
SOC 1 SSAE 18 Audit Checklist for Auditing Success for Denver, CO Businesses

Denver, Colorado area service organizations seeking to become SOC 1 compliant can now use NDB’s in-depth SOC 1 SSAE 18 audit checklist to help plan and execute an audit process that’s efficient, cost-effective, and delivered on time. With thousands of dollars being spent on annual regulatory compliance assessments in today’s business world – and SOC 1 being one of the most well-known audits – it’s a really good idea to learn more about SOC 1 SSAE 18 reporting, while also having a detailed, easy-to-use checklist for ensuring proper planning from day one.

NDB also offers SOC 1 and SOC 2 audit reports for businesses using Amazon AWS, Microsoft Azure and Google GCP.

SOC 1 SSAE 18 Checklist for Colorado Businesses

1. Pick the Right CPA Firm: While the vast majority of Certified Public Accountants (CPA) in North America don’t specialize in SOC 1 SSAE 18 and SOC 2 audits, a few do, such as NDB, and it means we’re very efficient, cost-effective, and good at what we do. In fact, going back to the early days of service organization auditing with the original SAS 70 auditing standard, NDB has successfully issued hundreds of audit reports all throughout North America, effectively creating a household name from coast to coast. In all honesty, there are a number of highly reputable firms offering SOC 1 SSAE 18, SOC 2, and SOC 3 services to Colorado businesses, and we’re one of them.

2. Assess the SOC 1 vs. SOC 2 Landscape: We’re often asked “which audit should I perform, SOC 1 or SOC 2?”, and it’s a good question. There’s still some confusion in the marketplace about which audit is the best fit, so remember that SOC 1 SSAE 18 reports are for service organizations impacting their clients’ financials, while SOC 2 reports are heavily weighted towards technology businesses. For SOC 1 SSAE 18 audits, think Third Party Administrators (TPA), trust departments, actuaries, and other businesses performing critical services that impact client financials. As for SOC 2 reports, think data centers, SaaS, PaaS, IaaS, managed services, and almost any other conceivable technology-oriented business.

In fact, SOC 2 is gradually beginning to outpace and outshine its SOC 1 SSAE 18 sibling in terms of acceptance and use, as there are simply thousands of service organizations now functioning in the technology arena. This number is only going to grow in the coming years, so accept the continued adoption of SOC 2 audits in the marketplace. As for SOC 1 SSAE 18 audits, they’ll always have their defined user base – the financial sector – so expect to see a consistent use and application of this auditing standard also.

3. Define the Business Process: Identifying what’s included in an actual SOC 1 SSAE 18 report for Colorado businesses – such as business process, physical locations, personnel, systems, etc. – is one of the most important tasks to do. After all, scope and audit creep is not something you’ll want to entertain, so identify what’s in scope early on. Something else to think about is the control objectives and the supporting control specifications.

More specifically, what control objectives are to be included within the scope of the audit, who is developing them, are they applicable and relevant, and what audit evidence can be provided to suffice for them? Call and speak with Christopher G. Nickell, CPA, today at 1-800-277-5415, ext. 706, to learn more about important scope and business process considerations for SOC 1 SSAE 18 assessments for Colorado businesses.

4. Client Financial Reporting: Are you aware of the concept called “ICFR”, which stands for “Internal Controls over Financial Reporting”? Businesses providing material outsourcing services that can impact their clients’ financials must assess their ICFR controls for SOC 1 SSAE 18 compliance. Many businesses opting for SOC 1 SSAE 18 compliance are unaware of the ICFR concept, but it should be a part of every SOC 1 SSAE 18 report.

5. Conduct a Readiness Assessment: If there’s one area that Colorado businesses should commit additional financial resources to, it’s undertaking a SOC 1 SSAE 18 readiness assessment before the audit actually begins. Why? To identify and assess critical gaps and issues requiring immediate attention, so as to avoid audit roadblocks. From missing documents to operational and security control failures, NDB’s SOC 1 readiness assessment is a must for ensuring a successful audit, so call and speak with Christopher G. Nickell, CPA, today at 1-800-277-5415, ext. 706.

What is SOC 1 SSAE 18 and the importance of a Scoping and Readiness Assessment

Also, keep one thing in mind regarding the scoping & readiness assessment: the topic of an asset inventory will surface. What’s an asset inventory? It’s your list of information systems that includes hostnames, locations, and purposes of the following: firewalls, routers, switches, servers (both virtual and physical), and any other company-owned systems. Auditors want to know what systems are in scope for SOC 1 SSAE 18, and that’s what an asset inventory provides. Also, it’s a good security practice to have such a list in place anyway. After all, how can you protect your I.T. landscape if you don’t even know what’s in place and where it’s located?

6. Remediation: Question – what’s always the most time-consuming and demanding aspect of going through a SOC 1 SSAE 18 assessment? Answer – Remediation. That’s right, every service organization – and we mean “every” – must undertake some form of remediation, from developing missing documents to enhancing security controls, and more.

SOC 1 SSAE 18 and SOC 2 Policy Templates and Information Security Policies

7. Control Objectives: The basis for any SOC 1 SSAE 18 assessment is the set of control objectives that must be developed, assessed – and possibly tested – for operating effectiveness (if a SOC 1 SSAE 18 Type 2). While developing them is primarily the responsibility of the service organization – i.e., the company undertaking the audit – the service auditor – i.e., the CPA firm performing the audit – is often heavily involved in the development of such controls.

8. Financial Impact for Clients: Do you offer services that can actually impact financial reporting for clients? If so, it’s important to test and report on such controls when undertaking an annual SOC 1 SSAE 18 assessment. The concept is called ICFR – “Internal Controls over Financial Reporting” – so talk to a well-qualified CPA firm to learn more about this important provision for SOC 1 compliance.

Colorado’s Leading Provider of Compliance Audits

Businesses struggle with regulatory compliance issues, mainly due to audit costs, operational commitments, and the difficulty of understanding the complexities of the laws and regulations themselves. Compliance has been a painful issue for many service organizations in and around the Denver, CO area, but let’s change that by calling NDB and speaking with Christopher Nickell, CPA, at 1-800-277-5415, ext. 706, today. Whatever one’s compliance mandates are, from SOC 1 SSAE 18, SOC 2, SOC 3, EI3PA, ACH Audits, MERS compliance, PCI DSS assessments, internal audits, and more, the proven and trusted compliance experts at NDB stand ready to assist Colorado businesses in Denver, Boulder, Fort Collins, and other surrounding areas, so let’s talk today.
