Looking for a fixed fee for SOC 2? Need expertise from highly competent, qualified CPAs? Want SOC 2 straight talk? Then talk to the experts at NDNB by contacting Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706 today to learn more. Regulatory compliance is only going to continue to grow as we move forward to a more digital world, so get ready for the coming compliance wave by contacting NDNB today.

Trust the experts at NDNB when it comes to providing expert SOC 2 guidelines and other supporting information for ensuring you achieve SOC 2 compliance quickly and cost-effectively. As part of every SOC 2 audit performed by NDNB, organizations receive a free consultation regarding all of your SOC 2 needs from a highly-qualified CPA with years of SOC 2 expertise.

Want to learn more about SOC 2 and obtain a true SOC 2 guide on what’s becoming one of the most recognized assessments throughout the entire world? Then take note of the following items for ensuring a successful SOC 2 audit from day one:

1. Compliance is here to stay. SOC 2 audits are being requested annually from many technology driven businesses that are providing material services to their clients. It means that YOUR clients want to gain a greater understanding – and confidence level – of your internal controls, which they can do by requesting annual compliance audits, such as SOC 2. So forget about the notion of a “one and done” SOC 2 audit – not in today’s world, as compliance is now an annual commitment for service organizations.

2. Technical Remediation is Critical. Information security remediation is a very, very big part of SOC 2 compliance, so much so that businesses often hire independent consultants to assist with such an undertaking. The Trust Services Principles (TSP), which consist of Security, Availability, Processing Integrity, Confidentiality, and Privacy, all require a heavy dose of technical controls for ensuring successful SOC 2 compliance. NDNB offers technical remediation services, which is one of the biggest reasons we’re the preferred provider of SOC audits throughout North America.

3. Invest in a SOC 2 Readiness Assessment. When performed correctly, a SOC 2 readiness assessment is extremely valuable, providing much-needed insight and understanding of a service organization’s gaps and deficiencies for purposes of SOC auditing. From missing documentation to critical security gaps – and more – a SOC 2 readiness assessment effectively lays the foundation for long-term auditing success. It’s not just another expense – rather – a beneficial exercise that’s highly recommended to any service organization new to SOC 2 reporting.

And while the vast majority of remediation for SOC 2 audits is predominantly that of documentation, let’s not forget the importance of actually implementing all the necessary changes that are stated in such documents. This is a big step for many service organizations, but it has to be done for purposes of regulatory compliance for SOC 2, and it’s also in the spirit of security best practices for today’s complex, cybersecurity world.

4. Learn about SOC 2. Hey, if you’re going to be spending large sums of money each year on SOC 2 reporting, then it’s probably a good idea to start learning about the technical merits of the AICPA Service Organization Control (SOC) framework, which consists of SOC 1, SOC 2 and SOC 3. Additionally, SOC 2 compliance requires a description of a service organization’s “system”, along with a written statement of assertion by management – two critical reporting elements on which NDNB can provide more information.

  • SOC 2 audit reports are an important element of the AICPA Service Organization Control (SOC) reporting framework.
  • Organizations can opt for a SOC 2 Type 1 or a SOC 2 Type 2 report.
  • SOC 2 audit reports are geared towards many of today’s technology oriented companies.

Speak with Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706, and receive a competitively priced fixed fee for SOC 2 audit reports.

Call the proven and trusted SOC 2 framework experts today at NDNB, as we provide incredibly comprehensive, cost-effective, “fixed-fee” engagements for the SOC 2 framework. From coast to coast, NDNB has been offering high-quality, industry leading compliance services and solutions not only for SOC 2 audits, but for many of today’s regulations, such as SOC 1 SSAE 18, SOC 2, SOC 3, EI3PA, ACH Audits, MERS compliance, internal audits, and more.

SOC 2 Framework and 4 Important Points to Know

The SOC 2 framework, which is effectively part of the AICPA Service Organization Control (SOC) reporting platform, represents a true willingness to develop and implement an assessment methodology geared towards technology oriented service organizations. With that said, the following four (4) points are critical to note regarding SOC 2:

1. Scope is Critical: Ever heard of the term “scope creep”? Let’s just say it’s not something you want to happen during a SOC 2 assessment, which is why properly scoping the audit at the very beginning is highly critical. With that said, there are two (2) important aspects to scoping – the first being identifying the business process to assess, and the second being which of the five (5) Trust Services Principles & Criteria (TSP/C) are to be included within the actual scope of the assessment. Sounds rather straightforward – and it is when working with a high-quality, well-respected CPA firm – but diving into SOC 2 audits with little or no insight regarding scope is not recommended. Here are some helpful tips for assessing SOC 2 scope:

First, determine what the actual business process is that will be included for a SOC 2 assessment: is it everything the organization does, or just a specific business unit or division? Second, identify which of the five (5) Trust Services Principles & Criteria (TSP/C) are to be used for reporting, and confer with a well-qualified CPA firm on this. Nobody wants the awful “scope creep” dilemma to come calling, so plan accordingly and speak to knowledgeable professionals today.

