SOC 1 Type 2 Certification
Because most of our clients rely on our systems to process or store sensitive data, AIS Network takes considerable care in designing its systems for the highest levels of security, reliability and scalability.
That also includes developing a comprehensive set of security measures and practices to keep our customers’ data protected and safe. In accordance with our efforts to deliver the highest quality services to our clients, we have completed the SSAE 21 / Service Organization Control (SOC) 1 Type 2 audit. This is a semi-annual certification attestation administered by an independent auditor, who thoroughly evaluates our private cloud hosting, managed services and application development services.
What Does the SOC 1 Type 2 Certification Verify?
The SOC 1 Type 2 certification verifies that AISN has the proper internal controls and processes in place around security and availability. This helps to mitigate risk and ensure that our clients’ data are highly secure.
The SOC 1 is most appropriate for companies that are required to meet regulatory financial reporting requirements such as Sarbanes-Oxley (SOX), especially those that provide financial services, so that they may demonstrate their compliance with internal financial reporting controls. In addition, federal regulations such as SOX, the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA) require corporations to audit the internal controls of their suppliers, including those that provide technology services.
May I See Your SOC 1 Type 2 Certification Report?
Because AISN serves financial services companies and others subject to these regulations, SOC 1 is highly applicable to the services that we provide. Use of the Type 2 report is restricted by the AICPA, but current AISN customers can request a copy of the report using an appropriate non-disclosure agreement.
What Control Areas Are Examined?
Two Types of SOC 1 Reports
Type 1
Type 2
Why the SOC 1 Audit?
The old SAS 70 audit was designed to help CPAs report on controls at a service organization — controls that impacted user entities’ financial statements. It was insufficient for reporting on a cloud hosting provider’s controls and how they impacted the privacy of customer data. Nevertheless, SAS 70 was the de facto standard up until 2011, and it was always subject to a measure of confusion.
Consequently, the American Institute of Certified Public Accountants (AICPA) updated the SAS 70 with the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and the SOC framework; together, these served as a new benchmark for service organizations and replaced the SAS 70. Next, SSAE No. 18 replaced SSAE 16 and became effective for service auditor’s reports dated on or after May 1, 2017. SSAE 19 later replaced SSAE 18, followed by SSAE 20, SSAE 21, and SSAE 22.*
Today, our SOC reports are administered in compliance with the SSAE 21 auditing standards, which focus on the controls of a service organization that are relevant to an audit of a user entity’s financial statements. The standards demonstrate that an organization has adequate controls and processes in place.
To address the various needs of service organizations previously using the SAS 70, the AICPA developed three different reports: SOC 1, SOC 2, and SOC 3. All are conducted via an auditor.
AISN currently holds a SOC 1 Type 2 certification report and a SOC 2 Type 2 report. According to the AICPA, “SOC 1 reports on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting: SOC 1 reports are examination engagements performed by a service auditor (CPA) by Statement on Standards for Attestation Engagements (SSAE) 19, Reporting on Controls at a Service Organization, to report on controls at a service organization that is likely to be relevant to an audit of a user entity’s financial statements. Use of a SOC 1 report is restricted to existing user entities (not potential customers) and their auditors.”
* SSAE 22 applies to review engagements, which SOC 1 and SOC 2 are not.