“So which audit do we need, a SOC 1 or a SOC 2?” is a very common question fielded from Denver businesses, and rightfully so, as there is general confusion and misguidance on SOC 1 vs. SOC 2. For purposes of simplicity, SOC 1 assessments, which utilize the SSAE 18 professional standard, are for companies that display a true nexus to the concept known as Internal Controls over Financial Reporting (ICFR): think banks, actuarial businesses, trust departments, and others.
Moreover, services performed by service organizations can often impact the financial reporting of their clients, thus furthering the need for SOC 1 reporting. SOC 2, by contrast, is geared towards technology-driven companies, such as managed services providers, ISPs, Software as a Service (SaaS) entities, and more. There are clear differences between SOC 1 and SOC 2, and you need to be aware of them.
Are you a service organization in the greater Denver, Colorado area that is new to SOC reporting and is being required to undertake an annual SSAE 18 SOC 1 assessment? If so, the very first move to make is performing a SOC 1 readiness assessment, a helpful and proactive initiative that properly identifies audit scope, policy and procedural gaps, and other items requiring remediation prior to commencing with an actual audit.
While some Denver service organizations can bypass a readiness assessment (if they have been doing annual SSAE 18 SOC 1 assessments for quite some time), companies new to SOC reporting are advised not to forgo such an important step in the overall auditing process. Here is what Colorado service organizations receive when undertaking an NDNB SSAE 18 SOC 1 readiness assessment:
Scope Evaluation: First, which business processes are to be assessed for the audit, the entire company or just a segmented or specific service? This needs to be identified very early on to ensure no “scope creep” occurs during the audit. Second, does the service organization perform any activities that impact their clients’ financial statement reporting, a concept known as “Internal Controls over Financial Reporting”, or simply ICFR? Remember that the SSAE 18 professional standard should “technically” include controls relating to ICFR. We say “technically” because there are a number of entities that have a limited and/or no real ICFR relationship (i.e., data centers, etc.) but are still receiving SOC 1 reports rather than SOC 2 reports.
Control Objective Determination: Denver, Colorado service organizations will also need to assess, define, and ultimately agree upon which control objectives will be included within the scope of an SSAE 18 SOC 1 report. A readiness assessment conducted with a well-qualified CPA is an excellent time to carry out this activity, and it is also an important component of the overall audit. The main consideration is to develop control objectives that include (a) business process controls, (b) ICFR controls, if necessary, and (c) information technology general controls, known as ITGC.
Where to Test: Many service organizations have multiple locations across the country or within a certain geographic area. Because of this, one of the goals of an SSAE 18 SOC 1 readiness assessment is to determine which locations are in scope, what activities are to be conducted for the audit, and how efficiencies can be built into the assessment to minimize travel, ultimately reducing costs.
Policy Materials: If you have been through an audit, any type of audit, then you are well aware of the importance of documentation, specifically information security policies and procedures and other supporting materials. What is interesting to note is that oftentimes the absence of adequate, current, and relevant security and operational policies is the biggest gap identified during an SSAE 18 SOC 1 readiness assessment. The solution is working with NDNB, which provides Colorado businesses an extensive packet of SOC 1 policy documents to help ease the compliance burden.
Break the Compliance Mindset: One of the true rewards for Colorado service organizations undertaking an SSAE 18 SOC 1 readiness assessment with NDNB is that we go well beyond the minimum compliance mandates when providing expert guidance. TRUE security is about protecting your entire landscape regardless of whether you have to undergo an audit, and that is why NDNB is the chosen provider of many businesses throughout the Denver area.