Compliance White Papers

Taking the hassle out of staying compliant


Call the proven and trusted SOC 2 framework experts today at NDNB. We provide comprehensive, cost-effective, “fixed-fee” engagements for the SOC 2 framework. From coast to coast, NDNB has been offering high-quality, industry-leading compliance services and solutions, not only for SOC 2 audits but for many of today’s regulations, such as SOC 1 SSAE 18, SOC 2, SOC 3, EI3PA, ACH audits, MERS compliance, internal audits, and more.

SOC 2 Framework and 4 Important Points to Know

The SOC 2 framework, which is part of the AICPA Service Organization Control (SOC) reporting platform, represents an assessment methodology geared towards technology-oriented service organizations. With that said, the following four (4) points are critical to note regarding SOC 2:

1. Scope is Critical: Ever heard of the term “scope creep”? Let’s just say it’s not something you want to happen during a SOC 2 assessment, which is why properly scoping the audit at the very beginning is critical. There are two (2) important aspects to scoping: the first is identifying the business process to assess, and the second is deciding which of the five (5) Trust Services Principles & Criteria (TSP/C) are to be included within the actual scope of the assessment. Sounds rather straightforward – and it is when working with a high-quality, well-respected CPA firm – but diving into SOC 2 audits with little or no insight regarding scope is not recommended. Here are some helpful tips for assessing SOC 2 scope:

First, determine what the actual business process is that will be included in the SOC 2 assessment: is it everything the organization does, or just a specific business unit or division? Second, identify which of the five (5) Trust Services Principles & Criteria (TSP/C) are to be used for reporting; you should confer with a well-qualified CPA firm on this. Nobody wants the awful “scope creep” dilemma to come calling, so plan accordingly and speak to knowledgeable professionals today.

Also, documentation is essential: In today’s world of regulatory compliance, documentation is often the key to audit success – and failure – so the importance of information security documents cannot be overlooked for SOC 2 compliance. In fact, whichever of the five (5) Trust Services Principles & Criteria (TSP/C) you choose for the audit (one, a few, or all of them), they all require documentation to be in place. It is just that simple.

Appropriately configuring firewall rules, implementing complex password policies, instituting formalized change control practices, and more – they’re all important, no question about it – but don’t forget that accompanying documentation for such initiatives is essential for SOC 2 audits. Remember, auditors are always on the lookout for information security documents, so keep that in mind.

2. Annual Compliance is often mandatory: Call it the “new norm” of regulatory compliance for any business providing critical outsourced services to other businesses. In today’s world of cost savings and business efficiencies, outsourcing is happening everywhere – and for good reason – but just remember that heavy compliance mandates come along with it. From cloud computing providers to data centers – and more – SOC 2 compliance is here to stay, so get prepared for annual audit commitments to your customers.

3. Mapping of Audit Controls is Crucial: In today’s world of growing regulatory compliance mandates, a large number of companies are faced with multiple compliance audits – it’s just the new norm of business – and if that’s you, then it’s time to talk to NDNB about our compliance mapping services, which help businesses put in place effective controls and policy documents for all major regulations. Many core information security and operational frameworks, procedures, and processes are very similar, so implementing controls and developing documentation that serve several frameworks at once is critical. We can assist – it all begins by contacting Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706, or by email, to receive a competitively priced fixed fee for SOC 2 audit reports.

4. Where to begin? With a SOC 2 scoping & readiness assessment from NDNB, that’s where. Performed by licensed and certified auditors, our SOC 2 scoping & readiness assessment engagements are a helpful tool for evaluating your organization. Learn more about the SOC 2 framework by visiting socreports.com.

