
SSAE 18 SOC 1 Audit Checklist for Atlanta, Georgia Businesses

By NDB
12 July 2018


SSAE 18 SOC 1 Audit Checklist

An SSAE 18 SOC 1 audit checklist is a great tool for helping ensure service organizations in the Atlanta, Georgia area – or anywhere else throughout the country – have a strong technical understanding and working knowledge of the AICPA Service Organization Control (SOC) 1 reporting option. After all, if you’re being mandated to spend thousands of dollars each year on SOC 1 SSAE 18 assessments, it’s probably a really good idea to begin with an in-depth checklist covering all important issues before you begin the actual audit process. Therefore, NDB has provided the following SSAE 18 SOC 1 audit checklist for service organizations.

NDB also offers SOC 1 and SOC 2 audit reports for businesses using Amazon AWS, Microsoft Azure and Google GCP. And if you're using AWS for hosting of your production environment, here's what you need to know NOW about SOC 2 audits.

SSAE 18 SOC 1 Checklist for Atlanta, GA Businesses

Work with SOC 1 Experts: Performing SSAE 18 SOC 1 audits in an efficient, cost-effective manner and producing exceptionally high-quality reports is what NDB does better than anyone else, so trust your compliance needs to the experts. As one of the largest metropolitan areas in North America, Atlanta, GA is a financial and technology hotspot – no question about it – requiring many businesses to undertake annual SSAE 18 SOC 1 – and SOC 2 – assessments, for which NDB offers fixed fees for both services. There’s no denying the regulatory compliance movement – it’s big, strong, and growing larger each year – so now’s the time to hitch your wagon to the compliance experts in the Southeast, and that’s NDB.

Assess the SOC 1 vs. SOC 2 Landscape: There’s much to be said about the SOC 1 vs. SOC 2 audit debate, but just remember that SSAE 18 SOC 1 audits are for service organizations exhibiting a true nexus to the internal controls relating to financial reporting, while SOC 2 is geared towards technology-oriented service organizations. Many service organizations are still performing SSAE 18 SOC 1 audits when they should be performing SOC 2 audits – we’re talking about data centers, managed services providers, SaaS vendors, and others.

 

Keep in mind that SOC 2 is highly geared towards technology companies as its reporting framework – which utilizes the Trust Services Criteria (TSP) is a natural fit for I.T. businesses. Determining which reporting framework is the right one begins by speaking with a competent professional, so contact Chris Nickell, CPA, at 1-800-277-5415, ext. 706, or email him at This email address is being protected from spambots. You need JavaScript enabled to view it. today.

Define the Business Process: What is the SOC 1 audit covering? What people, places, and activities will be involved? Are there client considerations that need to be assessed as part of the business process? These are just a few of the questions to ask yourself when looking to gain greater insight into the actual scope of an SSAE 18 SOC 1 assessment. Many companies offer multiple services and solutions, so it’s important to determine what exactly is to be included in the scope of a report.

Assess ICFR: What’s ICFR? It stands for “Internal Controls over Financial Reporting”, which is essential for purposes of SSAE 18 SOC 1 reporting. Specifically, as a service organization, you’ll need to determine what services you provide that could impact the financial reporting of your clients. Once that’s been identified, you’ll also need to develop and assess the relevant control objectives related to ICFR. Speak with ICFR expert and CPA Chris Nickell at 1-800-277-5415, ext. 705 to learn more, or email him today.

Conduct a Readiness Assessment: Thinking of diving into an SSAE 18 SOC 1 audit before conducting any type of pre-audit assessment? Don’t! A readiness assessment, when properly performed, will help your business identify material issues, weaknesses, and other deficiencies requiring immediate attention for ensuring a successful SSAE 18 SOC 1 assessment. Sure, it means committing more money to the overall audit process, but it is well worth it.

One of the topics that will surface during the SSAE 18 SOC 1 readiness assessment is an asset inventory – specifically, do you have a current, accurate, and complete list of all your information systems? We’re talking about a detailed list that documents the hostname, location, serial/asset tag, and purpose of your network devices, servers – any and all company-owned devices and systems. If not, it’s time to put one together, and for a number of reasons. First, it’s a best practice every company should be following, and second, auditors will request a list of your information systems for purposes of sampling and testing of systems.

Get Ready to Remediate: Keep in mind that no internal control environment is ever perfect – never – which means remediation is often required prior to beginning an actual SSAE 18 SOC 1 audit. As to what areas require remediation, it’s often policies and procedures, along with strengthening of a number of technical controls, such as improving password rules, stronger configuration file settings for firewalls, etc. Remediation can take time, no question about it, and it’s why NDB provides helpful guidance – and other supporting documentation – for ensuring quick resolution of critical remediation issues.

Determine I.T. General Controls and Supporting Control Objectives: While it’s technically the responsibility of the service organization to develop and define the control objectives, it’s often seen as more of a collaborative effort. CPA firms conducting SSAE 18 SOC 1 assessments often have a baseline of pre-determined controls to use for such audits, with the service organizations themselves also providing valuable input. Both general controls and specific business process controls – along with the supporting tests of each control – must ultimately be developed and agreed upon.

ICFR Control Objectives: Remember that the true intent of SSAE 18 SOC 1 reports is for service organizations exhibiting applicability to the “Internal Controls over Financial Reporting” (ICFR) concept. Therefore, such controls should be evaluated as part of one’s annual SSAE 18 SOC 1 assessment, whatever they may be. Ask yourself this question as a service organization: “What functions and services are we performing that could impact the financial reporting of our clients?”

Develop Policies and Procedures: I.T. policies and procedures are quite possibly the most challenging and daunting aspect of SSAE 18 SOC 1 compliance. Surprised? Don’t be, as today’s growing regulatory compliance mandates call for comprehensive policy and procedural documentation – it’s just the world we live in. Change control, data backup, incident response – and more – are all a large part of SOC 1 compliance, thus such areas must be documented accordingly with policies and procedures. NDB has proven experience in developing policy materials, helping save businesses both time and money.

NDB – Georgia’s Leading Provider of Fixed-Fee SOC 1 and SOC 2 Audits

When it comes to SSAE 18 SOC 1 compliance for businesses throughout the Atlanta, GA area, the Southeast – and anywhere around the nation – the proven and trusted experts at NDB are ready and willing to assist. From SSAE 18 SOC 1 readiness assessments to policy writing – and more – we’re your “go to” firm for regulatory compliance. NDB also offers SOC 2, SOC 3, PCI DSS, HIPAA compliance services, and more. Call and speak with CPA Chris Nickell at 1-800-277-5415, ext. 705 to learn more, or email him today.
