NDB offers SOC 1 SSAE 18 Type 1 and Type 2 audit reports on a fixed-fee basis to Texas businesses located in Austin, Houston, Dallas, San Antonio, and other surrounding regions. Been bit by the regulatory compliance bug and need to produce an annual SOC 1 SSAE 18 report? NDB can help, as we’re Texas’ cloud compliance experts with years of experience working with businesses all throughout Austin, Dallas, Houston, and San Antonio.
SOC 1 SSAE 18 Services for Texas Businesses
NDB offers the following SOC 1 SSAE 18 services to Texas businesses in Austin, Dallas, Houston, San Antonio, and other surrounding locations:
Readiness & Gap Assessments: If you’re new to the world of cloud computing and SOC 1 SSAE 18 compliance – then starting with a readiness & gap assessment is highly recommended. There are numerous benefits to be had in performing a SOC 1 SSAE 18 readiness & gap assessment, such as the following:
- Properly assess and confirm scoping parameters regarding business processes, information systems, people, third-party providers, physical locations, and more.
- Properly identifying the ICFR concept – “Internal Controls over Financial Reporting” – for service organizations that need to report on such controls. Simply stated, if YOU, as a service organization, are performing certain financial activities (i.e., calculations, etc.) that can impact the financial reporting of YOUR clients, then the ICFR concept must be addressed within the scope of a SOC 1 SSAE 18 audit.
- Identifying control gaps and deficiencies and the necessary steps to take in correcting them. Note that most remediation activities fall under two (2) critical areas: documentation (i.e., information security policies and procedures) and security/technical remediation (i.e., acquiring and implementing various security tools and solutions, etc.)
- Putting in place a plan-of-action for ensuring all scoping issues are confirmed and agreed upon, remediation activities are identified and being resolved, while also developing dates for various audit deliverables.
Determination of ICFR Scope: As just discussed, if you’re undergoing a SOC 1 SSAE 18 assessment, then identifying ICFR – “Internal Controls over Financial Reporting” – is absolutely critical to the audit. Points to consider for ICFR are the following:
- What exactly is our business function and how does it impact our clients, from a financial perspective?
- What services do we perform that actually result in the impact of our client’s financial reporting?
- What calculations, financial reporting activities, and other related activities, are performed by us that can impact our client’s financial reporting?
Remember, for a SOC 1 SSAE 18 audit to be considered comprehensive in terms of scope, you’ll need to assess, inspect, and ultimately test (for a Type 2 audit) the relevant ICFR element of your control environment. NDB can assist in helping to develop all your ITGC controls, so call CPA Christopher Nickell at 1-888-447-2209, ext. 701 to learn more.
Determination of Information Technology General Controls (ITGC): You’ll also need to assess your Information Technology General Controls, more commonly known as ITGC. While auditors differ in terms of the exact ITGC scope, it generally revolves around the following core information security domains:
- Access Control
- Change Control/Change Management
- Configuration Management
- Data Backup and Recovery
- Incident Response
- Business Continuity/Disaster Recovery/Contingency Planning
Again, these are just examples of commonly tested ITGC domains. Some auditors may choose more, some may choose less. Regardless, you’ll want to have documented policies and procedures in place for your security domains. This is something that service organizations undergoing SOC 1 SSAE 18 struggle with; luckily, NDB can assist, as we offer a SOC 1 Compliance Toolkit available for instant download. But remember, policies are meaningless without processes and procedures in place. “Talk is cheap” – as the old saying goes – is a phrase that can definitely be applied to the world of regulatory compliance.
Bottom line: put in place policies and procedures, and then make sure you’re actually doing what they say.
Determination of Amazon Tools and Features to be Utilized: There is a lengthy list of tools and features that can be – and often, need to be – enabled for helping put in place necessary auditing functionalities, security best practices, and more. Consider the following security tools and solutions as necessary in today’s world of regulatory compliance:
- Two-factor authentication
- File Integrity Monitoring (FIM)
- Audit trails and audit logging
- Vulnerability scanning solutions (both internal and external)
- Intrusion Detection Systems (IDS)
Policy Documentation Remediation: Authoring information security policies and procedures is a process most organizations loathe, and understandably so. After all, who wants to spend dozens upon dozens of hours writing information security policy and procedural documents? Not you, so do what thousands of businesses all throughout North America – and the world – do, and that’s rely on NDB's industry leading policy toolkits and templates.
