SOC 1 Type 2 Certification
Because most of our clients rely on our systems to process or store sensitive data, AIS Network takes considerable care in designing its systems for the highest levels of security, reliability and scalability.
That also includes developing a comprehensive set of security measures and practices to keep our customers’ data protected. In keeping with our efforts to deliver the highest quality services to our clients, we have completed the SSAE 18 / Service Organization Control 1 (SOC 1) Type 2 audit (the AICPA now expands SOC as System and Organization Controls). This is a semi-annual attestation performed by an independent auditor, who thoroughly evaluates our private cloud hosting, managed services and application development services.
What Does the SOC 1 Type 2 Certification Verify?
The SOC 1 Type 2 certification verifies that AISN has the proper internal controls and processes in place around security and availability, and that those controls operated effectively over the audit period rather than merely existing on paper. This helps to mitigate risk and ensure that our clients’ data are highly secure.
The SOC 1 is most appropriate for companies that must meet regulatory financial reporting requirements, especially those that provide financial services, so that they can demonstrate compliance with internal controls over financial reporting. Federal regulations such as Sarbanes-Oxley (SOX), Gramm-Leach-Bliley (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA) require corporations to audit the internal controls of their suppliers, including those that provide technology services.
May I See Your SOC 1 Type 2 Certification Report?
Because AISN serves financial services companies and others subject to these regulations, the SOC 1 is highly applicable to the services that we provide. Use of the Type 2 report is restricted by the AICPA to existing user entities and their auditors, so it is not distributed to prospective customers; current AISN customers can request a copy of the report under an appropriate non-disclosure agreement.
What Control Areas Are Examined?
Because the scope is broad, the audit takes considerable time and effort. The independent auditor reviews the following AISN control areas:
- Organization and Administration
- Information Security Program
- Human Resources
- Physical Security
- Logical Access
- Network Monitoring
- Configuration Management
- Vulnerability Management
- Backup and Restoration
- Incident Management
- Application Development
Two Types of SOC 1 Reports
Both SOC 1 reports attest to the controls and processes at a service organization that may affect its user entities’ internal control over financial reporting.
Type 1: This is an attestation that controls at a service organization are suitably designed and implemented at a specific point in time.
Type 2: This is an attestation that controls at a service organization are suitably designed and operated effectively over a review period, typically a minimum of six months.
Why the SOC 1 Audit
The old SAS 70 audit was designed to help CPAs report on controls at a service organization that affected user entities’ financial statements. It was insufficient for reporting on a cloud hosting provider’s controls and how they affected the privacy of customer data. Nevertheless, SAS 70 was the de facto standard until 2011, and it was always subject to a measure of confusion.
Consequently, the American Institute of Certified Public Accountants (AICPA) replaced SAS 70 with Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and the SOC framework; together, these served as the new benchmark for service organizations. SSAE No. 18 then replaced SSAE 16 and became effective for service auditors’ reports dated on or after May 1, 2017. SSAE 19, effective July 15, 2021, revises the standard for agreed-upon procedures engagements; it does not replace the SSAE 18 section under which SOC 1 reports are issued.
Today, SOC 1 reports are issued under the SSAE 18 attestation standards, which focus on the controls of a service organization that are relevant to an audit of a user entity’s financial statements. A report under the standard demonstrates that an organization has adequate controls and processes in place.
To address the various needs of service organizations previously using SAS 70, the AICPA developed three different reports: SOC 1, SOC 2 and SOC 3. All are conducted by an independent third-party auditor.
AISN currently holds a SOC 1 Type 2 certification report in addition to a SOC 2 Type 2 report. According to the AICPA, “SOC 1 reports on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting: SOC 1 reports are examination engagements performed by a service auditor (CPA) in accordance with Statement on Standards for Attestation Engagements (SSAE) 18, Reporting on Controls at a Service Organization, to report on controls at a service organization that are likely to be relevant to an audit of a user entity’s financial statements. Use of a SOC 1 report is restricted to existing user entities (not potential customers) and their auditors.”