Second, documentation is essential: In today’s world of regulatory compliance, documentation is often the key to audit success – and failure – thus the importance of information security documents cannot be overlooked for SOC 2 compliance. In fact, whichever of the five (5) Trust Services Principles & Criteria (TSP/C) you choose for the audit (one, a few, or all of them), they all require documentation to be in place – it is just that simple.

Appropriately configuring firewall rules, implementing complex password policies, and instituting formalized change control practices, and more – they’re all important, no question about it – but don’t forget that accompanying documentation for such initiatives is incredibly essential for SOC 2 audits. Remember, auditors are always on the lookout for information security documents, so keep that in mind.

2. Annual Compliance is often mandatory: Call it the “new norm” in the world we all live in regarding regulatory compliance for any business providing critical outsourcing services to other businesses. In today’s world of cost-savings and business efficiencies, outsourcing is happening everywhere – and for good reason – but just remember that heavy compliance mandates come along with it. From cloud computing providers to data centers – and more – SOC 2 compliance is here to stay, so get prepared for annual audit commitments to your customers.

3. Mapping of Audit Controls is Crucial: In today’s world of growing regulatory compliance mandates, a large number of companies are being faced with multiple compliance audits – it’s just the new norm of business – and if that’s you, then it’s time to talk to NDNB about our compliance mapping services that help businesses put in place effective controls and policy documents for all major regulations. A large number of core information security and operational frameworks, procedures, and processes are very similar, thus implementing controls and developing documentation that speaks to such efficiencies is critical. We can assist – it all begins by contacting Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706, to receive a competitively priced fixed fee for SOC 2 audit reports.

4. Where to begin? With a SOC 2 scoping & readiness assessment from NDNB, that’s where. Performed by licensed and certified auditors, our SOC 2 scoping & readiness assessment engagements are an incredibly helpful tool for evaluating your organization. Learn more about the SOC 2 framework by visiting socreports.com.

NDNB provides SOC 2 compliance audit reports for data analytics businesses, which are one of the fastest growing segments in the North American services economy. From mining “big data” to developing unique tools for data modeling, such entities are now being required to undertake annual SOC 2 compliance audit reports, and NDNB can help, providing both SOC 2 Type 1 and SOC 2 Type 2 reporting. It’s important to understand all critical key elements within the SOC 2 auditing world – from scoping to pricing, and more – so take note of the following topics regarding SOC 2 compliance for data analytics companies:

1. Understand the SOC 1 vs. SOC 2 Debate. Which assessment should a data analytics business undertake, SOC 1 (SSAE 18) or SOC 2? It’s a valid question – and one we receive all the time – so let’s clear the air on the SOC 1 vs. SOC 2 debate. SOC 1 reporting, which uses the SSAE 18 professional standard – is geared towards service organizations exhibiting a true relation to the ICFR element – “Internal Controls Over Financial Reporting”.

Simply stated, if a service organization is performing functions for clients that could impact the clients’ financial reporting, then SOC 1 is the preferred assessment. However, if your company is more technology driven – as data analytics entities are – then the AICPA SOC 2 framework is a much better assessment solution than SOC 1. Furthermore, not only has SOC 2 become the standard, de facto assessment for technology companies, it has also become very well-known and respected in the world of regulatory compliance.

2. Pick the CORRECT Trust Services Criteria (TSC). If it’s SOC 2 that you’ve decided upon, then it’s time to determine which of the five (5) Trust Services Criteria (TSC) to include for purposes of audit scope – one, two, all of them? The best answer to this is first finding out what legal and contractual requirements you may have, then identifying any other significant issues that could help in picking the correct TSCs. As for data analytics businesses, the two (2) most commonly tested TSCs are security and availability: “Security” in that the entire platform is safe and secure, and “availability” in that the services provided are available, void of downtime, particularly in a cloud based model. The remaining three (3) TSCs – confidentiality, processing integrity, and privacy – can possibly be added if needed.

3. Be aware of Remediation and Documentation. A big part of SOC 1 and SOC 2 success is the ability for service organizations to actively identify and remediate various operational and I.T. processes. This often requires comprehensive documentation to be in place, which ultimately means developing InfoSec documents. Remember that technical remediation can be a time-consuming process, so keep this in mind.

