SOC 2 Type 2 Certification
AIS Network takes considerable care in designing its systems for the highest levels of security, reliability and scalability, because most of our clients rely on our systems to process or store sensitive data.
That also includes developing a comprehensive set of security measures and practices to keep our customers’ data protected and safe.
In accordance with our efforts to deliver the highest quality services to our clients, we have completed the SSAE 18/Service Organization Control (SOC) 2 Type 2 audit. This is a semi-annual certification attestation administered by an independent auditor, who evaluates our private cloud hosting, managed services and application development services thoroughly.
What Does the SOC 2 Type 2 Certification Verify?
A SOC 2 Type 1 and SOC 2 Type 2 both report on the non-financial reporting controls and processes at a service organization as they relate to the Trust Services Criteria. The SOC 2 verifies that AISN has the proper internal controls and processes in place to protect client data. The SOC 2 audit was designed to determine whether service organizations comply with the principles known as the Trust Services Criteria: the security, availability and processing integrity of the systems the service organization uses to process users’ data, and the confidentiality and privacy of the information processed by these systems.
According to the AICPA, these reports can play an important role in:
- Oversight of the Organization
- Vendor Management Programs
- Internal Corporate Governance and Risk Management Processes
- Regulatory Oversight
May I See Your SOC 2 Type 2 Certification Report?
Because AISN serves highly regulated organizations, the SOC 2 Type 2 is highly applicable to the services that we provide. Use of the Type 2 report is restricted by the AICPA, but current AISN customers can request a copy of the report using an appropriate non-disclosure agreement.
What Control Areas Are Examined?
The independent auditor reviews the following AISN control areas:
Two Types of SOC 2 Reports
Both SOC 2 reports attest to the non-financial reporting controls and processes at a service organization as they relate to the Trust Services Criteria.
Type 1: This is an attestation of controls at a service organization at a specific point in time.
Type 2: This is an attestation of controls at a service organization over a minimum six-month period.
Why the SOC 2 Audit
The old SAS 70 audit was designed to help CPAs reporting on controls at a service organization — controls that impacted user entities’ financial statements. It was insufficient for reporting on a cloud hosting provider’s controls and how they impacted the privacy of customer data. Nevertheless, SAS 70 was the de facto standard up until 2011, and it was always subject to a measure of confusion.
Consequently, the American Institute of Certified Public Accountants (AICPA) updated the SAS 70 with the development of the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and the SOC framework; together, these served as a new benchmark for service organizations and replaced the SAS 70. Next, SSAE No. 18 replaced SSAE 16 and became effective for service auditor’s reports dated on or after May 1, 2017. Beginning July 15, 2021, SSAE 19 will replace SSAE 18.
Today, SOC reports are administered in compliance with the SSAE 18 auditing standards, which focus on the controls of a service organization that are relevant to an audit of a user entity’s financial statements. The standard demonstrates that an organization has adequate controls and processes in place.
To address the various needs of service organizations previously using the SAS 70, the AICPA developed three different reports: SOC 1, SOC 2 and SOC 3. All are conducted via a third-party independent auditor.
AISN currently holds a SOC 2 Type 2 certification report in addition to a SOC 1 Type 2 report. The SOC 2 Type 2 reports on the description of controls provided by management of the service organization. It then attests that the controls are suitably designed and implemented and further attests to the operating effectiveness of the controls.