Denver, Colorado area service organizations seeking to become SOC 1 compliant can now use NDNB’s in-depth SOC 1 SSAE 18 audit checklist for helping plan and execute an audit process that’s efficient, cost-effective, and delivered on-time. With thousands of dollars being spent on annual regulatory compliance assessments in today’s business world – and SOC 1 being one of the most well-known audits – it’s a really good idea to learn more about SOC 1 SSAE 18 reporting, while also having a detailed, easy-to-use checklist for ensuring proper planning from day one.
1. Pick the Right CPA Firm: While the vast majority of Certified Public Accountants (CPA) in North America don’t specialize in SOC 1 SSAE 18 and SOC 2 audits, a few do, such as NDNB, and that focus means we’re very efficient, cost-effective, and good at what we do. In fact, going back to the early days of service organization auditing with the original SAS 70 auditing standard, NDNB has successfully issued hundreds of audit reports all throughout North America, effectively creating a household name from coast to coast. In all honesty, there are a number of highly reputable firms offering SOC 1 SSAE 18, SOC 2, and SOC 3 services to Colorado businesses, and we’re one of them.
2. Assess the SOC 1 vs. SOC 2 Landscape: We’re often asked “which audit should I perform, SOC 1 or SOC 2?”, and it’s a good question. There’s still some confusion in the marketplace about which audit is the best fit, so remember that SOC 1 SSAE 18 reports are for service organizations whose services impact their clients’ financial reporting, while SOC 2 reports are heavily weighted towards technology businesses. For SOC 1 SSAE 18 audits, think Third Party Administrators (TPA), trust departments, actuaries, and other businesses performing critical services that impact client financials. As for SOC 2 reports, think data centers, SaaS, PaaS, IaaS, managed services, and almost any other conceivable technology-oriented business.
In fact, SOC 2 is gradually beginning to outpace and outshine its SOC 1 SSAE 18 sibling in terms of acceptance and use, as there are simply thousands of service organizations now functioning in the technology arena. This number is only going to grow in the coming years, so expect the continued adoption of SOC 2 audits in the marketplace. As for SOC 1 SSAE 18 audits, they’ll always have their defined user base – the financial sector – so expect to see consistent use and application of this auditing standard as well.
3. Define the Business Process: Identifying what’s included in an actual SOC 1 SSAE 18 report for Colorado businesses – such as business processes, physical locations, personnel, systems, etc. – is one of the most important tasks to do. After all, scope and audit creep is not something you’ll want to entertain, so identify what’s in scope early on. Something else to think about is the control objectives and the control specifications that support them.
4. Client Financial Reporting: Are you aware of the concept called “ICFR”, which stands for “Internal Controls over Financial Reporting”? Businesses providing material outsourcing services that can impact their clients’ financials must assess their ICFR controls for SOC 1 SSAE 18 compliance. Many businesses opting for SOC 1 SSAE 18 compliance are unaware of the ICFR concept, but it should be a part of every SOC 1 SSAE 18 report.
Also, keep one thing in mind regarding the scoping & readiness assessment: the topic of an asset inventory will surface. What’s an asset inventory? It’s your list of information systems, including the hostnames, locations, and purposes of the following: firewalls, routers, switches, servers (both virtual and physical), and any other company-owned systems. Auditors want to know which systems are in scope for SOC 1 SSAE 18, and that’s what an asset inventory provides. It’s also a good security practice to have such a list in place anyway – after all – how can you protect your I.T. landscape if you don’t even know what’s in place and where it’s located?
6. Remediation: Question – what’s always the most time-consuming and demanding aspect of going through a SOC 1 SSAE 18 assessment? Answer – Remediation. That’s right, every service organization – and we mean “every” – must undertake some form of remediation, from developing missing documents to enhancing security controls, and more.
7. Control Objectives: The basis for any SOC 1 SSAE 18 assessment is the set of control objectives that must be developed, assessed – and possibly tested – for operating effectiveness (in the case of a SOC 1 SSAE 18 Type 2). While developing them is primarily the responsibility of the service organization – i.e., the company undertaking the audit – the service auditor – i.e., the CPA firm performing the audit – is often heavily involved in the development of such controls.
8. Financial Impact for Clients: Do you offer services that can actually impact financial reporting for clients? If so, it’s important to test and report on such controls when undertaking an annual SOC 1 SSAE 18 assessment. The concept is called ICFR – “Internal Controls over Financial Reporting” – so talk to a well-qualified CPA firm to learn more about this important provision for SOC 1 compliance.
Colorado’s Leading Provider of Compliance Audits