We’re talking about world-class documentation available for instant download, and we’ve even developed a SOC 1 Compliance Toolkit – an incredibly in-depth, comprehensive set of information security, operational, and organizational policies, procedures, forms, and other supporting templates for today's demanding businesses.
Security and Technical Remediation: While documentation is incredibly important for SOC 1 compliance, don’t forget about the need for security and technical remediation. Oftentimes, organizations will need to re-configure network systems, enhance access control rules, and much more. NDB can assist with all efforts, as we have capable I.T. and audit staff on board.
Operational Remediation: If you’re operating in the Amazon AWS cloud, then there are a number of what we call “operational initiatives” you’ll need to be aware of. Specifically, these are tasks deemed essential to one’s SOC 1 SSAE 18 audit, and they include the following:
- Performing an annual risk assessment: SOC 1 SSAE 18 (and also SOC 2) audits require that organizations perform an annual risk assessment for gaining a stronger understanding of the relevant risks they face in relation to a wide range of actual risk factors. From information security risks to market risks, and more, there’s an almost endless list of risks that organizations can assess.
However, businesses operating in the Amazon AWS cloud should focus primarily on information security risks, thus a comprehensive risk assessment program, one complete with forms and templates, is essential. NDB offers a wide range of risk assessment programs.
- Implementing security awareness training: Having employees – and all other in-scope personnel – aware of their roles and responsibilities within an organization is absolutely critical in today’s growing world of cybersecurity threats. Being “in the know” in terms of InfoSec best practices is ultimately what helps ensure the safety and security of organizational assets, no question about it. NDB offers comprehensive security awareness training programs consisting of an in-depth training manual developed by security and compliance experts with years of experience.
- Putting in place necessary incident response measures: Amazon AWS has various incident response measures they invoke for helping protect your data and platform, but it’s not a completely one-sided approach; you as a business operating in the cloud still have roles and responsibilities.
What businesses need to do is document their incident response policies, procedures, and processes in a manner that aligns with Amazon AWS’ incident response measures.
- Monitoring third-party access to your Amazon AWS environment
SOC 1 SSAE 18 Type 1 Reports: Reporting on controls in operation – without any testing of operating effectiveness – is essentially a SOC 1 SSAE 18 Type 1 report. Many organizations new to the world of regulatory compliance – especially SOC 1 SSAE 18 reporting – begin the audit process with an actual Type 1 report. And why? Because laying the groundwork for internal controls – your security, technical, and operational policies, procedures, and processes – can take time, can be a challenging process, and it’s why a Type 1 report (which is less demanding than a Type 2 report) is the best place to start.
SOC 1 SSAE 18 Type 2 Reports: Reporting on controls in operation AND tests of operating effectiveness – is essentially a SOC 1 SSAE 18 Type 2 report. Most organizations do NOT start with a Type 2 audit as they can be demanding because they require a prescribed test period, usually six (6) months. This means that auditors will be testing controls via sampling of various control areas for the six (6) month period. From testing of change management tickets to hiring and termination of employees, data backups, and more, the SOC 1 SSAE 18 Type 2 audit process is a big step up from the introductory Type 1 audits, so please keep this in mind.
Are you in the Cloud? We’re AWS, Azure, and Google Experts!
Tens of thousands of businesses have made the switch to cloud computing, with many of them migrating to Amazon AWS, and understandably so as the actual Amazon AWS platform is the recognized leader in many areas of cloud computing. We also offer Google GCP and Azure auditing expertise for SOC compliance.
While a large majority of businesses that utilize Amazon’s AWS services are likely to be in the technology space – thus resulting in SOC 2 audit reports being performed on them – a fair number of businesses are no doubt performing duties related to the ICFR concept – “Internal Controls over Financial Reporting”. This ultimately requires SOC 1 SSAE 18 compliance reporting.
NDB: Texas’s SOC 1 SSAE 18 Leaders
When it comes to fixed-fee pricing, high-quality audit services and attention to detail, NDB is the unquestioned leader for SOC 1 SSAE 18 audits. Contact us today to learn more about our proven services and solutions. We’ve been helping businesses all throughout Austin, Dallas, Houston, San Antonio – and other surrounding areas – for years, and we’re ready to help your business succeed. Compliance can be complex, time-consuming, and expensive, but not with NDB.