NDNB provides SOC 2 compliance audit reports for data analytics businesses, one of the fastest-growing segments in the North American services economy. From mining “big data” to developing unique tools for data modeling, such entities are now being required to undertake annual SOC 2 compliance audits, and NDNB can help, providing both SOC 2 Type 1 and SOC 2 Type 2 reporting. It’s important to understand all the key elements of the SOC 2 auditing world – from scoping to pricing, and more – so take note of the following topics regarding SOC 2 compliance for data analytics companies:

1. Understand the SOC 1 vs. SOC 2 Debate. Which assessment should a data analytics business undertake, SOC 1 (SSAE 18) or SOC 2? It’s a valid question – and one we receive all the time – so let’s clear the air on the SOC 1 vs. SOC 2 debate. SOC 1 reporting, which uses the SSAE 18 professional standard, is geared towards service organizations with a true relation to the ICFR element – “Internal Controls Over Financial Reporting”.

Simply stated, if a service organization is performing functions for clients that could impact the clients’ financial reporting, then SOC 1 is the preferred assessment. However, if your company is more technology driven – as data analytics entities are – then the AICPA SOC 2 framework is a much better assessment solution than SOC 1. Furthermore, not only has SOC 2 become the de facto assessment for technology companies, it has also become very well known and respected in the world of regulatory compliance.

2. Pick the CORRECT Trust Services Criteria (TSC). If it’s SOC 2 that you’ve decided upon, then it’s time to determine which of the five (5) Trust Services Criteria (TSC) to include for purposes of audit scope – one, two, all of them? The best approach is first to find out what legal and contractual requirements you may have, then to identify any other significant issues that could help in picking the correct TSCs. For data analytics businesses, the two (2) most commonly tested TSCs are security and availability: “security” in that the entire platform is safe and secure, and “availability” in that the services provided are available and free of downtime, particularly in a cloud-based model. The remaining three (3) TSCs – confidentiality, processing integrity, and privacy – can be added if needed.

3. Be aware of Remediation and Documentation. A big part of SOC 1 and SOC 2 success is the ability of service organizations to actively identify and remediate gaps in various operational and I.T. processes. This often requires comprehensive documentation to be in place, which ultimately means developing InfoSec documents. Remember that technical remediation can be a time-consuming process, so keep this in mind.

Also, note that making infrastructure and security setting changes to system resources – such as enhancing firewall rulesets, implementing a more formalized data backup plan, and more – is all part of remediation when it comes to SOC 1 and SOC 2 compliance. In summary, look upon both the SOC 1 and SOC 2 assessment frameworks as ones that test a multitude of internal controls relating to a service organization’s I.T., operational, and infrastructure environment.

4. It’s an Annual Commitment. Understand that today’s world of regulatory compliance continues to grow and evolve, which means service organizations can expect client requests for SOC 2 audits on an annual basis. Therefore, it’s imperative to work with a CPA firm that offers in-depth services, ranging from SOC 2 readiness assessments to technical assistance, and much more. In short, find a quality, cost-effective firm that you can work with for a number of years, such as NDNB. Contact Chris Nickell today at NDNB at 1-800-277-5415, ext. 706, or via email.

5. Work with Industry Leaders. You don’t trust your oil changes, dry cleaning, babysitting – and other essential life duties – to just anyone, do you? Think the same way when choosing a provider for annual SOC 2 compliance, which means looking to the experts at NDNB. As compliance experts for decades, NDNB has issued hundreds of SOC 1 and SOC 2 reports, so let’s talk! From technical remediation to fixed-fee assessments, we offer the very best service and solutions for today’s growing regulatory compliance mandates, no question about it. Remember something very important – and obvious – regulatory compliance is here to stay, so now’s the time to find a firm you can work with for years to come, and that’s NDNB!

NDNB provides SOC 2 compliance for software development entities, ensuring rapid and comprehensive adherence to the AICPA Service Organization Control (SOC) platform. With today’s ever-growing regulatory compliance mandates – coupled with increasing cybersecurity risks – software development businesses are being required to undertake annual SOC 2 compliance, which can be a challenging endeavor for many.

