NDB is California’s leading provider of SSAE 18 SOC 1, SOC 2, and SOC 3 compliance services, offering fixed-fee pricing along with additional supporting services that help businesses complete their annual assessment on time and within budget. From scoping and readiness assessments to policy writing, assistance with technical remediation, and more, we’re a household name in California.
California businesses new to SSAE 18 SOC 1 compliance would be well served by using NDB’s industry-leading checklist for ensuring audit success from day one. SOC audits, be they SOC 1, SOC 2, or even SOC 3, can be challenging and time-consuming, making proper planning and preparation incredibly important, as thousands of dollars are potentially at stake with SSAE 18 audits. Understanding what SSAE 18 SOC 1 really is, which pitfalls and roadblocks to avoid, and other essential issues is why NDB developed the following SSAE 18 SOC 1 audit checklist for California businesses:
1. Find a Competent CPA Firm to Work With: There are hundreds of firms throughout North America providing SSAE 18 SOC 1 services, and many do a commendable job, but look to a firm that has been a leader in regulatory compliance services for more than a decade, and that’s NDB. With fixed-fee pricing, complimentary policy templates, expert audit judgement, and more, NDB is California’s “go to” CPA firm for SSAE 18 SOC 1 services, along with SOC 2 and SOC 3 reporting and even PCI DSS compliance.
2. Assess the SOC 1 vs. SOC 2 Landscape: So, which is the right assessment for your business, SSAE 18 SOC 1 or SOC 2? Good question. For an ounce of clarity, remember that SOC 2 audits are performed on technology companies, while SOC 1 audits are more financially driven. Specifically, data centers, SaaS vendors, and others in the technology space are excellent SOC 2 candidates, while SOC 1 assessments are for service organizations providing services that impact their clients’ financials. There are clear differences between SOC 1 and SOC 2, so talk to Christopher Nickell, CPA, at 1-800-277-5415, ext. 706 to learn more about the SOC 1 vs. SOC 2 debate.
3. Define the Business Process: Determining scope for an SSAE 18 SOC 1 report ultimately means deciding which specific organizational and business processes are going to be included within the scope of the report. Is it the entire business or just a subset of it? This is ultimately determined by client needs, market drivers, and other internal and external factors. Determining the business process is without question the biggest scope issue to conquer.
4. ICFR Component: Interestingly, many service organizations undertaking annual SSAE 18 SOC 1 audits are unaware of the ICFR component, which stands for “Internal Controls over Financial Reporting”. Simply stated, if your business performs critical functions that have the ability to impact your clients’ financial reporting, then such controls should be examined for purposes of SSAE 18 SOC 1 reporting. Talk to the experts at NDB about the merits of ICFR by calling Christopher Nickell, CPA, at 1-800-277-5415, ext. 706, today.
5. Conduct a Readiness Assessment: Want a surefire way to have a highly successful SSAE 18 SOC 1 assessment from day one? Then conduct a readiness assessment with NDB. Why? Because NDB’s SSAE 18 SOC 1 readiness assessment proactively identifies internal control issues and failures prior to the actual audit, allowing you to correct them in advance, ultimately saving time and money while hopefully obtaining a “clean” report, one void of audit exceptions.
6. Correcting Deficiencies: Businesses are generally very good at what they do, but oftentimes lack the documentation that expresses and validates their daily operations, hence remediating critical policies and procedures becomes essential. This can be a time-consuming process, but thankfully NDB offers a SOC 1 Policy Packet complete with dozens of essential I.T. policies and other necessary forms. “Going it alone” on remediation can be incredibly challenging, but at NDB we’ve got you covered on what is one of the most time-consuming elements of SSAE 18 SOC 1 compliance.
7. Develop an Asset Inventory List: An important component of today’s regulatory compliance mandates is having a complete and accurate asset inventory list in place; specifically, a document or some type of repository that details all of your information systems. From network devices to servers, laptops, and any other systems, it’s important to have a solid understanding of such devices. Not only is it a best practice, but auditors often request a full asset inventory list to help determine population and sampling for SOC 2 assessments. Think about it: how can you protect your I.T. landscape if you don’t even know what systems are in place?
8. Determine I.T. General Controls and Supporting Control Objectives: A critical component of SSAE 18 SOC 1 compliance is assessing and testing against the control objectives that the service organization is ultimately responsible for developing. Look upon the development of the control objectives as a mutual process between the CPA firm and the service organization.
9. Documentation: Question: What is the most often overlooked, yet potentially the most tedious, mandate for SSAE 18 SOC 1 audits? Answer: policies and procedures. In a world of growing regulations and industry mandates, policy documentation stands tall as one of the largest and most demanding mandates for not only SOC 1 and SOC 2 compliance, but also HIPAA, PCI DSS, FISMA, and much more. What you need are easy-to-use, high-quality templates, and NDB provides such material to all our valued California clients.
Need an Audit? Call the SOC 1 and SOC 2 Experts at NDB today.