Looking for a straightforward approach to, and understanding of, SOC 1 SSAE 18 compliance for Austin, Dallas, Houston, and San Antonio, Texas businesses? Then it’s truly important to source a firm with years of experience performing regulatory compliance assessments. After all, annual SOC 1 SSAE 18 compliance is the new norm, so doesn’t it just make sense to build a long-term relationship with a firm you can trust?
Texas Compliance, LLC is the recognized leader for SOC 1, SOC 2, and SOC 3 audits for Texas, as we’ve performed hundreds of compliance assessments over the last decade, and have an incredibly strong presence in Austin, Dallas, Houston, and San Antonio, Texas.
SOC 1 SSAE 18 Checklist for Texas Businesses
A checklist is without question one of the best items any business can have when undergoing an annual SOC 1 SSAE 18 assessment. With so many complexities and moving parts involved, it’s important not to leave anything behind as you travel down the road of regulatory compliance. Take note of the following initiatives to help ensure an efficient audit process from day one.
1. Assess the SOC 1 vs. SOC 2 Landscape: Which assessment is right for your business – SOC 1 SSAE 18 or SOC 2? This is a question we often receive, so let’s provide some guidance. SOC 1 SSAE 18 assessments should be performed on service organizations whose services have a nexus with their clients’ Internal Control over Financial Reporting (ICFR). Specifically, if you perform services that can impact your client’s financial reporting, then SOC 1 SSAE 18 is the right choice. However, if you’re a technology-driven business – data centers, software developers, data analytics providers, and others – then SOC 2 is the preferred choice, no question about it.
2. Define the Business Process: Remember that “audit scope” is an important cost and time factor when conducting SOC 1 SSAE 18 assessments, so it’s critical to clearly identify which business functions, people, and locations are to be included in the assessment. As a service organization, are you assessing your entire environment or just a subset of your business, and which personnel will work with the auditors to retrieve and provide audit evidence?
3. Conduct a Readiness Assessment: Getting a health checkup on your internal control environment PRIOR to a SOC 1 SSAE 18 audit is a best practice, and also crucial to improving your chances of receiving a clean, “unqualified” audit opinion. From policies and procedures to critical information system processing functions, Texas Compliance, LLC’s readiness assessment will properly identify audit scope, while also determining what challenges and issues exist – if any – within your internal control environment. The ability to detect – and correct – all issues before the audit begins is the single most important reason why a SOC 1 SSAE 18 readiness assessment should be performed.
As part of the SOC 1 SSAE 18 readiness assessment, the topic of an “asset inventory,” or listing of information systems, will no doubt surface. More specifically, auditors will request the full details of your I.T. systems: their hostnames, where they are located, their purpose, etc. If you don’t have such a list in place, now’s the time to begin putting one together, and we provide a free asset inventory list spreadsheet to our clients. An asset inventory list is therefore necessary for two (2) reasons: it helps auditors assess scope and choose systems for audit sampling, and it helps businesses keep track of their systems.
4. Get Ready to Remediate: No company has a perfect internal control environment, which means some degree of remediation should be considered acceptable – from developing missing documentation to enhancing system settings, as just a few examples. Remediation is a vital component of SOC 1 SSAE 18 compliance, as it helps set in motion all necessary policies, procedures, and applicable processes for the actual assessment itself. The degree of remediation needed will largely depend on the maturity of your control environment; it can therefore range from marginal to extensive.
5. Policy Remediation: Without question the largest – and often most time-consuming – component of remediation is developing all required policies and procedures, such as I.T. policies and any other specific documents. It can be time-consuming, which is why Texas Compliance, LLC provides InfoSec policy documentation to help save hundreds of hours and thousands of dollars on SOC 1 SSAE 18 compliance for Texas businesses.
6. Technical and I.T. Remediation: You’ll often find that firewall rules need to be modified, access controls need to be stronger, and incident response measures need to be more comprehensive – just a few examples of the technical remediation you may run into. While SOC 1 SSAE 18 is a financially driven assessment, a large part of the audit is fundamentally technology driven, so keep this in mind. Texas Compliance, LLC offers comprehensive provisioning and hardening forms and checklists for all major I.T. platforms – documentation that is essential when properly provisioning and deploying systems onto a network.
7. Determine I.T. General Controls and Supporting Control Objectives: ITGC (Information Technology General Controls) are the technology areas that will be included in a SOC 1 SSAE 18 audit, and they often consist of the following:
- Change Management | Change Control
- Logical Access and other Access Control Parameters
- Network Security
- Data Backup | Incident Response | System Maintenance
These are just a few examples of the core areas considered in scope for ITGC when it comes to SOC 1 SSAE 18 compliance. Remember that the control objectives are “technically” developed by the service organization, but in all honesty, it’s a collaborative effort between the CPA firm conducting the assessment and the service organization.
Texas’ Leading Provider of Fixed-Fee SSAE 16 SOC 1 Audits