Here's What You Need to Know About SOC 2 for SDLC

The key to SOC 2 auditing success is understanding the following critical components, ultimately resulting in an efficient process that saves both time and money for your business:

Choose the “Correct” Assessment: If you’ve been reading up about SOC 2, then you’re probably familiar with the SOC 1 vs. SOC 2 debate and which assessment is the “correct” audit for a service organization. Let’s provide some clarity on this issue: SOC 1 SSAE 18 assessments are performed on organizations with a true connection to the Internal Controls over Financial Reporting (ICFR) concept, while SOC 2 assessments are primarily performed on technology businesses. Thus, if a service organization is performing critical financial calculations and reporting for its clients, then SOC 1 SSAE 18 is the more suitable audit, while data centers, SaaS entities, and other I.T.-related businesses generally perform SOC 2 assessments.

Learn about the Trust Services Criteria: With five (5) Trust Services Criteria (TSC) available to choose from for a SOC 2 audit, it’s important to understand what they are, what they cover, and which of the five you should consider for audit scope purposes. They are as follows:

  • Security
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy

A competent and well-informed CPA firm – such as NDNB – can help in determining which TSCs to include within your SOC 2 report, so call and speak with Christopher Nickell, CPA, at 1-800-277-5415, ext. 706 today, or contact him by email.

Consider a Readiness Assessment: When performed properly, a SOC 2 readiness assessment helps unearth material gaps and weaknesses within a service organization’s control environment, allowing for timely remediation before the actual audit commences. From missing documentation to security system failures, there’s much that can be found with a comprehensive SOC 2 readiness assessment. In the long run, performing such an exercise saves precious operational man-hours, as it helps ensure an efficient and streamlined auditing process from the onset. Nobody wants to start and stop an audit multiple times in order to correct an internal control failure that should have been assessed and remediated prior to the audit!

Know that Remediation is Critical: From documentation needs to system configuration changes, remediation is a major initiative when it comes to SOC 2 compliance, no question about it. As for the degree and depth of remediation, that depends entirely on the maturity of one’s internal control environment.

NDNB | North America’s SOC 2 Compliance Leaders

When it comes to expert knowledge, fixed-fee pricing, and delivering SOC 2 audit reports on time and within budget, the professionals at NDNB have you covered. We’ve been issuing SOC reports for years – even starting with the original SAS 70 auditing standard in 1992 – and we’ve developed a process that simply works. From SOC 2 readiness assessments to remediation services – and more – NDNB is North America’s leading provider of compliance audits. Call and speak with Christopher Nickell, CPA, at 1-800-277-5415, ext. 706 today, or contact him by email.

If you are seeking to obtain SOC 2 compliance – what many organizations throughout the business world commonly call SOC 2 certification – then talk to the experts at NDNB Accountants & Consultants and receive a competitively priced, fixed-fee proposal for all your SOC 2 reporting needs. NDNB has been the unquestioned leader in offering high-quality, comprehensive, and cost-effective SOC 2 services to organizations throughout North America and other select regions.

SOC 2 Certification Requirements for Fixed Fees - Nationwide Services

SOC 2 certification (actually, the phrase “SOC 2 certification” is technically incorrect, since a SOC 2 engagement produces an attestation report rather than a certificate, but the phrase is used by almost everyone throughout the industry) is provided by NDNB Accountants & Consultants at a competitively priced fixed fee, from coast to coast. With more than a decade of experience in performing regulatory compliance assessments, starting with the historical SAS 70 auditing standard – and now on to the AICPA SOC 1 and SOC 2 framework – you’re in good hands with NDNB for SOC reporting!

SOC 2 Certification - What “Certified” Really Means

Regardless of what you call the SOC 2 reporting standard – “certification, compliance, certified” – it all comes down to essentially the same theme: testing and validating a wide array of processes and procedures for today’s technology-driven service organizations. It’s thus important to note that many service organizations (i.e., businesses undertaking an actual SOC 2 assessment) require moderate to extensive remediation efforts, often focused on documentation pertaining to information security procedures and other related processes. Service organizations are obviously very good at what they do – or they wouldn’t be in business – but often fall short on the extensive documentation needed to become SOC 2 compliant.

