Which Compliance Audit is Right for Me?

When it comes to compliance audits, one should never follow the “one-size-fits-all” mentality. The type of audit you need often depends on your organization’s industry, specific client requests or type of data stored. With this in mind, we’ve broken down the basics of our top compliance audits in an effort to help you identify the most fitting audit for your organization.


A SOC 1 (Systems and Organization Controls) Examination is performed for companies that impact financial reporting. The companies that receive a SOC 1 report are service providers or businesses that provide a service that either directly handles financial transactions or could indirectly impact financial transactions or the general ledger statements for the company it serves—otherwise known as an end-user.

There are two types of a SOC 1 report:

SOC 1 Type 1: A SOC 1 Type 1 report tests whether your controls are designed appropriately to achieve control objectives at a specific date in time.

SOC 1 Type 2: A SOC 1 Type 2 report tests not only whether your controls are designed appropriately to achieve control objectives, but also whether they operated effectively over a period of time.

By providing either type of a SOC 1 report to your clients, you provide assurance that your controls and their financial data are secure.

SOC 1 Might Be Right for Your Organization If:

  • You process, transmit or store financial information or financial transactions, including payroll processing services, infrastructure as a services (IaaS), loan servicing or software-as-a-service (SaaS)
  • You do business with banks or financial institution
  • You manage data related to financial processes or transactions
  • You want to build trust related to processes that could impact financial reporting with current and prospective clients

Learn more: The SOC 1 Examination Process


A SOC 2 audit is completed for companies that impact security. The companies that receive a SOC 2 compliance audit are service providers or businesses that manage data, information, or hardware/software.

SOC 2 examinations are based on the defined principles and criteria published by the American Institute of Certified Public Accountants (AICPA). The purpose of a SOC 2 report is to provide a wide range of system users with control information and is intended for the internal management team and specific third-parties who need to be informed of the security and information systems of the service organization.

SOC 2 Might Be Right for Your Organization If:

  • You use technology or process data
  • You manage data for US-based companies
  • You’re looking to improve your organization’s overall security program
  • You want to increase the valuation of your organization
  • Accelerating business and market growth is on your organization’s agenda
  • You want to demonstrate your organization’s commitment to security

Download now: SOC 2 Report Types

ISO 27001

ISO 27001 is the best-known standard for providing requirements for an information security management system (ISMS). An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process. It can help small, medium and large businesses in any sector keep information assets secure. Essentially, ISO 27001 is a general security management standard that shows that a company has implemented and maintains a strong security system.

ISO 27001 Might Be Right for Your Organization If:

  • Your key clients operate in a global or international market
  • You are trying to proactively complete your first security audit
  • You want to increase your organization’s reliability and security of systems and information
  • Improving customer and business partner confidence is a goal for your organization
  • Your organization wants to improve its management processes


The HITRUST Common Security Framework (CSF) is a healthcare certification that often supersedes HIPAA. It is a robust and scalable framework for managing regulatory compliance and risk management of organizations and their business associates.  This certification is recognized, used and required by the biggest insurance carriers in the healthcare industry. While originally designed specifically for the healthcare industry, the HITRUST framework has since been adopted by organizations of all sizes across all industries due to its ability to unify multiple recognized frameworks and regulatory requirements, including:

  • ISO
  • NIST
  • GDPR

HITRUST Might Be Right for Your Organization If:

  • You manage healthcare data, specifically electronic protected health information (ePHI)
  • You manage any data related to business associates or covered entities—or you are a covered entity
  • You’re already compliant with HIPAA or trying to become compliant with HIPAA


The Payment Card Industry Data Security Standard (PCI DSS) was created for organizations that process, store or transmit credit card data. Obtaining a PCI DSS Report on Compliance (ROC) and Attestation of Compliance (AOC) shows your organization’s compliance with payment data security.

PCI DSS Might Be Right for Your Organization If:

  • You are a merchant processing transactions in high volume
  • You store, transmit or process credit card data as a service provider or as a service
  • You store, transmit or process cardholder data (CD)–any personally identifiable information (PII) associated with a person who has a credit or debit card—such as:
    • Cardholder name
    • Expiration date
    • Service code
    • Primary account number (PAN)

Even if your organization only stores one aspect of cardholder data, compliance with PCI DSS is required.

Penetration Tests

Penetration tests are designed to test the information security of the technologies and systems in place at your organization. By simulating attacks from hackers, penetration tests can help your organization identify key vulnerabilities before the bad guys do and achieve compliance. A-LIGN offers a full suite of penetration tests, including:

  • Vulnerability scanning, for both internal and external networks
  • Automated penetration testing
  • Penetration testing with either a manual or human operator
  • Web application testing
  • Mobile application testing
  • API testing
  • Social engineering tests
    • Phishing
    • Vishing
    • Wireless
    • Physical

A Penetration Test Might Be Right for Your Organization If:

  • You are required to complete these tests by your clients
  • You need to pass an audit like PCI DSS, HITRUST, FISMA (NIST), FedRAMP
  • You just made significant changes to your organization’s application
  • You are confirming a new Software Development Life Cycle (SDLC) process
  • You have suffered a breach
  • You are fearful of suffering a breach

Getting Started

Ready to start the compliance audit process? We have you covered. Our team of expert assessors understand the frameworks to help you through every step of the compliance audit process. Not to be outdone, our customer service is industry-renowned for its ability to make auditing a stress-free experience for our clients. With our knowledge, experience and skills, we are ready to help your company achieve whichever certification you require.

Interested in learning more about compliance audits and how to choose the right one for your organization? Contact A-LIGN at 1-888-702-5446 to speak with one of our compliance audit professionals.