SOC 2 Compliance Audits - 9 Things to Know

SOC 2 compliance is quickly becoming a very hot topic in today’s world of regulatory compliance, particularly for cloud computing vendors – SaaS, PaaS, and IaaS – and other technology businesses. Service organizations should therefore take note of the following nine (9) important items regarding this specific Service Organization Control (SOC) reporting framework.

1. SOC 2 compliance is part of the AICPA Service Organization Control (SOC) reporting platform. In an effort to reflect a trend towards globally accepted accounting principles, the American Institute of Certified Public Accountants (AICPA) launched the SOC reporting platform, for which there are three (3) reporting options: SOC 1, SOC 2, and SOC 3. The intent of this shift is to dramatically revamp reporting on controls at service organizations. Say goodbye to the historical, one-size-fits-all auditing standard known as SAS 70, and hello to SSAE 16 (SOC 1) and AT 101 (SOC 2 and SOC 3). With three different reporting options – each unique in its own right – service organizations now have the ability to pick and choose from a platform that truly meets their reporting needs and their clients’ expectations.

2. Documentation is Critical. When we say “documentation”, we’re speaking about the information security policies and procedures that need to be in place for validating compliance. Auditors will ask for them, so you’ll need to determine what gaps and deficiencies exist and how they can be corrected. NDB offers a comprehensive SOC 2 Policy Packet that helps our clients save hundreds of hours of tedious policy documentation creation. Just stop and think about how much time it would take to develop information security policies and procedures from scratch – incident response policies, data backup policies, access control policies, change management policies, and more – the time would be staggering, and it’s why businesses turn to NDB and utilize our SOC 2 Policy Packet. Call and speak with CPA Christopher Nickell at 1-800-277-5415, ext. 706, or contact him by email today.

3. SOC 2 audits are conducted in accordance with AT 101. AT Section 101 (Attest Engagements) is a lesser-known professional standard that has now been given the spotlight, thanks in part to the requirement that SOC 2 reports utilize this "attestation standard" for purposes of reporting.

4. Understand the differences between SOC 1, SOC 2 and SOC 3. SOC 1 compliance is generally intended for service organizations whose services are relevant to their clients’ Internal Control over Financial Reporting (ICFR). Meanwhile, SOC 2 compliance is designed for the growing number of technology and cloud computing entities that are becoming very common in the world of service organizations. SOC 3, much like SOC 2, utilizes the five (5) Trust Services Principles (TSP) – the same principles behind the SysTrust and WebTrust engagements – as the general framework for conducting this type of engagement. And while SOC 2 permits reporting on any number of the TSPs, SOC 3 requires that all five (5) TSPs be included for issuing a report.

The five (5) TSPs are the following:

• Security: The system is protected, both logically and physically, against unauthorized access.
• Availability: The system is available for operation and use as committed or agreed to.
• Processing Integrity: System processing is complete, accurate, timely, and authorized.
• Confidentiality: Information that is designated “confidential” is protected as committed or agreed.
• Privacy: Personal information is collected, used, retained, and disclosed in conformity with the commitments in the entity’s privacy notice and with the privacy principles put forth by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA).

5. SOC 2 requires a written statement of assertion and a description of one's "system". Management of the service organization must provide a written statement of assertion, along with a description of the organization’s "system". While the historical SAS 70 auditing standard required only a description of “controls”, the description of one’s "system" required for SOC 2 compliance (and SOC 1) is considered to be more comprehensive, covering the infrastructure, software, people, procedures, and data that make up the service.

6. SOC 2 compliance is gaining traction for technology-based service organizations. After the implementation of the SOC framework, SOC 2 was generally overshadowed by SOC 1. However, as more technology and cloud computing companies begin to realize the value of SOC 2, this is certain to shift. In the future, expect many non-ICFR service organizations to seek SOC 2 compliance reports. Interestingly, a number of service organizations are opting for both SOC 1 and SOC 2 compliance. From data centers to cloud computing – and more – any company with a true relationship with technology is going the SOC 2 route, so keep this in mind.

7. Conducting a Readiness Assessment is Critical. So you’ve got a better understanding of SOC 2 compliance from the above points – great – now it’s important to know that performing a readiness assessment is the first official step towards SOC 2 compliance. Specifically, a SOC 2 readiness assessment helps unearth, clarify, and assess one’s current internal control environment, allowing both you and your auditor to gain a greater understanding of what challenges lie ahead, if any. Every business going through a SOC 2 audit needs to know exactly what the scope is, what areas require remediation, what personnel are involved in the entire audit process, and much more. That’s exactly what you’ll receive when performing a SOC 2 readiness assessment with NDB, so speak with CPA Christopher Nickell at 1-800-277-5415, ext. 706, or contact him by email today.

8. Understand that Remediation is a Must. Correcting operational deficiencies prior to the audit – such as developing missing policies and procedures, correcting process-based activities, and more – is an essential component of audit remediation. In fact, developing documentation is often the most time-consuming and challenging aspect of regulatory compliance, no question about it. What differentiates NDB from other providers is our ability to offer clients a SOC 1 or SOC 2 Policy Packet containing dozens of much-needed information security policy and procedure templates for helping ensure rapid and complete SOC 1 and/or SOC 2 compliance. Operational weaknesses that must be corrected before the audit also include technical/security issues, such as weak provisioning guidelines and procedures for systems, deficient password complexity rules and access control measures, and much more. Much like remediating policies and procedures, technical/security remediation efforts can take time, and it’s why you’ll need guidance from experts, such as the regulatory compliance auditors at NDB.

9. We're the SOC 2 Experts. Whatever your SOC 1 and SOC 2 reporting needs are, we can assist, offering a wide spectrum of services and solutions, from scoping & readiness assessments to policy and procedure writing, remediation services, and much more. Talk to the experts today at NDB. We’ve been the unquestioned leaders in providing SOC 1 and SOC 2 audits and assessments for businesses all throughout North America, offering fixed-fee pricing and superior audit services, along with a laundry list of complimentary tools for helping ensure audit success. Time is money – a concept we truly grasp at NDB – so when it comes to audit efficiencies and high-quality reports, trust the CPAs at NDB.

Moreover, we’ve been performing regulatory compliance audits for years, and have built an incredibly efficient and scalable model, one that includes all the services and solutions needed to enable rapid and complete compliance. Specifically, NDB offers comprehensive SOC 1 and SOC 2 readiness assessments, policy, procedural and technical remediation services, and all necessary assessments for your business. Additionally, we provide HIPAA, GLBA, and PCI DSS compliance services – and much more – so speak with CPA Christopher Nickell at 1-800-277-5415, ext. 706, or contact him by email today.

From IT consultants to seasoned regulatory compliance auditors, our firm's expertise is diverse, cross-functional, and highly experienced across all of our service lines.