SOC 2 Type 2 Certification

AIS Network takes considerable care in designing its systems in accordance with the highest levels of security, reliability and scalability. With the majority of our clients relying on our systems to process or store sensitive data, this approach is non-negotiable.

AICPA SOC 2 Type 2 Certification

SOC 2 Type 2 Certification

Our compliance strategy also includes developing a comprehensive set of security measures and practices to keep our customers’ data protected and safe.

In accordance with our efforts to deliver the highest quality services to our clients, we have completed the SSAE 21/ Service Organization Control 2 (SOC) Type 2 audit. This semi-annual certification attestation is administered by an independent auditor, who thoroughly evaluates our private cloud hosting, managed services, and application development services.

What Does the
SOC 2 Type 2 Certification Verify?

With cyber threats on the rise, potential customers rightfully want to know what systems and security controls we’ve put in place to safeguard their sensitive data. One of the best ways to provide this assurance is with a SOC 2 Type 2 report.

The report verifies that AISN has the proper internal controls and processes in place to protect client data.

The SOC 2 Type 1 and 2 both report on the non-financial reporting controls and processes at a service organization as they relate to the Trust Services Criteria. Developed by the American Institute of CPAs (AICPA), the criteria serve as a benchmark for managing customer data.

Essentially, the audit determines whether service organizations are compliant with the principles of security, availability, and processing integrity of the systems the service organization uses to process users’ data as well as the confidentiality and privacy of the information processed by these systems. 

According to the AICPA, these reports can play an important role in:

  • Oversight of the organization
  • Vendor management programs
  • Internal corporate governance and risk management processes
  • Regulatory oversight

May I See Your SOC 2 Type 2 Certification Report?

Because AISN provides IT services for banks and other organizations subject to these regulations, the SOC is highly applicable to the services that we provide. Use of the Type 2 report is restricted by the AICPA, but current AISN customers can request a copy of the report using an appropriate non-disclosure agreement.

What Control Areas Are Examined?

The independent auditor reviews the following AISN control areas:
  • Security
  • Availability

Two Types of SOC 2 Reports

Both SOC 2 reports attest to the non-financial reporting controls and processes at a service organization as they relate to the Trust Services Criteria. With one key distinction. A Type 2 report includes an assessment of the operating effectiveness of the controls and processes over a defined period of time, rather than a single point. Increasing the visibility of systems in action is intended to provide a greater level of trust to the customer. 

Because of the shorter coverage period, the Type 1 audit is quicker, easier and less expensive to generate. While similar in many ways, the Type 2 report requires an organization to undergo rigorous auditing over a longer period to prove compliance. It’s resource-intensive, but it pays dividends in the additional value it provides.

Areas covered in a SOC 2 Type 2 report include infrastructure, software, people, data and procedures.

Type 1

This is an attestation of controls at a service organization at a specific point in time.

Type 2

This is is an attestation of controls at a service organization over a minimum six-month period.

It’s worth noting that you don’t pass or fail an audit. Rather, the auditor provides an opinion as to whether or not an organization is adhering to the specified trust principles. If the auditor’s assertions align with those of management, then you will be given a ‘clean’ or unmodified opinion. Meaning that you can be trusted with the storage and transmission of sensitive data. 

Our 100% compliance guarantee assures clients that AISN always passes its security and compliance audits so that AISN clients can also pass theirs.

Why the SOC 2 Audit?

The old SAS 70 audit was designed to help CPAs reporting on controls at a service organization — controls that impacted user entities’ financial statements. It was insufficient for reporting on a cloud hosting provider’s controls and how they impacted the privacy of customer data. Nevertheless, SAS 70 was the de facto standard up until 2011. (And it was always subject to a measure of confusion.)

Consequently, the American Institute of Certified Public Accountants (AICPA) updated the SAS 70 with the development of the Statement on Standards for Attestation Engagements No.16 (SSAE 16) and the SOC framework. Together, these served as a new benchmark for service organizations and replaced the outmoded SAS 70. Thereafter, SSAE No.18 replaced SSAE 16 and became effective for service auditor’s reports dated on or after May 1, 2017. SSAE 19 later replaced SSAE 18, followed by SSAE 20, SSAE 21, and SSAE 22.*

Today, our SOC reports are administered in compliance with the SSAE 21 auditing standards, which focus on the controls of a service organization that are relevant to an audit of a user entity’s financial statements. The standard demonstrates that an organization has adequate controls and processes in place.

To address the various needs of service organizations previously using the SAS 70, the AICPA developed three different reports: SOC 1, SOC 2, and SOC 3. All are conducted via a third-party independent auditor.

AISN currently holds both a SOC 2 Type 2 and a SOC 1 Type 2 certification. The SOC 2 Type 2 reports on the description of controls provided by the management of the service organization. It then confirms that the controls are suitably designed and implemented and attests to the operating effectiveness of the controls.

* SSAE-22 is for review engagements, which is not the SOC 1 and SOC 2.

Want More Information About Our SOC Compliance?

At AISN, we don’t believe in a ‘one-size-fits-all’ approach to cloud solutions. We’ve based our business model on the premise that our clients deserve customized cloud solutions designed to meet their specific compliance, security and operational needs. If you’d like to know more about the cloud or cloud enablement services, don’t hesitate to get in touch. Our experts are always happy to discuss your needs and answer any questions you may have.