NDNB Accountants & Consultants (NDNB) offers industry leading SOC 2 reports for Canada service organizations seeking to comply with the AICPA Service Organization Control (SOC) reporting framework. In joint collaboration with the Chartered Accountants of Canada (CICA), the American Institute of Certified Public Accountants (AICPA) developed the Trust Services Principles, which are an integral component of SOC 2 reports. More specifically, the TSP’s are criteria based provisions that consist of the following:
The security of a service organization's system.The availability of a service organization's system.The processing integrity of a service organization's system.The confidentiality of the information that the service organization's system processes or maintains for user entities.The privacy of personal information that the service organization collects, uses, retains, discloses, and disposes of for user entities.
Moreover, included within the TSP’s are the following 7 areas:
Organization and managementCommunicationsRisk management and implementation of controlsMonitoring of controlsLogical and physical access controlsSystem operations, andChange management
So take note of the following important points regarding SOC 2 reports in Canada, brought to you by NDNB Accountants & Consultants – North America’s leading providers of SOC 2 compliance reporting:
Understand Scope. There are essentially two (2) important scope considerations to think about regarding SOC 2 reports. First, what specific business processes and/or business platform will your company be including within the actual SOC 2 assessment. Second, which of the five Trust Services Principles will you include within your SOC 2 assessment – one, a few, or all of them? This can be somewhat confusing at first, but give Chris Nickell, CPA, a call at 1-800-277-5415, ext. 706, and he’ll be glad to clarify and help you better understand these two important scope issues.SOC 2 is vastly different than SOC 1. Though they are often clumped together as similar audits, there are considerable differences, the most important being that SOC 1 (which utilizes the SSAE 16 reporting standard) is generally geared towards internal controls over financial reporting (ICFR concept), while SOC 2 is primarily aimed at technology oriented service organizations (i.e., data centers, managed services providers, SaaS models, etc.).There are two (2) types of SOC 2 reports. Service organizations can obtain a SOC 2 Type 1 and/or a SOC 2 Type 2. So what’s the difference? A SOC 2 Type 1 is for reporting a service organizations’ controls for a “point in time”, a specific date, that is. As for a SOC 2 Type 2, it reports on a service organizations for a state time period, usually a six (6) month period. Most organizations new to SOC 2 reporting in Canada undertake a SOC 2 Type 1 the first year, followed by SOC 2 Type 2 reporting in subsequent years.Welcome to Regulatory Compliance. Once you begin the process of an initial SOC 2 report, it really becomes an annual process, so say hello to the world of regulatory compliance. It means finding a high-quality CPA firm to work with, one that offers a fixed-fee engagement for a multi-year commitment. After all, changing auditors year after year makes no sense at all, so call Chris Nickell, CPA at 1-800-277-5415, ext. 706, or email him at
This email address is being protected from spambots. You need JavaScript enabled to view it..
Follow