NDNB - North America's Leading Provider of SOC 2 Audits - Fixed Fees

Saving hundreds of hours and thousands of dollars on SOC 2 compliance – that’s the NDNB difference, and we’ve been doing it for years. The onslaught of regulatory compliance mandates – particularly SOC 2 compliance – will continue to grow, no question about it, so turn to the experts today for industry-leading expertise and advice. Additionally, to learn more about both SOC 1 and SOC 2, visit the SSAE 16 Resource Guide, developed by NDNB.

With phrases such as “Trust Services Principles (TSP), common criteria (CC), description of the system” – and more – being thrown around in the world of SOC 2 compliance, it’s important to gain a strong understanding of the technical merits of the American Institute of Certified Public Accountants (AICPA) Service Organization Control (SOC) reporting platform, which consists of the following:

  • SOC 1
  • SOC 2
  • SOC 3

For clarity, remember that SSAE 18 SOC 1 audits are generally performed on service organizations conducting activities that could impact their clients’ financial statements. As for SOC 2 and SOC 3, technology companies have aggressively adopted these reporting standards, due in large part to the applicability of the five Trust Services Principles (TSP) of Security, Availability, Processing Integrity, Confidentiality, and Privacy.

Notable elements worth discussing about SOC 2 for service organizations are the following:

  • SOC 2 audit reports are an important element of the AICPA Service Organization Control (SOC) reporting framework.
  • Organizations can opt for a SOC 2 Type 1 or a SOC 2 Type 2 report.
  • SOC 2 audit reports are geared towards many of today’s technology oriented companies.

Speak with Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706, or contact him by email, and receive a competitively priced fixed fee for SOC 2 audit reports.

NDNB Accountants & Consultants, LLP (NDNB) is one of Texas’ leading providers of SOC 2 Type 1 and SOC 2 Type 2 reports, offering high-quality compliance services, complete with fixed-fee pricing for all our solutions. Along with offering SOC 2 audits, we also provide numerous supporting services, ranging from readiness assessments to process improvement measures, and much more. If you’re a business in Dallas, TX offering critical services and solutions to other entities, then expect SOC 2 compliance to come calling, so get prepared and learn the facts about the AICPA Service Organization Control (SOC) framework.

Dallas’ Leading Provider of SOC 2 Audits & Assessments at Fixed Fees

There’s no better place to be than the Lone Star State – call it a Texas mindset, one we fully embrace – yet with such a stellar economy in Dallas also come big regulatory compliance reporting mandates for many businesses. Technology is booming in Dallas, and also in Houston and Austin, with many Texas entities requiring annual SOC 2 compliance, with which NDNB can assist, offering fixed-fee pricing. Name an industry in Texas, from manufacturing to technology, and it’s safe to say that NDNB has a strong presence in terms of providing annual compliance audits and assessments. From the oil fields of West Texas to the technology hub in Austin, NDNB is a household name in offering SOC 2 audits and numerous other regulatory compliance services, such as SOC 1, SOC 3, PCI DSS, HIPAA, FISMA, ISO 27000-series reporting, and more.

Offering Comprehensive SOC 2 Services to Dallas, TX Businesses

For SOC 2 Compliance & Assessments, “Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy” is the official title of a SOC 2 report. Under the American Institute of Certified Public Accountants (AICPA) Service Organization Control (SOC) framework, this is but one of three reporting options, which include SOC 1, SOC 2, and SOC 3. The AICPA has made great strides in replacing an aging auditing standard (SAS 70) with a vastly improved and more up-to-date service organization reporting platform. So, here’s what you need to know about SOC 2 Compliance & Assessments, courtesy of NDNB Accountants & Consultants, LLP, North America’s leading provider of SOC 1, SOC 2, and SOC 3 audits:

Since 2006, NDNB has been setting the standard for security & compliance regulations