Also, note that making infrastructure and security setting changes to system resources – such as enhancing firewall rulesets, implementing a more formalized data backup plan, and more – are all part of remediation when it comes to SOC 1 and SOC 2 compliance. In summary, look upon both the SOC 1 and SOC 2 assessment frameworks as those that test a multitude of internal controls relating to a service organization’s I.T., operational, and infrastructure environment.

4. It’s an Annual Commitment. Understand that today’s world of regulatory compliance continues to grow and evolve, which means service organizations can expect client requests for SOC 2 audits on an annual basis. Therefore, it’s imperative to work with a CPA firm that offers in-depth services, ranging from SOC 2 readiness assessments to technical assistance, and much more. In short, find a quality, cost-effective firm that you can work with for a number of years, such as NDNB. Contact Chris Nickell today at NDNB at 1-800-277-5415, ext. 706.

5. Work with Industry Leaders. You don’t trust your oil changes, dry cleaning, babysitting – and other essential life duties – to just anyone, do you? So think in the same way when choosing a provider for annual SOC 2 compliance, which means looking to the experts at NDNB. As compliance experts for decades, NDNB has issued hundreds of SOC 1 and SOC 2 reports, so let’s talk! From technical remediation to fixed-fee assessments, we offer the very best service and solutions for today’s growing regulatory compliance mandates, no question about it. Remember something very important – and obvious – regulatory compliance is here to stay, so now’s the time to find a firm you can work with for years to come, and that’s NDNB!

NDNB provides SOC 2 compliance for software development entities for ensuring rapid and comprehensive adherence to the AICPA Service Organization Control (SOC) platform. With today’s ever-growing regulatory compliance mandates – coupled with increasing cybersecurity risks – software development businesses are being required to undertake annual SOC 2 compliance, which can be a challenging endeavor for many.

Here's What you Need to Know About SOC 2 for SDLC

The key to SOC 2 auditing success is understanding the following critical components, ultimately resulting in an efficient process that saves both time and money for your business:

Choose the “Correct” Assessment: If you’ve been reading up about SOC 2, then you’re probably familiar with the SOC 1 vs. SOC 2 debate and which assessment is the “correct” audit for a service organization. Let’s provide some clarity on this issue by stating the following: SOC 1 SSAE 18 assessments are performed on organizations exhibiting a true connection to the Internal Controls over Financial Reporting (ICFR) concept, while SOC 2 assessments are primarily performed on technology businesses. Thus, if a service organization is performing critical financial calculations and reporting for their clients, then SOC 1 SSAE 18 is the more suitable audit, while data centers, SaaS entities and other I.T. related businesses are performing SOC 2 assessments.

Learn about the Trust Services Criteria: With five (5) Trust Services Criteria (TSC) available to choose from for a SOC 2 audit, it’s important to understand what they are, what they cover, and which of the five you should consider for audit scope purposes. They are as follows:

  • Security
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy

A competent and well-informed CPA firm – such as NDNB – can help in determining which TSCs to include within your SOC 2 report, so call and speak with Christopher Nickell, CPA, at 1-800-277-5415, ext. 706 today.

Consider a Readiness Assessment: When performed properly, a SOC 2 readiness assessment helps unearth material gaps and weaknesses within a service organization’s control environment, ultimately allowing for timely remediation before the actual audit commences. From missing documentation to security system failures, there’s much that can be found with a comprehensive SOC 2 readiness assessment. In the long run, performing such an exercise saves precious operational man-hours as it helps ensure you’ll have an efficient and streamlined auditing process from the onset. Nobody wants to start and stop an audit multiple times in order to correct and enhance an internal control failure that should have been assessed and remediated prior to the audit!

Know that Remediation is Critical: From documentation needs to system configuration changes, remediation is a major initiative when it comes to SOC 2 compliance, no question about it. As for the degree and depth of remediation, that depends entirely on the maturity of one’s internal control environment.

NDNB | North America’s SOC 2 Compliance Leaders

When it comes to expert knowledge, fixed fee pricing, and delivering SOC 2 audit reports on time and within budget, the professionals at NDNB have you covered. We’ve been issuing SOC reports for years – even starting with the original SAS 70 auditing standard in 1992 – and we’ve developed a process that simply works. From SOC 2 readiness assessments to remediation services – and more – NDNB is North America’s leading provider of compliance audits. Call and speak with Christopher Nickell, CPA, at 1-800-277-5415, ext. 706 today.

Since 2006, NDNB has been setting the standard for security & compliance regulations
