
SOC 2 Standard – Type 1 & 2 Overview for Colorado Businesses

Colorado businesses seeking to become SOC 2 compliant will no doubt benefit from a brief, yet in-depth primer on essential subject matter relating to the American Institute of Certified Public Accountants (AICPA) System and Organization Control (SOC) reporting framework. Colorado’s tech sector is growing like never before, ultimately requiring businesses to perform annual compliance audits, such as SOC 2. From Denver to Boulder, Fort Collins to Colorado Springs – and all other surrounding areas – NDNB is Colorado’s leading provider of fixed-fee audit services, so take note of the following important points regarding SOC 2 compliance.

NDNB also offers SOC 1 and SOC 2 audit reports for businesses using Amazon AWS, Microsoft Azure and Google GCP. And if you're using AWS for hosting your production environment, here's what you need to know NOW about SOC 2 audits.

Important Points Regarding SOC 2 Compliance for Colorado Businesses

It’s about Technology: The SOC 2 Standard, which actually utilizes the little-known AT 101 professional accounting standard, allows service organizations to undertake a SOC 2 Type 1 and/or SOC 2 Type 2 assessment to evaluate their internal controls. Additionally, the SOC 2 reporting standard is generally heavily geared towards service organizations in the technology arena, such as managed services providers, data centers, software as a service (SaaS) providers, data analytics firms, and many others.

While the historical SAS 70 audit was a “one size fits all” approach, the new AICPA Service Organization Control (SOC) framework provides vastly different reporting options (i.e., SSAE 18 SOC 1, SOC 2, and SOC 3), and this is without question a breath of fresh air, one that was much needed. With today’s complex business models, you now have three (3) different reporting options, of which SOC 2 is gaining much recognition.

Trust Service Criteria (TSP): Please note that recent updates and enhancements to the SOC 2 standard include revisions to the Trust Services Criteria (TSC). More specifically, for reporting periods on or after December 15, 2014, the new TSP framework is to be utilized, which consists of the following 7 general areas:

1) Organization and management
2) Communications
3) Risk management and implementation of controls
4) Monitoring of controls
5) Logical and physical access controls
6) System operations, and
7) Change management

However, the SOC 2 standard still incorporates the following five (5) long-standing Trust Services Criteria (TSC):

• Security
• Availability
• Processing integrity
• Confidentiality
• Privacy

Start with a SOC 2 Scoping & Readiness Assessment

One of the biggest challenges in undertaking SOC 2 compliance is understanding audit scope, identifying gaps and deficiencies, remediating essential control weaknesses, and more. How do you get a grasp on such issues and move forward confidently with your SOC 2 audit? By performing a much-needed SOC 2 scoping & readiness assessment. No, it’s not another fee added to the audit – not at all – it’s a highly useful exercise for ensuring long-term audit efficiency and cost savings. In fact, we perform SOC 2 scoping & readiness assessments for every new client we engage, even if they’ve had a prior SOC 2 report from another firm.

Remediation is Critical

In today’s world of regulatory compliance – especially SOC 2 auditing – every business has some type of remediation to perform. After all, no company ever has a picture-perfect internal control environment. Because of this, it’s important to (A) know that remediation is common and expected, and (B) know that NDNB offers a number of tools and solutions for assisting Colorado businesses with remediation. Perhaps you need documentation in the form of policies. Perhaps you need assistance in sourcing and implementing security tools and solutions. We can help, no question about it. Call Christopher Nickell, CPA, at 1-800-277-5415, ext. 706, or email him today.

SOC 2 Roadmap to Compliance

Knowing the important elements of SOC 2 compliance – specifically, the steps needed for getting your audit done on time and within budget – is critical. Take note of the following SOC 2 roadmap to compliance, courtesy of NDNB, Colorado’s leading provider of SOC 1, SOC 2, and SOC 3 audits:

1. Begin with a SOC 2 Scoping & Readiness Assessment: As a service organization, you need to identify scope, personnel, any gaps and deficiencies within your control environment, and more.
2. Remediation of Documentation: Information security policies and procedures are critical for SOC 2 compliance, so expect to spend time enhancing your InfoSec documentation.
3. Security and Technical Remediation: You may also have to re-configure I.T. systems to ensure they meet minimum security baselines for audit testing.
4. Operational Remediation: Performing a risk assessment, undertaking security awareness training – and more – are just a few examples of remediation commonly needed for various operational areas.
5. Performing the Audit: Time to bring the auditors in for testing – and only after you’ve successfully remediated all gaps and deficiencies within your control environment. Make sure to communicate with your auditor on issues such as onsite visits, testing expectations, and much more. Again, communication is key.
6. Assessing, Reviewing and Finalizing Results: Once the actual SOC 2 audit is complete, it’s time to review the results of testing, review a draft report from the auditors, and then move forward with your final SOC 2 audit report. Some things to remember: It is perfectly acceptable – the norm, to be honest – to have a few testing exceptions. After all, no organization ever has a picture-perfect control environment, and we mean nobody. Also, for exceptions that are exhibited in the report, service organizations are allowed to give their full comments and explanations on what’s being done to remediate such issues.
7. Engaging in Continuous Monitoring: Once you’ve successfully completed your annual SOC 2 report, remember that assessing, monitoring, and enhancing your internal controls – a concept known as “Continuous Monitoring” – is absolutely critical. In fact, the continuous monitoring aspect of regulatory compliance is often one of the more challenging and time-consuming tasks. You need to either assign such tasks to an internal auditor, or outsource these functions to a reputable CPA firm, such as NDNB. We’ve been helping Colorado businesses from Denver to Boulder, Fort Collins to Colorado Springs – and all other surrounding areas – with continuous monitoring initiatives, so contact us today to learn more.

NDNB. Colorado’s Leading Provider of SOC 2 Services

When it comes to offering fixed fees, high-quality services, and professionalism second to none, NDNB stands above other providers. We’ve been helping Colorado businesses in Denver, Fort Collins, Boulder – and beyond – for years, starting with the original SAS 70 auditing standard in 1992. And while times have definitely changed since then, the same concept holds true for our firm – Trust. Integrity. Audit Knowledge.

To learn more about the SOC 2 standard and to obtain a fixed fee rate for SOC 2 Type 1 and SOC 2 Type 2 assessments & reporting, call Christopher Nickell, CPA, at 1-800-277-5415, ext. 706, or email him today.
