As for NDNB’s SOC 2 Type 2 reports and assessments for Atlanta, GA businesses, it’s a good idea to get to know the SOC standard, so we’ve provided the following helpful information regarding the AICPA SOC framework:
What Georgia Businesses Need to Know About SOC 2 compliance
SOC 1 and SOC 2: There’s quite a bit of chatter regarding the SOC 1 vs. SOC 2 debate, so just remember this for simplicity and clarity: SOC 1 audits are for service organizations having an ICFR element within their internal control environment, while SOC 2 assessments are ideally suited for today’s technology companies – cloud computing, data centers, etc. Ultimately, your clients and prospects will dictate which one of these reports to undertake – and if they’re educated on the SOC 1 vs. SOC 2 topic, they’ll pick the correct one. If not, then be prepared to politely “educate” them on the technical differences between SOC 1 and SOC 2.
Type 1 vs. Type 2: A SOC 2 “Type 1” report is issued for a specific point in time, such as September 30, 20xx, while a SOC 2 “Type 2” is a report that illustrates a service organization’s control environment over an agreed time period, generally six (6) months. Most businesses – but not all – start out with a Type 1, then progress towards annual SOC 2 Type 2 compliance.
Trust Services Criteria: If you’re going to be performing annual SOC 2 audits, then now’s the time to start learning about the following five (5) Trust Services Criteria (TSP): 1. Security. 2. Availability. 3. Processing Integrity. 4. Confidentiality. 5. Privacy. They each are unique in their own right, and they each contain specific clauses relating to a service organization’s policies, procedures, and processes. Knowing which of the TSP’s to include within a report – and why – is critical, so talk to SOC 2 expert Christopher Nickell, CPA, at 1-800-277-5415, ext. 706 today.
Scope: It’s also important to properly scope what business processes are to be in included within the scope of a SOC 2 assessment. More specifically, would it include the service organization’s entire business functions, or just a subset? This is important to identify early on for ensuring you mitigate “audit scope creep” during the SOC 2 assessment process. An audit can “run away” from you very quickly, so it’s critically important to clearly define scope, effectively putting a leash on the auditors and everyone else!
Documentation: Policies and procedures are critically important when it comes to SOC 2 compliance, from essential information security policies – such as change management, data backup, and more – to operational and infrastructure documentation. It’s an area that most service organizations struggle immensely with, and it’s why NDNB provides a SOC 2 Policy Packet for helping develop all necessary policy documents for an actual SOC 2 assessment.
Remediation: It’s also important to remember that EVERY service organization will have at least some element of remediation to perform – it’s just how auditing works – after all, does every company have a picture-perfect internal control environment? The amount and time spent on remediation is ultimately determined by an upfront SOC 2 readiness assessment and gap analysis – a “pre-audit” exercise for looking into one’s operational, I.T. and infrastructure processes and procedures. NDNB has years of experience performing both SOC 2 readiness assessments and the actual audit itself, so call and speak with Christopher. G. Nickell, CPA, today at 1-800-277-5415, ext. 706.
NDNB – Atlanta’s Leading Provider of SOC 2 Audits – Fixed Fees
NDNB is Atlanta’s leading provider of regulatory compliance services, ranging from SSAE 18 SOC 1 assessments to SOC 2 audits, and more. Today’s cybersecurity world has brought about massive compliance mandates within various industries, so talk to the experts today about becoming compliant in an efficient and cost-effective manner.