
SOC 2 Standard – Type 1 & 2 Overview for Colorado Businesses

By NDB
28 June 2018


Colorado businesses seeking to become SOC 2 compliant will no doubt benefit from a brief, yet in-depth primer on essential subject matter relating to the American Institute of Certified Public Accountants (AICPA) System and Organization Control (SOC) reporting framework. Colorado’s tech sector is growing like never before, ultimately requiring businesses to perform annual compliance audits, such as SOC 2. From Denver to Boulder, Fort Collins to Colorado Springs – and all other surrounding areas – NDB is Colorado’s leading provider of fixed-fee audit services, so take note of the following important points regarding SOC 2 compliance.

NDB also offers SOC 1 and SOC 2 audit reports for businesses using Amazon AWS, Microsoft Azure and Google GCP.  And if you're using AWS for hosting of your production environment, here's what you need to know NOW about SOC 2 audits.


Important Points Regarding SOC 2 Compliance for Colorado Businesses

It’s about Technology: SOC 2 reporting was historically performed under the little-known AT Section 101 attestation standard; since SSAE 18 took effect in 2017 it is performed under the AT-C sections (105 and 205) that replaced it. The standard allows service organizations to undertake a SOC 2 Type 1 assessment (which reports on the design of controls at a point in time) and/or a SOC 2 Type 2 assessment (which also tests operating effectiveness over a review period, commonly six to twelve months) for evaluating their internal controls. Additionally, the SOC 2 reporting standard is heavily geared towards service organizations in the technology arena, such as managed services providers, data centers, software as a service (SaaS) vendors, data analytics firms, and many others.

While the historical SAS 70 audit was a “one size fits all” approach, the AICPA Service Organization Control (SOC) framework provides distinct reporting options (SSAE 18 SOC 1, SOC 2, and SOC 3), and this is without question a much-needed breath of fresh air. With today’s complex business models, you now have three (3) different reporting options, of which SOC 2 is gaining the most recognition.
Trust Services Principles and Criteria (TSP): Please note that updates to the SOC 2 standard include revisions to the Trust Services Principles and Criteria (TSP). For reporting periods on or after December 15, 2014, the 2014 TSP framework is to be used, and its common criteria are organized into the following 7 general areas:

1) Organization and management
2) Communications
3) Risk management and implementation of controls
4) Monitoring of controls
5) Logical and physical access controls
6) System operations, and
7) Change management

Note that the AICPA has since issued the 2017 Trust Services Criteria (TSC), which reorganize the common criteria into series CC1 through CC9 aligned with the COSO 2013 framework; they are required for SOC 2 reports covering periods ending on or after December 15, 2018, so a Type 2 report whose review period ends after that date must be mapped to the 2017 criteria. However, under both versions the SOC 2 standard still incorporates the following five (5) long-standing Trust Services categories (formerly called principles). Management selects which categories are in scope: Security is the baseline in practice, and the other four are added according to the commitments made to customers.

• Security
• Availability
• Processing integrity
• Confidentiality
• Privacy

Start with a SOC 2 Scoping & Readiness Assessment

One of the biggest challenges in undertaking SOC 2 compliance is understanding audit scope, identifying gaps and deficiencies, remediating essential control weaknesses, and more. How do you get a grasp on such issues and confidently move forward with your SOC 2 audit? By performing a much-needed SOC 2 scoping & readiness assessment. No, it’s not another fee added to the audit – not at all – it’s a highly useful exercise for ensuring long-term audit efficiency and cost savings. In fact, we perform SOC 2 scoping & readiness assessments on every new client we engage, even if they’ve had a prior SOC 2 report from another firm.


Remediation is Critical

In today’s world of regulatory compliance – especially SOC 2 auditing – every business has some type of remediation to perform. After all, no company ever has a picture-perfect internal control environment. Because of this, it’s important to (a) know that remediation is common and expected, and (b) know that NDB offers a number of tools and solutions for assisting Colorado businesses with remediation. Perhaps you need documentation in the form of policies. Perhaps you need assistance in sourcing and implementing security tools and solutions. We can help, no question about it. Call Christopher Nickell, CPA, at 1-800-277-5415, ext. 706, or email him today.

SOC 2 Roadmap to Compliance

Knowing the important elements of SOC 2 compliance – specifically, the steps needed for getting your audit done on time and within budget – is critical. Take note of the following SOC 2 roadmap to compliance, courtesy of NDB, Colorado’s leading provider of SOC 1, SOC 2, and SOC 3 audits:

1. Begin with a SOC 2 Scoping & Readiness Assessment: As a service organization, you need to identify the scope (systems, locations, and Trust Services categories), the personnel involved, any gaps and deficiencies within your control environment, and more.
2. Remediation of Documentation: Information security policies and procedures are critical for SOC 2 compliance, so expect to spend time enhancing your InfoSec documentation.
3. Security and Technical Remediation: You may also have to re-configure I.T. systems for ensuring they meet minimum security baselines for audit testing.
4. Operational Remediation: Performing a risk assessment, undertaking security awareness training – and more – are just a few examples of remediation commonly needed for various operational areas.
5. Performing the Audit: Time to bring the auditors in for testing – and only after you’ve successfully remediated all gaps and deficiencies within your control environment. Make sure to communicate with your auditor on issues such as onsite visits, testing expectations, and much more. Again, communication is key.
6. Assessing, Reviewing and Finalizing Results: Once the actual SOC 2 audit is complete, it’s time to review the results of testing, review a draft report from the auditors, and then move forward with your final SOC 2 audit report. Some things to remember: it is perfectly acceptable (the norm, to be honest) to have a few testing exceptions. After all, no organization ever has a picture-perfect control environment, and we mean nobody. Also, for exceptions that are exhibited in the report, service organizations are allowed to give their full comments and explanations on what’s being done to remediate such issues; this management response appears in the report alongside the auditor’s test results, so prospective customers reading the report see both the exception and the remediation plan.
7. Engaging in Continuous Monitoring: Once you’ve successfully completed your annual SOC 2 report, remember that assessing, monitoring, and enhancing your internal controls, a concept known as “Continuous Monitoring,” is absolutely critical. In fact, the continuous monitoring aspect of regulatory compliance is often one of the more challenging and time-consuming tasks, because a Type 2 report tests controls across the whole review period and a control that lapses mid-year shows up as an exception. You need to either assign such tasks to an internal auditor, or outsource these functions to a reputable CPA firm, such as NDB. We’ve been helping Colorado businesses from Denver to Boulder, Fort Collins to Colorado Springs – and all other surrounding areas – with continuous monitoring initiatives, so contact us today to learn more.


NDB. Colorado’s Leading Provider of SOC 2 Services

When it comes to offering fixed-fee, high-quality services, and professionalism second to none, NDB stands above other providers. We’ve been helping Colorado businesses in Denver, Fort Collins, Boulder – and beyond – for years, starting with the original SAS 70 auditing standard in 1992. And while times have definitely changed since then, the same concept holds true for our firm – Trust. Integrity. Audit Knowledge.
To learn more about the SOC 2 standard and to obtain a fixed-fee rate for SOC 2 Type 1 and SOC 2 Type 2 assessments & reporting, call Christopher Nickell, CPA, at 1-800-277-5415, ext. 706, or email him today.
