
As auditors, a common question we receive almost daily is “What is SOC 2 Compliance?” And naturally, with today’s growing regulatory compliance mandates being pushed onto thousands of businesses across North America, it’s a question that’ll keep being asked. So, “What is SOC 2 Compliance?” It’s a process whereby an organization (i.e., service organization) undertakes various measures for putting in place all necessary policies, procedures, processes and related internal controls in accordance with stated AICPA Trust Services Criteria (TSP).

Here's what you need to know when asking the question, “What is SOC 2 Compliance?”

What is the Trust Services Criteria?

So, what is the Trust Services Criteria? Good question. It’s essentially a set of principles used in evaluating controls relevant to the security, availability, processing integrity, confidentiality, or privacy of a system. For a point of reference, the “Trust Services Criteria” was previously called the “Trust Services Principles and Criteria”; even with the slight name change, the acronym has stayed the same – TSP.

OK, got that? The next question is probably: “What are the security, availability, processing integrity, confidentiality, and privacy of the system?”

These are essentially the criteria-based principles used for evaluating the controls within your organization. As a service organization undergoing the SOC 2 compliance process, you can pick and choose which of the five (5) TSPs you’ll want to include within the scope of your report – one, a few, or all of them. It’s best to discuss this with a reputable CPA firm that has issued SOC 2 reports for years, so contact Christopher Nickell, CPA, to learn more.

What’s the Best Way to Prepare and Begin the SOC 2 Process?

If you’re new to the SOC 2 auditing framework, then the very first step any service organization should take is to perform a SOC 2 Scoping & Readiness Assessment. Why? Because you’ll need to understand important elements of the overall SOC 2 auditing process, such as the following:

Assessing Scope: Determining what business processes are to be included within the scope of a SOC 2 audit, along with personnel, physical locations to assess, relevant third-parties to include in terms of assessing controls, and more. Having this information clearly understood and identified will go a long way in ensuring the overall success of your SOC 2 audit.

Identifying and Correcting Control Gaps: As a service organization undergoing SOC 2 compliance, you’ll no doubt find any number of control gaps and deficiencies requiring remediation. Don’t be alarmed; finding these issues is the norm. The bigger challenge is correcting them, and that’s where NDNB can assist. Specifically, we offer policy templates and other supporting documentation for SOC 2 compliance, so contact Christopher Nickell, CPA, to learn more.

Laying out a Roadmap: Once you’ve successfully completed the SOC 2 Scoping & Readiness Assessment, you’ll have a crystal-clear picture on business scope, controls requiring remediation, next steps, and final deliverables. Think about it, having clarity and a clear roadmap to follow is immensely important when it comes to SOC 2 compliance, no question about it.

What Else Do I Need to Know About the SOC 2 Auditing Process?

Remediation is Essential: Every business undertaking a SOC 2 audit will have some type of remediation to perform, no question about it. Perhaps it’s authoring policies and procedures, or correcting security control weaknesses. Bottom line – expect some form of remediation.

Policies and Procedures are Critical: One of the more time-consuming and demanding measures of becoming SOC 2 compliant is developing all the required documentation. Specifically, information security policies and procedures are essential to being SOC 2 compliant. Here’s one thing you can definitely count on: your auditors will ask for your InfoSec policies, so be sure you have them, and that they’re complete, accurate, and truly represent your control environment.

Authoring information security policies and procedures can be incredibly tedious, and NDNB has two (2) options for you: (1) we offer a set of complimentary policy templates for you to use, or (2) we can author all of your SOC 2 policies and procedures for you. With NDNB, we give you the tools – and the choices – for ensuring a successful SOC 2 audit from beginning to end. Please contact Christopher Nickell, CPA, to learn more.

Implement Necessary Operational Initiatives: SOC 2 compliance also requires that service organizations undertake an annual risk assessment program, a process which is much more than just having a policy document in place. To be clear, you need to actually perform a risk assessment of your in-scope environment, document the results, and provide such evidence to auditors. NDNB offers a complimentary risk management program to all of our SOC 2 clients.

Be Aware of What Auditors are Requesting in Terms of Evidence: Here’s what you can expect in terms of what a SOC 2 auditor will ask for regarding audit evidence:

  • Screenshots of system settings
  • Information security policies and procedures
  • Evidence of a risk assessment performed
  • Log reports
  • Signed memos
  • Physical inspection of a facility

Compliance is an Annual Commitment: There’s no “one-and-done” in today’s world of regulatory compliance. Once you’ve entered the world of compliance, expect your customers, prospects, and other intended users of an audit report to continue to request annual compliance. That’s just the new world we live in, so it’s extremely important to find a capable, proven CPA firm for performing annual compliance audits. NDNB is that firm. We’ve successfully helped businesses throughout North America complete a wide range of compliance audits. Please contact Christopher Nickell, CPA, to learn more.

Why Choose NDNB for SOC 2 Audits?

Experience & Knowledge: We’ve performed hundreds of SOC 2 audits since the initial launch of the AICPA SOC program. Moreover, we’ve worked in literally dozens of different industries and sectors, ranging from agriculture to manufacturing, healthcare, and more. Our experience and knowledge allow us to save you hundreds of hours and thousands of dollars on annual SOC 2 reporting. We also offer a wide range of additional compliance services, including SOC 1 SSAE 18 audits, PCI DSS compliance, and more. Please contact Christopher Nickell, CPA, to learn more.

Helpful Documentation: Information security policies and procedures are a big part of SOC 2 compliance, and NDNB offers complimentary policy templates to help service organizations put in place all necessary documentation. Authoring InfoSec policies can be an incredibly demanding and time-consuming process, which is why NDNB provides our templates along with policy writing services.

Additionally, we offer a comprehensive risk assessment program, security awareness training, and other supporting material for ensuring your SOC 2 audit is a success. Contact Christopher Nickell, CPA, to learn more.

Fixed Fees: When we say fixed fees for the auditing process, we mean it. No hidden costs, no out-of-pocket travel expenses, and no fees for additional report preparation and delivery. With NDNB, fixed fees truly mean fixed fees. We also offer fixed-fee services for all other regulatory compliance assessment procedures, such as SOC 1 SSAE 18, PCI DSS, HIPAA, GLBA, GDPR, FISMA reporting, and much more.

Continuous Monitoring: Becoming SOC 2 compliant is a big accomplishment, so congratulations, but there’s more to be done. You now have to monitor your controls and ensure they’re operating as designed. NDNB offers continuous monitoring services for service organizations all throughout North America.
