ISO/IEC 27001 Stage 1 Audit: Preparation

Completing Stage 1 of ISO/IEC 27001 is all about preparation. The process evaluates whether your Information Security Management System (ISMS) is documented and structured in alignment with ISO/IEC 27001 standards including policies, procedures, and the scope of your controls.

Clients can use this audit to understand their current situation and where improvements are needed before proceeding. This stage is critical for documenting and laying the groundwork for the ISMS to be integrated into real-life scenarios.

Before Stage 2 of Your ISO/IEC 27001: ISMS Implementation and Addressing the Gaps From Stage 1

After Stage 1, the priority is preparing for Stage 2 by ensuring the ISMS is fully implemented following ISO/IEC 27001 requirements. Any issues identified in Stage 1 must be addressed before proceeding. The focus now shifts from documentation to operational execution.

Key next steps include:

  • Conducting a gap analysis of any areas yet to be implemented
  • Prioritizing improvements and ensuring all Stage 1 areas of concern are remediated
  • Assigning responsibilities and timelines

These actions help pave the way for a smooth Stage 2 audit.

What to Expect in the Stage 2 Audit

Stage 1 concerns constructing a strong foundation for the ISMS. Stage 2 evaluates the effectiveness of the implementation, which is why the ISMS must be fully implemented beforehand. Auditors examine how your organization applies its policies and whether your controls are effective and implemented within the set standards.

This involves interviews with ISMS stakeholders, testing the ISMS against the ISO/IEC 27001 requirements, and evaluating all applicable Annex A controls to ensure they are appropriately justified for inclusion or exclusion, and implemented accordingly.

Risk Management and Assessment

ISO/IEC 27001 places a strong emphasis on risk assessment. During Stage 2, auditors will review how your organization identifies, evaluates, and responds to risks. You’ll want to:

  • Revisit and refine your risk assessment process
  • Document any changes to your risk landscape
  • Show how your risk strategies align with current threats

A thoughtful and proactive approach to risk demonstrates your commitment to protecting information assets.

Implementation of Controls

In Stage 1, you presented your Statement of Applicability outlining which Annex A controls you’ve deemed relevant. For Stage 2, those controls must be implemented and supported by evidence. Ensure your documentation shows how these controls are applied and maintained across your organization.

Training and Employee Awareness

Your ISMS is not just guidelines for the IT team; it is everyone’s responsibility. A well-informed team is vital to the success of your ISMS. Auditors will want to see that employees understand their role in maintaining security.

  • Everyone needs to understand the basics: how to spot a phishing email, or what to do if there is a vulnerability in security measures.
  • You can either provide comprehensive information security training or launch awareness campaigns on policies and incident reporting.

These initiatives help embed security into your organizational culture.

Internal Audit

Internal audits are a key tool for continuous improvement because they allow you to uncover and resolve issues before the external audit.

Ensure your internal audit program is:

  • Objective, thorough, and regularly scheduled
  • Well documented with clear evidence of findings
  • Supported by timely corrective actions and lessons learned

How Do I Know I’m Ready for Stage 2?

There’s no set timeframe between Stage 1 and Stage 2. The only requirement in that regard is that you’ve completed one full cycle of your ISMS and have implemented the applicable controls.

You’re ready for the ISO/IEC 27001 Stage 2 audit if you can demonstrate:

  • Successful remediation of all Stage 1 areas of concern
  • Implementation of each ISMS process
  • Evidence of all applicable Annex A controls
  • Ongoing risk assessment and internal audit activity
  • Staff training and awareness

Stage 2 is your opportunity to prove that your ISMS is not only well-designed but also effectively integrated into daily operations. Beyond certification, this process helps build a culture of security and trust—a culture that protects your business and supports long-term success.

Have questions about getting ready for Stage 2? We’re here to help.

Understanding the Different ISO Standards

With over 22,000 ISO standards in existence, it’s easy to feel overwhelmed by the alphanumeric combinations. However, for organizations focused on cybersecurity, privacy, and responsible AI, just a handful of ISO standards truly matter. Here’s a simplified look at the key frameworks and how they build on one another.

Putting the Information Security (IS) in ISO

At Sensiba, we focus on the following information security-related ISO Standards:

  • ISO/IEC 27001: Information Security Management System
  • ISO/IEC 27017: Information Security Controls (based on ISO/IEC 27001 for Cloud Services)
  • ISO/IEC 27018: Code of Practice for Protection of Personally Identifiable Information (PII) in Public Clouds acting as PII Processors
  • ISO/IEC 27701: Privacy Information Management System (PIMS)
  • ISO/IEC 42001: Artificial Intelligence Management System

Why an ISO Suburb?

Traditionally, ISO standards are hard to digest. We’ve found the best way to break them down is to consider each standard as its own house that you can extend, subdivide, or build next to. Some standards listed above can be considered stand-alone homes, while others are extensions of existing homes.

Sensiba ISO Suburb

Let’s take a look around each house!

ISO/IEC 27001

General Overview:

  • Considered one of the most recognized Information Security Standards globally.
  • Consists of criteria (Main Requirements) and a list of common information security controls (Annex A) that exist to guide your organization in implementing an Information Security Management System (ISMS) and mitigating common information security risks.

Compliance:

  • Implement all Main Requirements.
  • Determine which of the Annex A controls apply to your organization (e.g., controls required to mitigate identified risks).
  • Don’t set it and forget it, rinse and repeat! Your ISMS is now a living, breathing household you worked hard to build; maintain it to ensure you reap the benefits.

What if my house has an existing framework (e.g., SOC 2)? Can I still build an ISMS?

  • You sure can, and you can utilize some of the existing framework!
  • The ISO/IEC 27001 criteria are more rigid than you may have experienced with SOC 2, but with a bit of refurbishment, they will all work in unison!
  • The Annex A controls and typical SOC 2 controls are like Scandinavian design and minimalism: a match made in heaven!

Does my house need ISO/IEC 27017 and ISO/IEC 27018? If so, what will happen if I add them?

  • Those standards are an additional set of Annex A controls pertaining to cloud service providers (ISO/IEC 27017) and cloud service providers acting as PII processors (ISO/IEC 27018).
  • Add the applicable ISO/IEC 27017 and/or 27018 controls to your existing ISO/IEC 27001 Annex A controls, and you’re done. Just like that, your ISO/IEC 27001 house has a new addition!

ISO 27701: Privacy Information Management System

General Overview:

  • While it is an extension of ISO/IEC 27001, ISO/IEC 27701 has its own set of criteria to guide an organization in building and maintaining a Privacy Information Management System (PIMS).

Compliance:

  • Implement all Main Requirements.
  • Determine which of the Annex A controls apply to your organization (e.g., controls required to mitigate identified risks).
  • Don’t set it and forget it; be sure to maintain your PIMS.

Does my PIMS have to be a standalone home, or can it be part of my ISMS?

  • Consider it a duplex; there will be some adjoining walls (both sets of criteria have the same structure and flow). However, one is focused on Information Security, and the other on Privacy Information, so ensuring your processes cover both clearly is vital. The last thing you want to do is combine them and have one fall by the wayside.

PIMS, GDPR, HIPAA… A lot of letters, can any of them be mashed together?

  • In essence, privacy controls are privacy controls. If you were to do a multi-standard audit with Sensiba, you would find plenty of overlap across the SOC 2 Privacy Trust Service Criteria, HIPAA, GDPR, CCPA, and ISO/IEC 27701, as well as similar expectations within policies, procedures, and activities.
  • Many of these frameworks share foundational privacy principles, such as data minimization, access controls, incident response, and user consent, which means a single control or policy can often fulfill requirements across multiple standards.

ISO/IEC 42001: AI Management System

General Overview:

  • The new kid on the block. The architects looked at your brick houses or your concrete houses and decided to bring along a 3D printer and print out a brand-new AI-generated house.
  • It provides a structured framework for organizations to manage the risks and responsibilities associated with developing, deploying, or using AI systems.
  • Criteria and controls are designed to create a management system for the use of AI.

Compliance:

  • Implement all Main Requirements.
  • Determine which of the Annex A controls are applicable for your organization (e.g., controls required to mitigate identified risks).
  • Don’t set it and forget it, rinse and repeat!

Does my AI Management System have to be a standalone home, or can it be part of my ISMS?

  • As before with ISO 27701 and PIMS, consider it a duplex, with one half focused on Information Security and the other on the use of AI.

So… How Do These Audits Actually Work?

Like any new build, getting started can often be confusing. That is why we are here to help navigate your journey. If you’re ready to start building your ISO dream home, contact us today.

Why Start Preparing Now for Your Next B Corp Recertification

Certified B Corporations know earning the certification is not a one-time finish line; it’s an ongoing commitment to improvement. With B Lab rolling out the most significant update to B Corp Certification standards in nearly two decades on April 8, 2025, companies due for recertification in the next year or two face a game-changing opportunity.

Starting your recertification journey now, well ahead of your submission date, can pay dividends. From staying aligned with global sustainability standards to gaining a marketing edge and making the process painless, the value proposition is clear.

The New B Corp Standards

B Lab’s updated standards were designed to raise the bar for responsible business by providing clearer and more consistent expectations. Historically, B Corps needed to score 80 points on a flexible assessment, allowing for various paths to certification.

Now, the new framework sets defined performance requirements across critical impact areas. Every company must meet foundational requirements, such as stakeholder governance and legal accountability, and take action on seven core Impact Topics such as climate action, fair work, and justice, equity, diversity, and inclusion.

These changes ensure certified B Corps are walking the talk, tackling the world’s most urgent social and environmental challenges with structure and intention. For example, companies must develop climate action plans aligned with the 1.5°C global goal and conduct human rights due diligence aligned with the UN Guiding Principles.

B Lab is also introducing a continuous improvement model that requires a company to meet Year 0 requirements upon recertification and to show progress at Year 3 and Year 5. The model helps companies build a more dynamic and forward-looking path to impact that is more trustworthy and resilient.

In addition to being about performance, the new B Corp standards are also about staying relevant by aligning with global expectations, frameworks, and regulations. The revised B Corp framework helps companies stay ahead by addressing:

B Lab has even designed the new B Impact Assessment to better harmonize with major reporting frameworks like GRI, CDP, and SBTi.

Companies that begin their recertification prep now will not only meet B Corp expectations, they’ll simultaneously advance readiness for evolving ESG disclosures and regulatory shifts around the world. Early adopters can position themselves as credible, values-driven leaders in a market increasingly flooded with unverified claims.

Why Start Now?

The shift to the new standards is significant, and the worst strategy is waiting until your recertification deadline is staring you in the face. Even if your renewal is one to two years away, beginning now ensures you won’t be caught off-guard by new requirements or scrambling to implement them at the last minute.

Start early, and you gain the advantage of thoughtful integration. You’ll have the time and space to update internal policies, build buy-in across teams, and implement programs in a way that fits your culture and operations.

You also open the door to better outcomes: companies that consistently engage with the B Impact Assessment over time tend to improve their alignment and deepen their impact, rather than just meeting the minimum.

You’ll also be positioning your sustainability roadmap with upcoming domestic and international compliance and disclosure requirements. In an environment where ESG regulations are intensifying, that’s not just a good idea, it’s a competitive necessity.

Advantages of Being an Early Adopter

Taking proactive steps in your B Corp recertification process is more than just smart planning, it’s a powerful brand move that demonstrates leadership, transparency, and a genuine commitment to your values.

Early action also creates opportunities for internal and external storytelling. Externally, you can reaffirm your transparency and integrity by sharing your journey of improving operations and aligning with some of the most rigorous, transparent sustainability standards in the world—all before other companies have even begun discussing it.

For internal teams, it creates opportunities to deepen employee pride and commitment to the company’s mission. It simply pays to lead, and doing it first is even better.

You also avoid the bottlenecks that are sure to come as thousands of companies rush to meet the new requirements in the same short window. By acting now, you give yourself—and your team—the space to do it right. No scrambling. No stress. Just steady, confident progress.

Get Started

The new B Corp standards are an invitation to level up, and the companies that start now will be the ones best positioned to lead. Whether you’re due for recertification in a year or two or want to get ahead of the curve, Sensiba is here to support your success.

Schedule a discovery call with our team to learn what your journey could look like. We’ll walk you through building a roadmap that works with your goals, your timeline, and your budget. The next chapter of your B Corp story starts now. Let’s write it together.

Achieving B Corp Status Through Pathway 2

Reflecting B Lab’s commitment to social and environmental responsibility, service providers working with (or in) industries designated as “controversial” face a more rigorous B Corp certification process. 

B Lab’s Pathway 2 for B Corp certification offers a compliance route for companies that have clients in controversial or ineligible industries, are linked to (or contribute to) adverse impacts, and generate less than 1% of their revenue from these industries.  

Industries designated as controversial by B Lab include: 

  • Charity lotteries 
  • Debt collectors 
  • Nuclear power plants 
  • Radioactive materials 
  • Mining 
  • Pharmaceuticals 
  • Recreational marijuana 

These are industries whose operations can cause adverse social and environmental impacts. B Lab classifies these industries on a global basis, so activities that are legal within some countries, such as the production or sale of recreational marijuana, can be considered as having adverse impacts.  

Ineligible industries go against B Lab’s theory of change, which is centered on transforming the global economic system into one that is inclusive, equitable, and regenerative. Affected industries include: 

  • Fossil fuel producers 
  • Gambling 
  • Pornography 
  • Prisons and detention centers 
  • Tobacco and nicotine products 
  • Weapons and defense (including defense contractors working with government defense departments or agencies)  

For companies active in these designated industries, the certification process involves additional disclosures, risk assessments, and sometimes stricter eligibility thresholds compared to companies in non-controversial sectors. 

In some instances, this may include minimizing interaction with those customers or decommissioning them as clients. But rather than automatically precluding companies that serve these industries from certification, B Lab encourages conversation and collaboration during the assessment process.

Different Pathways to Certification 

Companies have different routes to certification or recertification that depend, in part, on the industries they serve and how they work with customers in those industries. B Lab has three levels of industry involvement:  

  • Associated: Providing basic services or products to a customer that generates adverse impacts. This could mean, for instance, a toilet paper manufacturer selling products to a tobacco company.  
  • Linked: When a company does not cause harm directly, but is connected to it through business relationships. This could mean a hiring agency that helps a charity lottery recruit its employees.
  • Contributing: When a company’s actions or omissions, combined with those of other parties, facilitate or increase a negative human rights or environmental impact. For example, consider a company that sells drilling equipment to a fossil fuel producer.  

This involvement will influence a company’s pathway to certification. Companies must disclose the industries they serve and their level of interaction (associated, linked, or contributing), and implement specific whistleblower and grievance policies.  

The following graphic illustrates how B Lab helps companies determine their pathway based on industry type and interaction level: 

Pathway 1 is suitable for companies interacting only with adverse impact industries at an associated level, and with no direct theory of change clients for at least the past five years. This pathway is simpler and mainly requires disclosure of industries and associations. 

Pathway 2, the most common, is for companies with clients in controversial industries (primarily adverse impact, possibly a few against theory of change), where revenue from these industries is under 1% of total revenue. 

Navigating Pathway 2 

A company pursuing Pathway 2 needs to complete a B Lab spreadsheet detailing its client interactions, services, and other relevant information. This spreadsheet, different from the Impact Verification Template (IVT), asks about the nature of work, position on working with clients, and due diligence processes.  

The spreadsheet requires details for each client, which can be time-consuming to compile. To protect service providers who cannot disclose client names, such as accountants or lawyers, B Lab allows internal client numbers to be used. 

Companies must publicly disclose the nature of their involvement with clients in controversial or ineligible industries, and work to ensure that they generate less than 1% of their revenue from ineligible industries.

B Lab also mandates that companies pursuing Pathway 2 post grievance and whistleblower policies:

Grievance Policy 

The grievance policy must outline the company’s process for accepting grievances, handling them, and escalation if the initial response is unsatisfactory. It also requires a live, responsive contact method (email or hotline) that B Lab will verify, must state freedom from retaliation, and should include an open-door policy or suggestion box (especially for workers without computer access). The policy must apply to all stakeholders in the company’s value chain or ecosystem, not just internal workers. 

Whistleblower Policy 

The whistleblower policy needs to outline the complaint process, to guarantee no retaliation, and to prevent negative repercussions by ensuring the confidentiality of the whistleblower’s identity.  

To meet these mandates, companies can consider hiring an outside service provider to accept and investigate grievance and whistleblower complaints. Along with reducing administrative overhead, outsourcing provides third-party objectivity that can improve the effectiveness of the process. 

At Sensiba, for instance, we completed Pathway 2 on the following basis:

  • The controversial industries we serve represent less than 1% of our revenue. 
  • We’ve agreed to publicly disclose our clients’ industries on our B Corp directory page. 
  • We have robust whistleblower and grievance policies that take all stakeholders into account.
  • We’ve publicly posted our grievance policy on our website for all to view and reference. 

Beyond helping with our recertification, this process plays an important role in our ability to manage risk more effectively and to meet our goals of serving clients and using our business as a force for good.  

To learn more about B Corp certification, contact us.   

SOC 2 Scope: How It’s Defined

When preparing for a SOC 2 audit, defining the scope is one of the most critical and often-misunderstood elements. Clients frequently ask what “scope” means in this context, and why it matters.

Understanding scope is essential for delivering a meaningful SOC 2 report that meets stakeholder expectations and provides assurance around the systems and services in use. 

Why Scope Matters

Earlier standards like SAS 70 and FRAG 21 were criticized for giving organizations too much flexibility in setting the boundaries of their reports. Companies could highlight what they did well while omitting areas that raised concerns—without having to disclose what was left out or why.

SOC 2 tightened these rules, but the definition of scope remains a key limitation and area of discretion. Ultimately, a SOC 2 report is only as useful as the scope it covers.

What the Report Should Include

At its core, the SOC 2 scope should include the systems and services your customers rely on. That typically means:

  • The software platform or system in use
  • The infrastructure where customer data is processed or stored
  • The teams and processes that support those services

Client agreements often offer helpful insight into what customers depend on, but because SOC 2 reports are designed for a broad audience, they usually exclude highly customized or client-specific services. They also omit anything deemed immaterial to users.

Once the service boundaries are defined, the Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, and/or Privacy) must be applied to the relevant systems.

Sub-Service Organizations 

If your service depends on third-party vendors, such as AWS, Google Cloud, or Microsoft Azure, they are considered sub-service organizations. These vendors often provide infrastructure, backup, and other key functions.

You must identify whether these sub-service organizations are included in your report using either the “carve-in” or “carve-out” method. Most SOC 2 reports use the carve-out approach, meaning the third party’s controls are excluded from your report, even though your system depends on them.

For example, suppose your SaaS platform is hosted on AWS. In that case, their infrastructure controls are critical to your service delivery but are likely not included in your SOC 2 audit unless you explicitly choose to “carve them in.”

SOC 2 Complementary User Entity Controls

Complementary User Entity Controls (CUECs) outline the responsibilities of your customers. Even if a system is fully within the report’s scope, some control objectives may depend on end users taking specific actions.

For instance, if your system provides access controls, users are still responsible for managing access rights within their organization. If they fail to do so, it could lead to security breaches—even if your controls are functioning as designed.

The Bottom Line on Scope

Ultimately, management defines the scope of a SOC 2 report. That flexibility allows organizations to align the report with their service offerings and risk profile, but they must disclose the boundaries clearly and fairly. The service auditor then evaluates whether the scope is appropriate and accurately presented.

While organizations can choose to include only some of their services, they cannot “cherry-pick” within a selected service. Once a service is in scope, all relevant components must be included.

Want help defining or optimizing your SOC 2 scope? Contact us to speak with our compliance experts and ensure your SOC 2 report meets the needs of your customers and stakeholders.

When Is the Right Time to Implement an HRIS?

For startups and growing organizations, implementing a human resources information system (HRIS) can significantly improve operations, support compliance goals, and ease the burden on overstretched teams. But when is the right time to introduce one?

For many founders, especially those with teams under 20 employees, a dedicated HR function may not be feasible early on. Yet HR responsibilities still need to be addressed—often falling to founders, operations leads, or finance managers. Even without a formal HR department, consistent HR practices remain important.

Beyond managing people, HR plays a foundational role in information security and compliance. From hiring individuals with ethical integrity to supporting onboarding, training, performance reviews, and policy acknowledgment, many activities are critical to meeting audit requirements under compliance standards like SOC 2, ISO/IEC 27001, CSA STAR, HIPAA, or Consumer Data Right (CDR) accreditation.

When Is the Right Time to Implement an HRIS?

Some startups outsource HR in the early stages, while others adopt HR software to streamline and scale their internal processes. Tools like BambooHR, Employment Hero, or similar systems can help centralize:

  • Hiring and onboarding workflows,
  • Policy and contract acknowledgments,
  • Training and performance review tracking, and
  • Documentation of roles, responsibilities, and organizational structure.

These features not only enhance your HR capabilities but also make it easier to meet compliance requirements—often at a lower cost than full-service security or GRC platforms.

If you’re pursuing a compliance framework and haven’t yet implemented an HRIS, now may be the time. A well-integrated HRIS can bridge critical gaps and serve as a key enabler for your internal controls.

How Can an HRIS Support a Robust HR Capability?

Most HRIS platforms offer onboarding support and prebuilt templates to help you get started. If your team has previously managed HR processes manually, migrating those activities into the system brings consistency, visibility, and audit readiness.

Use the following checklist to implement compliance-focused HR practices within your HRIS:

Step 1: Define your onboarding workflow.
Map out the onboarding process—from candidate screening to day-one tasks—using interactive checklists that assign ownership, deadlines, and sign-offs.

Step 2: Upload and link policies and contracts.
Store your employee handbook, policies, and employment contracts within the HRIS. Link these documents to onboarding steps so new hires can access and acknowledge them easily.

Step 3: Set up performance reviews and training.
Most standards require periodic performance reviews and security awareness training. Your HRIS may offer built-in modules or partner integrations. Set them up as recurring tasks and track completion.

Step 4: Maintain an organization chart.
Some HRIS platforms allow you to build and update your org chart directly. Others let you upload external versions. Keep it current as part of your onboarding and offboarding routines.

Step 5: Define the offboarding process.
Create a checklist for offboarding that includes IT access removal, return of equipment, and an exit interview. Documenting this flow ensures nothing slips through the cracks during employee transitions.

A modern HRIS can do more than support your people—it can help you build a compliant, resilient, and scalable business. Implementing a strong HR foundation is a great place to start if you’re considering SOC 2, ISO/IEC 27001, HIPAA, or CDR accreditation. To learn how an HRIS can support your compliance journey, contact us.

Why You Can’t Fully Automate SOC 2 Compliance

A growing number of platforms claim to “automate SOC 2 compliance.” These tools often include system monitoring, security configuration management, policy templates, audit support features, and full-scale governance, risk, and compliance (GRC) platforms.

Many of these solutions are valuable. They can simplify evidence collection, strengthen your security posture, and streamline audit preparation. But here’s the bottom line:

No tool automates SOC 2 compliance fully.

Why SOC 2 Compliance Can’t Be Fully Automated

To understand why, it helps to revisit what SOC 2 compliance means. SOC 2 is based on the Trust Services Criteria (TSC): 33 criteria in the Security category, plus additional criteria when other categories such as availability or confidentiality are in scope. “Compliance” in this context means demonstrating:

  • Controls are implemented,
  • Designed effectively, and
  • Operating effectively over time (for a Type 2 report).

These criteria are not simple checklists. They aren’t limited to system settings, and they don’t prescribe one-size-fits-all control activities. Most organizations include between 80 and 150 controls in their SOC 2 report, covering a mix of:

  • Technical security measures and configurations,
  • Defined and documented governance processes, and
  • Ongoing monitoring and review practices.

Critically, SOC 2 reports must be issued by an independent CPA firm. That requires having the right controls in place, undergoing an audit, and producing a final report that supports the criteria clearly.

How Does Automation Help Achieve and Issue SOC 2 Reports?

While no tool can “automate” SOC 2 compliance end-to-end, many can support and accelerate the journey. Here’s how:

  • System monitoring tools: These tools help fulfill criteria under System Operations and Logical Access by automating security monitoring and audit trail generation.
  • Security configuration management: Automation helps demonstrate your systems are configured securely and continuously monitored to maintain compliance with technical requirements.
  • Document generation platforms: Tools that generate baseline policies and procedures can jumpstart documentation for key areas like risk management, incident response, and change management.
  • Compliance assessment solutions: These platforms assess how your environment maps to SOC 2 requirements, offer guidance for remediation, and prepare supporting documentation for auditors.
  • GRC platforms: Governance, risk, and compliance tools track your control activities, risks, and documentation, offering a structured way to manage ongoing compliance and support audits.

When combined, these tools can significantly reduce the time and effort involved in preparing for a SOC 2 audit. But technology alone isn’t enough. You still need people to make sense of the data, review logs, respond to incidents, and continuously improve your processes.

Remember that automation is powerful, but it’s not magic. Even the best tools require oversight and integration into your broader governance framework. If your system logs are never reviewed, or your policies are out of date, you’re not truly compliant, regardless of what software you’ve installed.
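The following is an added example, not code from the original article or from any SOC 2 tool, of what the split between automated and human-dependent evidence looks like in practice. The control IDs, the evidence fields, the review windows and the sample evidence snapshot are all constructed for this illustration. Technical controls (MFA, audit logging) can be checked entirely by machine; review-type controls can only be checked for whether a human actually did the review recently, which is exactly the case the paragraph above describes:

```python
"""Minimal control-evidence checker (added example; control IDs, evidence
fields and review windows are hypothetical, not taken from the TSC or any tool)."""
from dataclasses import dataclass
from datetime import date
from typing import List


@dataclass
class Result:
    control: str
    status: str   # "pass", "fail" or "needs_review"
    detail: str


# Constructed evidence snapshot: what an automated collector might gather from
# an identity provider and a logging platform, plus the human attestations that
# no collector can generate on its own.
EVIDENCE = {
    "as_of": date(2025, 9, 30),
    "mfa_enforced_for_all_users": True,
    "users_without_mfa": [],
    "audit_logging_enabled": True,
    "log_retention_days": 365,
    # Human activities: last recorded date of each review (None = never done).
    "last_log_review": date(2025, 4, 2),      # stale: far older than 30 days
    "last_access_review": date(2025, 9, 15),
    "policy_last_approved": None,             # never approved
}


def check_mfa(ev):
    """Fully automatable technical check."""
    if ev["mfa_enforced_for_all_users"] and not ev["users_without_mfa"]:
        return "pass", "MFA enforced for all users"
    return "fail", f"users without MFA: {ev['users_without_mfa']}"


def check_logging(ev):
    """Fully automatable technical check."""
    if ev["audit_logging_enabled"] and ev["log_retention_days"] >= 365:
        return "pass", f"audit logging on, retention {ev['log_retention_days']}d"
    return "fail", "audit logging disabled or retention below 365 days"


def recency_check(field_name, max_age_days):
    """Build a check that confirms a human review happened within the window.
    The tool cannot perform the review; it can only notice that nobody did."""
    def _check(ev):
        last = ev[field_name]
        if last is None:
            return "needs_review", f"{field_name}: no review recorded"
        age = (ev["as_of"] - last).days
        if age <= max_age_days:
            return "pass", f"{field_name}: {age}d ago"
        return "needs_review", f"{field_name}: {age}d ago (> {max_age_days}d)"
    return _check


CONTROLS = {
    "CTRL-01 MFA": check_mfa,
    "CTRL-02 Audit logging": check_logging,
    "CTRL-03 Log review (monthly)": recency_check("last_log_review", 30),
    "CTRL-04 Access review (quarterly)": recency_check("last_access_review", 90),
    "CTRL-05 Policy approval (annual)": recency_check("policy_last_approved", 365),
}


def evaluate(ev) -> List[Result]:
    """Run every control check against one evidence snapshot."""
    return [Result(name, *fn(ev)) for name, fn in CONTROLS.items()]


def summary(results: List[Result]) -> dict:
    """Count results by status; any 'needs_review' means the audit is not ready."""
    counts = {"pass": 0, "fail": 0, "needs_review": 0}
    for r in results:
        counts[r.status] += 1
    return counts


if __name__ == "__main__":
    results = evaluate(EVIDENCE)
    for r in results:
        print(f"{r.status:12} {r.control}: {r.detail}")
    print(summary(results))
```

With the constructed snapshot, the two technical controls pass on their own, while the log review and policy approval come back as needs_review: the logging platform is configured correctly, but the monthly review has not happened in months and the policy was never approved, so the technical evidence alone would not satisfy an auditor.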

Our Recommendation: Start With a Readiness Assessment

Our SOC 2 Readiness Assessment tool offers a smart starting point. It helps you evaluate your current state, document your control environment, and identify any gaps. It’s free, tailored to your business and scope, and designed to help you determine where additional tools or support may be needed.

SOC 2 isn’t a box to check—it’s a journey toward building trust. Automation can support that journey, but it can’t take the wheel.

To learn how to streamline your SOC 2 efforts without compromising quality, contact us.

The 7 Benefits of Outsourcing Internal Audit and SOX Compliance

Maintaining robust internal controls and ensuring SOX compliance are non-negotiable for financial integrity and regulatory confidence. But for many small to mid-sized companies, building and sustaining an in-house audit function can be a costly and resource-intensive endeavor.

That’s why more organizations are turning to outsourced or co-sourced internal audit and SOX compliance solutions—a strategic move that offers agility, expertise, and cost-efficiency.

Outsourced internal audit involves hiring an external firm to conduct audit activities. In a co-sourced model, organizations retain control over key or low-risk areas while outsourcing complex or high-risk tasks, combining internal insights with expert support for optimal balance.

Key Benefits of Outsourcing Internal Audit and SOX Compliance

Here are 7 compelling reasons why outsourcing your internal audit and SOX compliance could be a game-changer for your business:

1. Significant Cost Savings

Maintaining a full-time internal audit team involves salaries, benefits, training, and technology investments. Outsourcing transforms these fixed costs into variable ones, allowing you to pay only for what you need—freeing up budget for other strategic initiatives.

2. Access to High-Level SOX and Internal Audit Experts

SOX compliance and internal audits require deep knowledge of financial controls, IT systems, and evolving regulations. Outsourced partners bring seasoned professionals with cross-industry experience, eliminating the need for costly hiring and training.

3. Increased Efficiency Through Modern Audit Practices

Top-tier audit firms leverage automation, data analytics, and agile methodologies to deliver faster, more accurate audits. Their up-to-date regulatory knowledge ensures your compliance efforts are always aligned with the latest standards.

4. Strengthen Risk Management and Fraud Prevention

An external team offers a fresh, unbiased perspective on your internal controls. Their insights can uncover hidden vulnerabilities—such as fraud risks or cybersecurity gaps—before they become costly issues.

5. Scale Audit Capabilities as Your Business Evolves

As your business grows or faces new regulatory demands, your audit needs will evolve. Outsourcing gives you the flexibility to scale resources up or down without the delays and commitments of hiring full-time staff.

6. Greater Independence and Objectivity

Internal teams may overlook inefficiencies due to familiarity. An independent audit partner provides impartial assessments, reinforcing accountability and enhancing the credibility of your financial reporting.

7. Enhanced Focus on Core Business Operations and Strategic Initiatives

Outsourcing allows your leadership and finance teams to focus on driving growth and innovation, while compliance and risk management remain in expert hands.

Best Practices for Successfully Outsourcing Internal Audit & SOX Compliance

To maximize value from your outsourced internal audit or SOX compliance program, it’s essential to approach the partnership strategically. The best practices outlined below are backed by industry experts and proven to drive success:

  • Choose the Right Partner: Look for firms with deep audit and SOX expertise, industry knowledge, and strong data security protocols.
  • Define Clear Expectations: Set clear deliverables, timelines, and communication protocols from the start.
  • Leverage Technology: Use firms that embrace automation and real-time audit tools for better accuracy and visibility.
  • Prioritize Knowledge Transfer: Ensure your internal team gains insights and capabilities through collaboration with your audit partner.

Is Outsourcing Right for Your Business?

Outsourcing internal audit and SOX compliance is not just about reducing costs; it’s about gaining access to top-tier expertise, improving efficiency, and strengthening risk management.

If your company struggles with staffing, compliance complexity, or operational inefficiencies, outsourcing could be the key to a more cost-effective, scalable, and reliable audit process.

Looking for expert SOX compliance and internal audit solutions? Our consulting team specializes in helping businesses like yours navigate compliance with confidence and ease.

Key Provisions in the One Big Beautiful Bill Act

The signing of HR 1, the One Big Beautiful Bill Act (OBBBA) legislative package, introduced a variety of changes and planning opportunities for businesses and individuals. While many provisions will require additional guidance, taxpayers should have conversations with their advisors to understand the changes, the effective dates, and the implications for their situations. 

Here are some of the key provisions to consider:

Business Provisions

New Depreciation and Expensing Rules

The OBBBA permanently reinstates 100% bonus depreciation for qualified business property placed in service after January 19, 2025. Companies can immediately deduct the full cost of eligible property rather than spreading deductions over future years.

Qualified property generally includes machinery, equipment, and specific software with a recovery period of 20 years or less. Nonresidential real estate does not qualify, except under a new rule for “qualified production property” (parts of commercial buildings used directly in manufacturing or production).

For these, businesses can elect 100% bonus depreciation if construction starts after January 19, 2025, and is completed before January 1, 2031. However, if the property stops being used for production within 10 years, some deductions may be subject to recapture.

Additionally, Section 179 expensing limits are increasing. Starting in 2025, companies can fully expense up to $2.5 million in qualifying assets, with phaseouts beginning at $4 million, both indexed for inflation.

Note: Review your upcoming equipment, software, and facility investments to take advantage of the increased bonus depreciation and the higher Section 179 expensing limits starting in 2025. Consult your tax advisor to structure purchases and construction projects to maximize immediate deductions and avoid potential recapture rules for production property. 

Section 174 Expensing Returns

The act included the highly anticipated repeal of the 2017 Tax Cuts and Jobs Act (TCJA) requirement to capitalize and amortize foreign and domestic research and experimental (R&E) expenditures.

This long-desired fix to Section 174 of the Internal Revenue Code will significantly benefit innovative U.S. businesses by enabling immediate expensing of domestic R&E expenditures. This change does not apply to foreign R&E.

Note: Read our detailed summary of these changes: OBBBA Delivers Section 174 Capitalization Relief.

Business Interest Deduction Changes

New tax rules permanently calculate interest deduction limits based on EBITDA (earnings before interest, taxes, depreciation, and amortization), which generally allows for larger interest deductions. Additionally, certain international tax items, including Net CFC Tested Income (formerly GILTI) and subpart F income, are excluded from adjusted taxable income when calculating interest deduction limits, effective in 2026.

Interest limitations now apply whether you deduct or capitalize the interest. Any allowed business interest deduction is first applied to capitalized interest amounts, except for specific farming and carrying cost interest.

Note: Review your company’s financing strategy to maximize interest deductions under the new EBITDA-based limits starting in 2026. Work with your tax advisor to understand how the exclusion of Net CFC Tested Income, subpart F income, and the treatment of capitalized interest may affect your overall tax planning. 

Qualified Business Income (QBI) Deduction Changes

The Act permanently extends the 20% deduction for Qualified Business Income (QBI) for domestic businesses operated as sole proprietorships, partnerships, S corporations, trusts, or estates. It also continues the 20% deduction for REIT dividends and publicly traded partnership (PTP) income.

Key changes effective after 2025:

  • Permanent extension of the 20% QBI deduction (previously set to expire after 2025).
  • Expanded income phase-in ranges for limitations:
    • Joint filers: increased from $100,000 to $150,000
    • Single filers: increased from $50,000 to $75,000
  • New minimum deduction: At least $400 for active businesses if the taxpayer materially participates and has at least $1,000 in aggregate QBI.
  • Indexed for inflation in future years.

Limitations remain for specified service trades or businesses (SSTBs) above income thresholds.

Note: These permanent and enhanced QBI provisions offer continued tax savings for business owners and investors. Review your structure and income planning to maximize benefits under the updated Section 199A rules. 

New Tip Income Deduction and Reporting Requirements

Starting in 2025 through 2028, individuals in occupations that customarily receive tips can claim a new deduction for qualified tips, even if they don’t itemize their deductions. Qualified tips are voluntary amounts not negotiated in advance.

The deduction is capped at $25,000 and phases out for incomes over $300,000 ($150,000 for single filers). A valid Social Security number is required.

Employers must include qualified tip amounts in tax statements furnished to the IRS. Specifically, payments reportable on Forms 1099-K, 1099-MISC, or 1099-NEC must:

  1. Separately report cash tips included in the total compensation.
  2. Indicate the occupation of the recipient as defined under new section 224(d)(1).

These changes apply to businesses with tipped employees and to payors processing contractor or platform payments, increasing reporting complexity.

Additionally, the Act expands the FICA tip tax credit to include beauty service businesses such as barbering, hair and nail care, esthetics, and spa treatments, provided tipping is customary. This helps employers offset Social Security taxes on employee cash tips in these industries.

A list of eligible tipped occupations will be published within 90 days of enactment. A transition rule applies for returns or statements required before January 1, 2026.

Note: Employers should prepare to update payroll systems and reporting processes to comply with these new detailed requirements.

New Overtime Deduction – Employer Reporting Requirements

From 2025 to 2028, qualified employees can claim a new deduction for qualified overtime pay (overtime wages under the Fair Labor Standards Act above regular pay rates). The deduction is up to $12,500 ($25,000 for joint filers) and phases out for incomes over $150,000 ($300,000 for joint filers). Highly compensated employees are excluded.

Key employer responsibilities:

  • Report total qualified overtime pay on employee Forms W-2.
  • For contractors, Forms 1099-MISC and 1099-NEC must separately report the portion that is qualified overtime pay if it is above the reporting thresholds.
  • Provide clear statements to recipients indicating qualified overtime amounts, as this reporting is required for deductibility.

Note: Employers should review payroll and reporting systems to ensure compliance with these new requirements, which support employees’ ability to claim this deduction.  

Opportunity Zones Made Permanent – Key Changes

The Act makes Opportunity Zones (QOZs) permanent, with new designations every 10 years starting July 1, 2026. It narrows eligibility to census tracts with poverty rates over 20% or median family incomes under 70% of the area median.

Key benefits remain:

  • Temporary deferral of reinvested capital gains
  • 10% permanent gain reduction after 7 years (30% for qualified rural funds)
  • No tax on future gains if held 10+ years

For rural investments, the gain reduction increases to 30%, and the substantial improvement requirement for buildings drops to 50%, making rural projects easier to qualify.

Note: Employers, investors, and fund managers should note new reporting requirements aimed at increasing program transparency and demonstrating economic impact. Evaluate potential investments in new or existing Opportunity Zones to take advantage of permanent tax deferral and exclusion benefits. Consider targeting rural projects to benefit from the enhanced 30% gain reduction and easier building improvement requirements. 

Expanded QSBS Gain Exclusion (Section 1202)

The Act enhances the Qualified Small Business Stock (QSBS) gain exclusion:

  • Holding period changes:
    • 50% exclusion for stock held 3–4 years
    • 75% exclusion for 4–5 years
    • 100% exclusion for 5+ years
  • Exclusion cap increase: From $10 million to $15 million, adjusted for inflation starting in 2027 (not available if fully used in prior years).
  • Gross asset limit: Raised from $50 million to $75 million, also adjusted for inflation.

Additionally, no AMT adjustment applies to stock acquired under these changes. To qualify, companies must still meet QSBS requirements, including the gross asset test.

Note: These changes apply to stock acquired on or after enactment and are permanent. Business owners and investors should assess planning opportunities under this expanded exclusion. Review your current and planned investments in QSBS to take advantage of the higher exclusion caps and new tiered holding period benefits. Ensure your company meets QSBS eligibility requirements to maximize these permanent tax savings opportunities. 

Advanced Manufacturing Tax Credit Changes

The Act increases the Advanced Manufacturing Investment Credit (Section 48D) from 25% to 35% for property placed in service after December 31, 2025, enhancing incentives for U.S. manufacturing investments.

It also updates rules for the Advanced Manufacturing Production Credit (Section 45X). Taxpayers can now treat a component as sold to an unrelated party if:

  • A primary component is integrated into a secondary component produced in the same facility, and
  • The secondary component is sold to an unrelated party.

However, at least 65% of the secondary component’s material costs must come from primary components mined, produced, or manufactured in the U.S.

These changes support expanded tax benefits for manufacturers investing in U.S.-based production and integrated component assembly.

Note: Assess upcoming manufacturing investments to capitalize on the increased 35% Advanced Manufacturing Investment Credit starting in 2026. Review your supply chain and production processes to ensure at least 65% of secondary component material costs come from U.S. sources to qualify for the updated production credit benefits. 

Individual Provisions

Estate and Gift Tax Changes

Starting after December 31, 2025, the basic exclusion amount—the amount each U.S. citizen or domiciliary can transfer during life or at death without paying estate or gift tax—will increase from $13.99 million to $15 million (before inflation adjustments).

Unlike the current temporary higher exemption (scheduled to drop after 2025), this $15 million threshold is permanent and will be indexed for inflation starting in 2027.

The Act retains the current estate, gift, and generation-skipping transfer (GST) tax system but makes a significant change to exemption amounts. The GST exemption will also increase to $15 million, allowing transfers to grandchildren or other “skip persons” outright or in trust without triggering GST tax.

Individuals and families can transfer greater wealth tax-free under this expanded and permanent exemption. It provides more certainty for estate planning, eliminating concerns about future sunset reductions.

Note: Review your estate and gifting plans to align with the new permanent $15 million exemption starting in 2026. Consider accelerating wealth transfer strategies to maximize tax-free transfers under these expanded limits. 

SALT Deduction Changes

The Act temporarily increases the state and local tax (SALT) deduction cap to $40,000 from 2025 through 2029. After 2029, the cap will permanently revert to $10,000.

For 2025, the full $40,000 cap applies, but starting in 2026, the cap phases down for individuals with modified adjusted gross income over $500,000, decreasing by 1% each year through 2029 (though it will never drop below $10,000). The applicable cap is always halved for married individuals filing separately.

The Act does not address SALT deductions for passthrough entities. Existing treatments for PTET (pass-through entity tax) workarounds remain unchanged, though PTET workaround validity continues to rely on IRS Notice 2020-75 and could change with future Treasury guidance.

These new SALT cap provisions apply to tax years beginning after December 31, 2024.

Note: Review your projected state and local tax payments to maximize deductions during the temporary $40,000 SALT cap window from 2025 to 2029. Consult your tax advisor to evaluate PTET election strategies and plan for the phase-down if your income exceeds $500,000. 

Itemized and Standard Deduction Changes

The Act makes permanent the pre-TCJA Pease limitation, which reduces itemized deductions for high-income taxpayers. Specifically, taxpayers in the highest income tax bracket will see their allowable itemized deductions, including charitable contributions and SALT deductions, capped under this provision. This limitation does not affect the qualified business income (QBI) deduction under Section 199A.

For standard deductions, the Act:

  • Permanently increases the standard deduction to:
    • $15,750 for single filers and married filing separately
    • $23,625 for heads of household
    • $31,500 for married couples filing jointly or surviving spouses

These amounts apply for tax years after December 31, 2024, and will be adjusted for inflation annually.

New Temporary Senior Deduction

For tax years 2025 through 2028, taxpayers can claim a $6,000 deduction for each qualified individual. A qualified individual is:

  • The taxpayer themselves if they are age 65 or older by year-end, and
  • For joint filers, also the spouse if they are age 65 or older by year-end.

The deduction is reduced by 6% of modified adjusted gross income (MAGI) exceeding:

  • $75,000 for single filers
  • $150,000 for joint filers

However, the deduction cannot be reduced below zero. To claim it, the Social Security number of each qualified individual must be included on the tax return.

Note: This temporary senior deduction offers meaningful tax relief for older taxpayers but begins phasing out at moderate income levels. It is available only for tax years 2025 through 2028. Review your income levels with your tax advisor to manage MAGI phase-out impacts and ensure Social Security numbers are correctly reported to qualify. 

New “Trump” Child Savings Accounts

The Act creates Trump accounts, similar to traditional IRAs but designed for children under 18. Key features include:

  • Annual contributions: Up to $5,000 annually (non-deductible), indexed for inflation, until the beneficiary turns 18.
  • Employer contributions: A one-time contribution of up to $2,500 per employee or their dependent, tax-free to the employee and indexed for inflation.
  • Tax-exempt entity contributions are allowed.
  • No distributions are permitted until the year the beneficiary turns 18.
  • Special rollover rules apply to these accounts.

The Act also establishes a government-funded pilot program providing a $1,000 credit into a Trump account for each qualifying child born between 2025 and 2028 who is a U.S. citizen at birth.

Employers may set up tax-free contribution programs for employees or their dependents, similar to Dependent Care Assistance Programs, if established through a written plan meeting specific requirements.

Note: Consider setting up Trump accounts for your children or dependents to build tax-advantaged savings before they turn 18. Employers should evaluate establishing a written contribution program to provide tax-free benefits to employees or their dependents under these new rules. 

To learn more about these provisions and how they apply to your circumstances and planning opportunities, contact us.

Penetration Testing vs. Red Teaming: What’s Right for Your Business?

In today’s threat landscape, proactive security testing is essential for protecting sensitive data and maintaining regulatory compliance. Frameworks like SOC 2, ISO/IEC 27001, and HITRUST require organizations to demonstrate their systems can withstand potential attacks.

But when it comes to testing your defenses, one size doesn’t fit all.

Penetration testing and red team exercises simulate real-world attacks, but they serve different purposes and require different levels of security maturity. How do you know which is right for your business?

Understanding these methods can help you make informed decisions about your security investments and protect your business more effectively from evolving cyber threats.

What Is Penetration Testing?

Penetration testing, often called “pen testing,” is a controlled simulation of a cyberattack designed to uncover vulnerabilities in your systems, applications, or networks. A pen test is usually conducted over a set period and targets specific assets, such as your external web applications, internal infrastructure, or cloud environments.

Examples might include testing a customer portal for SQL injection flaws, probing internal systems for segmentation gaps, or evaluating misconfigured access privileges.

Think of a pen test as a targeted security check-up with clear boundaries and objectives, which makes it practical for organizations with defined security concerns. Pen tests may be conducted with varying degrees of knowledge about your environment, ranging from “white box” (full access and visibility) to “gray box” (limited knowledge).
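As an added example (not code from the original article), here is the kind of customer-portal flaw mentioned above, shown next to its fix. The table name, columns and sample rows are constructed for this illustration; the point for a defender is that a parameterized query keeps user input as data, so the probe a tester would use to confirm the flaw returns nothing against the hardened version:

```python
"""Vulnerable lookup beside its hardened form (added example; schema and data
are constructed, not from any real customer portal)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny customer table in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, plan TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, plan) VALUES (?, ?)",
        [
            ("alice@example.com", "pro"),
            ("bob@example.com", "free"),
            ("carol@example.com", "pro"),
        ],
    )
    return conn


def find_customer_vulnerable(conn, email: str):
    """Vulnerable: user input is spliced into the SQL text, so the input can
    change the structure of the query instead of only supplying a value."""
    query = f"SELECT id, email, plan FROM customers WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def find_customer_safe(conn, email: str):
    """Hardened: a parameterized query. The driver binds the value separately
    from the statement, so quotes in the input cannot alter the SQL."""
    return conn.execute(
        "SELECT id, email, plan FROM customers WHERE email = ?", (email,)
    ).fetchall()


def compare(email: str):
    """Return (rows from the vulnerable query, rows from the safe query)
    for one input, so the two behaviours can be checked side by side."""
    conn = make_db()
    try:
        return find_customer_vulnerable(conn, email), find_customer_safe(conn, email)
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal lookup behaves identically in both versions.
    print("normal input:   ", compare("alice@example.com"))
    # The textbook tautology a tester uses to confirm the flaw: the vulnerable
    # version returns every row, the hardened version returns nothing.
    print("tautology input:", compare("' OR '1'='1"))
```

Remediation after a pen test finding like this is the parameterized form plus a check that no other code path builds SQL from strings; the vulnerable function is kept here only so the two results can be compared on the same data.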

Common goals of penetration testing include:

  • Discovering and fixing vulnerabilities before attackers do.
  • Meeting compliance requirements from regulators or customers.
  • Testing the effectiveness of security controls, patches, and configurations.

Typical engagement durations range from a few days to a couple of weeks, providing actionable results within a reasonable timeframe.

What Is a Red Team Exercise?

A red team exercise takes security testing to another level by conducting a full-scope, goal-oriented simulation that mirrors real-world cyberattacks. Unlike penetration testing, red teaming employs the tactics, techniques, and procedures used by threat actors to create a realistic adversarial scenario.

The aim isn’t just to find weaknesses, but to discover how far an attacker can go without being detected.

Unlike traditional pen tests, red team operations are stealthy and persistent. They unfold over several weeks or even months, often without alerting your defenders. These exercises test your organization’s detection capabilities, incident response procedures, and overall security resilience.

Red teams use a wide range of attack vectors: phishing emails, social engineering, privilege escalation, and even physical entry. A successful red team exercise might end when the attacker gains domain admin access, exfiltrates sensitive data, or bypasses all security layers to reach a protected business asset.

Red-team assessments are ideal for evaluating how well your security team detects, responds to, and recovers from real-world attack scenarios. But they require a mature cybersecurity program and a willingness to expose gaps in detection and response capabilities.

Key Differences: Pen Testing vs. Red Teaming

Penetration Testing                    | Red Team Exercise
---------------------------------------|---------------------------------------------------
Finds and exploits vulnerabilities     | Tests detection, response, and business impact
Scoped and time-boxed                  | Broad, goal-driven, long-term
Often known to defenders               | Kept secret from defenders
Evaluates systems and configurations   | Evaluates people, processes, and technology
Supports compliance requirements       | Supports advanced threat simulation and readiness

Which Is Right for Your Organization?

Companies must align their security testing approach with their business needs, regulatory requirements, cybersecurity maturity, and incident response capabilities.

Penetration testing offers a strong starting point if:

  • You’re early in your cybersecurity journey.
  • You need to meet compliance or client expectations.
  • You want a fast, focused assessment of technical vulnerabilities.

Red team exercises may be more appropriate if:

  • Your organization has mature detection and response capabilities.
  • You’re looking to simulate complex, real-world adversary behavior.
  • You want to measure the effectiveness of your entire security program.

These approaches aren’t mutually exclusive. Many companies begin with regular penetration testing and introduce red teaming as their security programs mature. Layering both techniques provides a broader picture of your defenses, from identifying weak spots to understanding how your team responds under the pressure of an attack.

It’s important to remember security testing isn’t a one-time exercise, but an ongoing process that evolves with your business and the threat landscape. Penetration testing can provide a strong foundation by uncovering technical weaknesses and informing remediation efforts. Red team exercises build on that foundation by testing how well your organization responds when it matters.

If you’re unsure where to begin, a trusted cybersecurity partner can help assess your current maturity and guide your next steps. Whether you’re aiming for compliance or preparing for the unexpected, proactive security testing is an investment in resilience and your organization’s long-term success.

To learn more about pen testing and red-team exercises, contact us.

The Compounded Sales and Use Tax Burden of Tariffs 

As retailers, manufacturers, and consumers address a wider array of expanded tariffs, a common question is whether they’re being taxed twice on imported goods. The answer to this question is generally yes, but typically not in a way that is clearly discernible on a purchase invoice or receipt.

Because sales tax is charged on the sales price of taxable goods or services to consumers after import duties have been imposed, the result is a compounding tax effect in which sales tax is charged on a sales price that has been increased to recoup tariff costs.

While new or increased tariffs ultimately compound the tax burden of consumers due to higher prices and/or surcharges subject to sales tax, sellers are at an increased risk of sales tax exposure. Sellers will need to ensure sales tax calculations are accounting for new tariff surcharges and price changes correctly.

New or increased tariffs can also lead consumers and businesses who have historically relied on importing goods to begin buying or selling in new states, which can create sales and use tax responsibilities in these states and local jurisdictions.

Understanding Tariffs and Sales and Use Taxes

Tariffs are taxes or duties imposed on imported goods. Nations use them to protect domestic industries, generate revenue, and provide leverage in trade negotiations. Tariffs are based on the declared value of an item when it’s imported.

When goods arrive at a port of entry, the importing company must pay the tariff (a percentage of the product’s value or a set fee) to customs authorities before the goods are released for sale or further distribution. The government of the importing country collects these payments, not the country where the goods were produced.

Different methods can be used to calculate declared values, with some approaches including insurance, freight, and shipping charges.

Sales taxes are levied by state and local jurisdictions on the sale of goods and services or the transfer of goods or services for consideration. The seller collects them at the point of sale on taxable goods and services for remittance to the appropriate jurisdictions.

Use taxes are imposed on a taxable item’s consumption, sale, storage, or use when a sales tax isn’t collected. This may apply, for instance, to taxpayers who import products for their own use in a state and are not charged sales tax by the international seller. Use taxes are self-assessed and paid by the consumer or business.

The Basis for Sales and Use Tax

Under the general principle followed in most jurisdictions, the cost of the imported product, which includes the tariff, becomes the basis for calculating sales or use tax.

Sales and Use Tax General Examples

Example #1: Sales Tax

Consider a product with a declared value of $100 imported into the United States from a nation subject to a 20% tariff rate. Due to the added tariff, the importer’s cost becomes $120. The importer purchased and imported the goods for resale and therefore would not owe sales tax on its purchase. Since the importer will likely pass the tariff cost on to the buyer via a price increase or surcharge, the buyer effectively pays sales tax on the tariff amount in most cases.

Example #2: Use Tax

Consider a similar example, but where the importer maintains possession of the item in the U.S. for their own use. The importer would be required to remit use tax to the state where they make use of the item. Depending on the state and which party is considered the importer of record, the amount subject to use tax would generally be for the $100 declared value of the item.

State-Specific Considerations

Several states have regulations regarding how tariffs are treated for sales and use tax purposes. The taxability of tariffs often depends on who pays the tariff (importer or purchaser) and how the cost is passed along in the transaction.

In most cases, if the tariff is part of the sales price charged by the seller/importer, it is taxable. If paid directly by the purchaser/importer, it is not.

California, South Carolina, Wisconsin, and Washington have issued clear guidance on how tariffs should be treated for sales and use tax purposes. The tariff’s taxability depends on who pays it and how it is invoiced.

In California, for instance, any tariff surcharge or reimbursement is taxable if the seller is the importer of record and passes the tariff cost on to the customer, regardless of whether it is stated separately on the customer’s invoice.

For example, say a California company is the importer of record who pays a tariff directly and intends to resell the product. They would provide the seller with a California resale certificate and pay no sales and use tax. On the subsequent sale, they would collect California sales tax on the taxable product and the tariff surcharge, which may be stated separately on the invoice or combined with the original product price.

An exclusion is available for a buyer who imports goods and is considered the importer of record and a consignee. In this instance, the tariff would be imposed on the buyer. Any amount paid related to the tariff is not considered part of the purchase price of the goods.

If the buyer/importer of record is the product’s end-user, they would owe use tax on the taxable product purchased. If the buyer is not the importer of record and the seller is the importer of record, the entire charge (including tariff) may be subject to use tax.

Relevant regulations that apply to California companies include:

The California Department of Tax and Fee Administration (CDTFA) offers resources for clarification.

Deductions and Credits

Tariff costs are generally deductible as business expenses:

  • Cost of Goods Sold (COGS): Tariffs are treated as part of the cost of acquiring inventory. Tariffs increase inventory costs and are deductible when the goods are sold.
  • Operating expenses: If tariffs are not directly tied to inventory but are considered part of operational costs (e.g., fees related to importing), they may still be deductible as ordinary and necessary business expenses.
  • State-specific rules: While federal tax law allows tariff deductions, state tax laws may vary and must be reviewed.

A company’s response to the imposition of tariffs may also qualify it for Research and Development Credits. If a company, for instance, is looking at onshoring production and starting to manufacture state-side while also updating or revamping the production process, that could trigger an eligible process for the R&D credit. Design changes or the construction of a new facility may warrant an R&D tax credit evaluation.

Similarly, if a company looking to reduce costs makes engineering design or manufacturing process changes as a result, that can be a qualified activity.

Practical Implications

In dynamic trade environments, companies must understand the value and importance of accurate cost accounting. Understanding how tariffs affect their landed costs, for instance, is crucial for developing effective pricing strategies and forecasting profitability.

Companies should document their tariff payments for tax purposes:

  • Retain official import documentation, including bills of lading, customs declarations, and other forms from U.S. Customs and Border Protection (CBP).
  • Maintain proof of tariff payment. If the seller charged a tariff, document this as well.
  • Make sure documentation is traceable to the purchase and sale of specific products. This may include purchase orders, contract numbers, and similar documents.
  • Consult with tax professionals to ensure compliance with state-specific regulations.
  • Factor tariffs into their pricing models.
  • Evaluate the potential impact of changing trade policies on import costs and sales tax.

To learn more about the sales and use tax implications of tariffs for your business, contact us.

The Five Reasons Startups Go for Security Certifications

Security and compliance qualifications, like SOC 2 and ISO/IEC 27001, demonstrate you apply good practices in your business.

They’re often classified as “security” and thought of as the technical security of your systems. However, they’re broader, focusing on organizational practices that support your security AND other objectives. That includes availability (system resilience), confidentiality of data, privacy for your users, integrity of the system processing objectives, scalable process design, and operational readiness to support large business customers. 

What are the 5 reasons Startups Go for Security and Compliance Certifications?

There are five reasons we see our clients pursue these certifications, listed in order of how often we encounter them.

  1. Enterprise sales: Large businesses looking to use your software consider your product AND your capabilities as an organization. These qualifications play an important role in demonstrating that your business is “enterprise ready,” providing a reliable service, and keeping their data secure.
  2. Tick-the-box for compliance mandates: Following enterprise sales, these qualifications often become mandates. They can also be used to demonstrate compliance with regulations (e.g., GDPR), satisfy regulatory requirements, or participate in certain schemes (e.g., Consumer Data Right’s data sharing economy).
  3. Reduce due diligence: A major pain point for software companies is the relentless due diligence required to serve enterprise customers. Hundreds, even thousands, of “security questions” and vendor audits are common. Standards like SOC 2 and ISO/IEC 27001 are designed to have a single independent audit process that satisfies broad end-user requirements.
  4. Improve operations: Standards are a means of improving business operations. They’re based on “good” or “best” industry practices. Auditors have extensive experience seeing these applied in different environments and can guide you in applying them in your context.
  5. Satisfy other stakeholders: Last but not least is a myriad of other stakeholders that are satisfied for similar reasons above. Investors, regulators, partners, boards, the management team, and even employees benefit from implementing and validating your alignment to standards. It provides peace of mind that you are secure, compliant, and clarifies your key operational practices.

SOC 2 vs. ISO/IEC 27001

Each standard has different requirements, nuances in how they are applied, and perceptions in the market. This impacts which may be best for your business and how they help you achieve the goals above. When deciding between SOC 2 and ISO/IEC 27001, your primary goal often dictates the best choice. Let’s break down the key considerations:

Meeting Customer and Industry Preferences

If your goal is enterprise sales or ticking the box on a mandate, it’s important to consider your customers’ preferred standard(s). In general, more regulated industries (such as finance or healthcare) prefer the SOC standards. Less regulated customers generally prefer the ISO family of standards. SOC 2 is more prevalent in the U.S., while ISO/IEC 27001 is more common in Europe.  

Streamlining Due Diligence

For reducing due diligence, the best standard is often linked to the last point. However, it’s also important to consider that ISO/IEC 27001 provides a certificate only. SOC 2 reporting has a system description including the controls specific to your organization, your system scope, third-party responsibilities, e.g., AWS shared responsibility model, and your end users’ responsibilities when using your system.

This reporting approach in SOC 2 helps answer more “questions” for the due diligence process. It helps your customers’ vendor risk teams understand what’s relevant, the associated risks of using your services, and how those risks are addressed in your specific practices.

Enhancing Operational Practices

When improving operational practices, it’s up to your organization to pick the approach that “fits” best. The SOC 2 criteria-based approach is more flexible and focused on how the criteria are practically met in your specific context. Tech companies often see this as a better way to align operating practices with their company’s culture, size, scale, and unique nature.

ISO/IEC 27001 is a more prescriptive approach aligned to a higher standard of practice, focusing on policies and procedures. While some businesses feel this is more rigid and restrictive on their business, it can be advantageous and, in some ways, easier to follow a cross-industry, “best-practice” methodology. 

Satisfying Other Stakeholders

Meeting the needs of other stakeholders will depend on the specifics of what they are looking for assurance over. Regulators that require an “independent audit” of your technology generally steer towards SOC 2. Partners often prefer the standard they have adopted themselves or their customers care more about. Employees’ and management’s preferences are based on what they feel “fits” best.

The Common Path: Doing Both

Whichever standard you choose initially, it’s very common for tech companies to do both. The good news is there’s a lot of overlap. Customers generally accept if you have one of these, even if it’s not their preferred one. If they do require their preferred standard, they typically accept what you have in the immediate term and agree on a period to achieve the other.

To learn more about choosing the best standard or frameworks for your compliance and reporting needs, contact us.

Understanding Blockchain and Its Role in Compliance

As a young consultant joining the assurance space, I was looking for opportunities to work in emerging technologies. Candidly, I just wanted to work on ‘cool’ clients, and those in the emerging tech space seemed to foot the bill. A fortunate conversation with a partner at my firm turned into a long discussion about blockchain and cryptocurrencies.

This was around 2019, and I had a faint understanding of crypto that was limited to knowing that Bitcoin existed, and that a guy I knew in high school had somehow made enough money to buy himself a brand-new BMW M3.

He tried to convince me to buy some, but it sounded like a scam. When he totaled that BMW and was promptly able to purchase a new one, I figured it had to be a scam because no high schoolers made that kind of money authentically.

The conversation with this partner, however, offered a change of tune that made me realize not only was this high schooler on to something in 2012, but that I probably missed out on making a fortune. This partner is an incredibly intelligent person whom I looked up to, who taught me about the underlying tech and its potential to completely change entire industries.

I figured if he believed in it that much, there must be something to it I didn’t understand. But I knew I wanted to learn.

What Is Blockchain?

Blockchain is defined as a shared, immutable ledger that facilitates the process of recording transactions and tracking assets in a business network. All participants on the network using the shared database are referred to as nodes connected to the blockchain, with each maintaining an identical copy of the ledger. When one participant wants to transact with another, all nodes must use the pre-determined consensus mechanism to validate that transaction.

Upon validation, all copies of the ledger are updated with the new transaction information (i.e., a new block is added to the chain). These transactions, or blocks of transactions, cannot be deleted or altered. In the event of an alteration, the rest of the network would reject the alteration and exclude it from the blockchain.

Blockchain process

Who Are the Key Players?

You can categorize key players into the following groups: Digital Asset Wallet Providers, Digital Asset Exchanges, Digital Asset Custodians, Cryptocurrency Payment Companies, and Utility Tokens.

These service providers need to be able to prove to customers that their platforms are secure. Some questions that a user entity of these service providers should ask are:

  • How are digital assets going to be secured?
  • How will the service provider prevent misappropriation of assets?
  • What controls does the service provider have in place to reconcile customer balances to protect blockchain data?
  • Does the service provider charge a fee to process transactions? If so, how are they ensuring the fee amount is agreed to by the customer?

These groups and the organizations within them serve a mosaic of use cases ranging from supply chain tracking, financial transaction management, identity management, and much more. With the relatively nascent nature of the technology and lack of regulation in the industry, the need for comprehensive and scalable risk assessment frameworks is imperative.

How Does Third-Party Assurance Tackle This New and Complex Technology?

As the volume of entities and enterprises entering this space grows, the need for assurance in their use of the technology amplifies. These entities need to be aware of the risks involved and how to mitigate them appropriately.

In recent years, scandals have rocked the world of blockchain and digital assets, with “rug-pulls” becoming a known term. These scams, where developers or creators withdraw all funds or liquidity and disappear, raise significant concerns about the availability of services and access to funds for customers.

This is where Third-Party Assurance can step up. SOC 2, for example, provides critical assurance for blockchain systems by establishing rigorous security controls, third-party validation, and continuous compliance monitoring tailored to decentralized environments.

A SOC 2 report can provide assurance against traditional and blockchain-specific risks at a service provider. This is achieved by evaluating their controls over Security, Availability, Processing Integrity, Confidentiality, and Privacy.

Other examples include:

  • Immutable compliance evidence (such as automating evidence collection for access controls, security patches, incident responses, and other factors)
  • Third-party risk mitigation, such as vendor compliance with appropriate security standards
  • Regulatory alignment, including compliance with GDPR, CCPA, and financial regulations through documented data handling practices.

Key Blockchain and Digital Asset Terminology

Distributed Ledger Technology (DLT): A distributed, decentralized ledger technology that records transactions across a network of computers. Each transaction is grouped in a block and linked chronologically in a chain.

Block: A collection of transaction data.

Chain: A linked sequence of blocks, each referencing the previous one via a cryptographic hash.

Hashing: A cryptographic function that converts input data of any size into a fixed-length string (a digest). Any change to the input, however small, produces a different digest, which is what lets the network detect altered blocks.

Nodes: Individual computers in the blockchain network that store copies of the ledger and follow the protocol.

Smart Contracts: Self-executing contracts with terms directly embedded into their code that execute actions automatically when predefined conditions are met.
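The hash-linked ledger described under “What Is Blockchain?” and in the Chain and Hashing definitions above, shown as an added example. This is illustrative code written for this page, not code from any blockchain project or from the author: it assumes a toy ledger of dict-based blocks, a zero-hash genesis link (GENESIS_PREV), and a simple majority vote among node copies standing in for a real consensus mechanism. The transactions are constructed sample data. It shows why an altered transaction breaks the hash of its block, why relinking one block breaks the next, and why a fully rewritten copy is still rejected by the other nodes.

```python
import copy
import hashlib
import json

# Hypothetical convention for this example: the first block links to a zero hash.
GENESIS_PREV = "0" * 64

# Constructed sample transactions (not real ledger data).
SAMPLE_BATCHES = [
    [{"from": "mint", "to": "alice", "amount": 50}],
    [{"from": "alice", "to": "bob", "amount": 5},
     {"from": "alice", "to": "carol", "amount": 7}],
    [{"from": "bob", "to": "carol", "amount": 2}],
]


def block_hash(index, prev_hash, transactions):
    """SHA-256 over a canonical JSON encoding of the block contents.
    Any change to the transactions or to the link changes this digest."""
    payload = json.dumps(
        {"index": index, "prev_hash": prev_hash, "transactions": transactions},
        sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def make_block(index, prev_hash, transactions):
    return {"index": index, "prev_hash": prev_hash,
            "transactions": transactions,
            "hash": block_hash(index, prev_hash, transactions)}


def build_chain(batches):
    """Link each batch of transactions to the hash of the block before it."""
    chain, prev = [], GENESIS_PREV
    for i, txs in enumerate(batches):
        block = make_block(i, prev, txs)
        chain.append(block)
        prev = block["hash"]
    return chain


def verify_chain(chain):
    """Return (True, None) if every block's stored hash matches its contents and
    its prev_hash matches its predecessor; else (False, index of first bad block)."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        if block["index"] != i or block["prev_hash"] != prev:
            return False, i
        if block_hash(i, prev, block["transactions"]) != block["hash"]:
            return False, i
        prev = block["hash"]
    return True, None


def rehash_from(chain, start):
    """Recompute hashes and links from `start` onward: what anyone rewriting
    history has to do to make an altered copy internally consistent again."""
    prev = GENESIS_PREV if start == 0 else chain[start - 1]["hash"]
    for i in range(start, len(chain)):
        chain[i]["prev_hash"] = prev
        chain[i]["hash"] = block_hash(i, prev, chain[i]["transactions"])
        prev = chain[i]["hash"]
    return chain


def node_accepts(own_copy, proposed):
    """A node accepts a proposed ledger only if it is internally consistent
    and keeps the node's own history as an unchanged prefix."""
    return verify_chain(proposed)[0] and proposed[:len(own_copy)] == own_copy


def network_accepts(node_copies, proposed):
    """Simple majority of node votes (a stand-in for a real consensus protocol)."""
    votes = sum(node_accepts(own, proposed) for own in node_copies)
    return votes * 2 > len(node_copies)


def demo():
    """Build a ledger, replicate it to five nodes, then try an honest extension
    and a rewritten history. Returns the outcomes for inspection."""
    chain = build_chain(SAMPLE_BATCHES)
    nodes = [copy.deepcopy(chain) for _ in range(5)]

    # Honest extension: a new block that links to the current tip.
    new_tip = make_block(len(chain), chain[-1]["hash"],
                         [{"from": "carol", "to": "alice", "amount": 1}])
    honest_ok = network_accepts(nodes, chain + [new_tip])

    # Tampering: node 0 changes a past payment amount in its own copy.
    nodes[0][1]["transactions"][0]["amount"] = 999
    detected_at = verify_chain(nodes[0])           # stored hash of block 1 no longer matches
    rehash_from(nodes[0], 1)                       # relink blocks 1..n so the copy is self-consistent
    tampered_internally_valid = verify_chain(nodes[0])[0]
    rewrite_accepted = network_accepts(nodes, nodes[0])  # the other four nodes refuse
    return {"honest_ok": honest_ok, "detected_at": detected_at,
            "tampered_internally_valid": tampered_internally_valid,
            "rewrite_accepted": rewrite_accepted}


if __name__ == "__main__":
    print(demo())
```

The point of the last two steps in `demo()` is the one the text makes: hashing alone only proves a single copy is self-consistent, and a party that controls a copy can always recompute its hashes. It is the replicated copies plus the consensus rule that cause the network to reject the rewritten history.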

Tokens and Digital Assets:

  • Cryptocurrency: Digital currency native to a blockchain (e.g., Bitcoin and Ether)
  • Utility Tokens: Provide access to a service or product.
  • Security Tokens: Represent ownership in an asset, subject to securities regulation.
  • Non-Fungible Tokens (NFTs): Unique digital assets verified on chain.

Public Blockchain: Open, permissionless networks (e.g., Bitcoin, Ethereum)

Private Blockchain: Permissioned networks with restricted access (e.g., Hyperledger Fabric)

Consensus Mechanisms: Protocols used by blockchain networks to agree on the validity of transactions and maintain the integrity of the distributed ledger.

  • Proof-of-Work (PoW): Requires computational work to validate transactions (e.g., Bitcoin). PoW is very secure, but because of the mathematical computations required, it can be energy intensive.
  • Proof-of-Stake (PoS): Validators for each block are chosen based on the number of coins they stake. This is a faster and more energy-efficient alternative to PoW. However, there is a risk of centralization due to wealthier users having more control of the network.
  • Delegated Proof of Stake (DPoS): Stakeholders vote for a small number of delegates who validate transactions. This consensus mechanism allows for high throughput, but can pose a risk of cartel-like power behavior.
  • Proof of Authority (PoA): Allows a few trusted nodes to validate transactions based on reputation or permission. This is arguably the fastest and most efficient type of consensus mechanism, but also the least transparent, which is why it is most commonly seen on private blockchains.
  • Practical Byzantine Fault Tolerance (PBFT): Nodes reach consensus through majority agreement despite possible malicious actors. This allows for high security and speed in small networks, but is not scalable for large public networks.

When I stepped into this space, I knew it would be a wild ride. Between the ever-changing regulatory landscape, emerging use cases beyond anything I could have conceptualized, and the volatile nature of the industry, the ride has been much like the technology itself: complex.

The see-saw can be balanced with the right expertise and assurance, allowing the pioneers to focus on innovating.

To learn more about applying the benefits of blockchain assurance, contact us.

HIPAA Compliance: How to Get Started

Achieving HIPAA compliance requires more than just good intentions—it takes the right policies, processes, and technologies to protect sensitive health information. Whether you’re a covered entity or a business associate, understanding your obligations is the first step. Here’s a practical overview of how to begin your HIPAA compliance journey, and how Sensiba can help.

Becoming HIPAA-compliant involves implementing processes, policies, and technologies that secure Protected Health Information (PHI). Compliance is required for any organization or individual who handles PHI, such as healthcare providers, insurers, and business associates. Here is a sample overview of some key steps needed to start.

Understanding the Scope of HIPAA

Start by determining whether your organization is a Covered Entity (such as a healthcare provider or health plan) or a Business Associate (a vendor or service provider handling PHI on behalf of a covered entity). These classifications determine your responsibilities under HIPAA.

Next, identify what qualifies as PHI under the law. This includes any data linked to an individual related to health status, treatment, or payment. Common examples include:

  • Names
  • Social Security numbers
  • Medical records
  • Treatment histories
  • Insurance or payment details

Conducting a HIPAA Risk Assessment

A comprehensive risk assessment is foundational to compliance. This process should:

  • Identify where PHI is stored, processed, and transmitted
  • Evaluate risks to the confidentiality, integrity, and availability of PHI
  • Document vulnerabilities, assess potential impacts, and outline risk mitigation steps

Regular risk assessments help organizations stay ahead of evolving threats and regulatory expectations.

Develop and Implement Policies and Procedures

HIPAA requires documented policies aligned with the Privacy, Security, and Breach Notification Rules. Key steps include:

  • Drafting formal policies and procedures that govern how PHI is handled
  • Creating an incident response plan, including clear notification protocols for data breaches
  • Establishing rules for data retention and secure destruction of PHI when no longer needed

Train Employees on HIPAA Compliance

Employees are your front line of defense. Regular training ensures they understand the following:

  • The core elements of HIPAA’s Privacy and Security Rules
  • How to handle PHI responsibly
  • How to recognize and report a breach or security concern

Ongoing refresher training is essential to keep staff informed of updates and reinforce compliance expectations.

HIPAA Audit and Monitoring With Sensiba

While there’s no formal “HIPAA certification,” many organizations benefit from an independent audit of their HIPAA controls. An audit provides assurance over the design and operating effectiveness of your compliance practices and helps identify areas for improvement.

Sensiba offers tailored HIPAA audit services designed to fit your organization’s size, complexity, and risk profile. Our agile approach avoids the disruption of traditional large-scale audits. Instead, we work alongside your team to build confidence in your compliance posture.

Ready to strengthen your HIPAA compliance? Contact us to speak with a member of our team.

The Role of Change Management in SOC 2 Compliance

Change management plays a pivotal role in SOC 2 compliance. It governs how changes to IT environments—whether hardware updates, software upgrades, or system modifications—are handled and documented. Each change introduces potential risks, from misconfigurations to security vulnerabilities, making a well-managed process essential to maintaining compliance.

This article is the first in a series aimed at IT and compliance professionals navigating the change management process in the context of SOC 2. We’ll begin by reviewing the Trust Services Criteria, exploring the purpose of change management controls, and walking through best practices to help ensure changes are properly reviewed, approved, tested, and documented.

Understanding SOC 2: Definition and Scope

SOC 2 reports are based on five Trust Services Criteria:

  • Security–The foundation of every SOC 2 audit, focused on protecting systems against unauthorized access and breaches.
  • Availability–Ensures systems operate as intended and remain accessible when needed.
  • Processing Integrity–Addresses the completeness, validity, and accuracy of data processing.
  • Confidentiality–Limits access, storage, and use of sensitive information.
  • Privacy–Covers data protection principles including lawful processing, purpose limitation, and data minimization.

Unlike other compliance frameworks that prescribe rigid requirements, SOC 2 allows flexibility. Organizations select the Trust Services Criteria that align with their business objectives and data handling practices. Security is typically included by default, with additional criteria being added as appropriate.

Why Change Management Matters in SOC 2

Change management is a core element of the control environment evaluated in a SOC 2 audit. It goes beyond technical upgrades and version control to maintain trust, minimize disruption, and ensure every update aligns with your organization’s compliance posture.

An effective change management process helps safeguard system integrity by enforcing accountability, reducing risk, and promoting operational consistency. No matter how small, every change should follow a deliberate and documented process to mitigate unintended consequences.

Key Components of an Effective Change Management Process

To meet SOC 2 expectations, your change management process should include the following:

  • Systematic documentation: Track all changes from planning through implementation. Documentation should include the reason for the change, impact assessments, testing details, and approval history.
  • Comprehensive impact analysis: Evaluate how a proposed change could affect system security, business operations, and user experience before proceeding.
  • Stakeholder involvement: Engage relevant parties such as IT teams, management, and occasionally end users. Their input helps surface risks and clarify the benefits of the proposed change.
  • Testing and validation: Test all changes based on their complexity and risk level. This helps confirm the intended outcomes and limits disruptions.
  • Review and approval: Establish a formal process for reviewing and approving changes. Ensure stakeholders with appropriate authority sign off before implementation.
  • Post-implementation review: After a change is deployed, assess its effectiveness and verify it hasn’t compromised system functionality or security.

To learn more about the role of effective change management in SOC 2 compliance, contact us.

Compliance Auditor Selection Checklist: 10 Things to Consider

Choosing a compliance audit provider isn’t as straightforward as selecting most business services. Information security audits, especially across frameworks like SOC 1, SOC 2, ISO/IEC 27001, and GDPR, vary widely in execution, cost, and fit.

If this is your first time navigating these waters, here are 10 important factors to consider.

1. Experience With Similar Clients

Ask how many clients the auditor serves under the specific framework you’re considering. Some large firms offer cybersecurity audits but only support a handful of clients in cloud-based or software-as-a-service (SaaS) industries. It could be a red flag if their experience doesn’t align with your profile.

2. Transparent Cost Disclosures

Audit firms vary in how they quote and present pricing. Be cautious of hidden fees or hard-to-compare pricing models. Ask prospective providers to explain how their services and costs compare with those of others you’re evaluating.

3. Variable Fees

Some providers charge extra if the audit takes longer than expected or issues arise. Others may add fees for delays or rescheduling. These terms can create tension between you and your auditor. Look for flexible and transparent firms, especially if you anticipate shifting business priorities.

4. Contract Terms and Future Costs

First-year pricing is often discounted because audit work decreases over time, and long-term relationships are common. That said, ensure you’re not locked into unfavorable future pricing. Scrutinize multi-year commitments and ask about potential rate adjustments.

5. Breadth of Services

While specialization can be valuable, working with multiple providers for overlapping audits can create unnecessary complexity. If you’re pursuing SOC 2, ISO/IEC 27001, ISO/IEC 42001, GDPR, CCPA, PCI-DSS, or HIPAA compliance, consider a firm that can support all your frameworks under one roof.

6. Partner Ecosystem

Auditors are bound by independence requirements and cannot design or implement your controls. However, firms with strong partnerships, such as penetration testers, IT service providers, or managed security vendors, can connect you to reliable resources that complement the audit and your remediation needs.

7. Familiarity With Compliance Automation Tools

If you use tools like Vanta or Drata to manage controls and evidence, your auditor should work seamlessly with them. Ideally, they can reduce manual uploads by pulling evidence directly from these platforms. Look for firms with automation playbooks designed to streamline audits using your existing tools.

8. Brand Recognition

While name recognition matters less than it once did, your auditor’s brand still helps shape customer perception. Big Four firms convey general trust, but specialist cybersecurity audit firms often hold more credibility in this space—especially those with strong reputations and deep experience in cloud-native environments.

9. Official Framework Accreditation

For SOC 1 and SOC 2 reports, make sure your auditor is authorized under the appropriate standards. In the U.S., reports must follow the SSAE 18 standards (AT-C 105 and 205) issued by the AICPA. Some firms use international equivalents (such as ISAE 3000) that not all U.S. customers accept. If your business is U.S.-based or serves U.S. clients, AICPA registration is a must.

10. Your Actual Audit Team

Perhaps most importantly: who will you work with? Sales professionals or senior partners may guide you through the pitch before handing off your engagement to junior staff. Ask who will perform the audit and what level of experience they bring. Direct access to knowledgeable professionals makes a meaningful difference during the engagement.

Final Tips for Selecting an Auditor

Still unsure? Here are two low-risk ways to evaluate audit providers:

  • Request a reference call. Speaking with a customer similar to your organization can provide unfiltered insight into the firm’s process, responsiveness, and overall value.
  • Take advantage of free resources. Many firms offer readiness assessments, consultations, or scoping sessions. These allow you to test their approach and service quality before committing.

At Sensiba, we welcome questions about any of the points above. We support organizations across cloud services, and many of our clients are happy to speak with peers considering our services. Our readiness assessments cover SOC 1, SOC 2, ISO/IEC 27001, GDPR, HIPAA, CCPA, and other global standards.

To explore how we can support your compliance goals, contact us.