SSAE 16 Compliance, SSAE 16 Audits
Not All Compliance Levels Are Equal
AIS has successfully completed multiple third-party audits that demonstrate compliance with rigorous industry standards, providing clients assurance that we have appropriate controls in place to safeguard their data, privacy, equipment, connectivity, and security.
These audits include SSAE 16 SOC 1, 2, and 3 (all Type 2) and Title 21 CFR Part 11.
Good news: for each of our San Diego and Phoenix data centers, AIS has successfully completed:
- SOC 1 Type 2 (SSAE 16 and ISAE 3402)
- SOC 2 Type 2
- SOC 3 Type 2
- 21 CFR Part 11 (AIS BusinessCloud1)
These third-party audits of AIS data center operations, conducted by Moss Adams LLP, one of the largest accounting and business consulting firms in the nation, demonstrate high standards in areas that are particularly sensitive for our business client base.
SSAE 16 (Statement on Standards for Attestation Engagements No. 16) replaces the older SAS 70 audit, which had been in use since the early 1990s.
The goal of the SOC (Service Organization Controls) 1, 2, and 3 audits is to provide assurance, via a report, that the controls management asserts actually exist and are operating effectively.
- A SOC 1 report covers controls at the service organization that are relevant to its customers' internal control over financial reporting. The AIS SOC 1 report is available to customers and prospective customers upon request with the execution of a Non-Disclosure Agreement (NDA).
- A SOC 2 report covers controls evaluated against the Trust Services Principles of Security, Availability, Confidentiality, Processing Integrity, and Privacy – validating, for example, that the system is protected against unauthorized physical and logical access. The AIS SOC 2 report focuses on the Security and Availability principles and is available to customers and prospective customers upon request with the execution of an NDA.
- The SOC 3 report is a summary Trust Services Report that documents assurances on AIS’ controls related to the Security and Availability principles, but omits the detailed description of the tests and results contained in the SOC 2 report.
Please contact your sales representative if you would like a copy of the AIS SSAE 16 SOC 1, 2, or 3 reports.
A key requirement of an SSAE 16 audit is an attestation engagement in which AIS management provides the auditor with a written assertion regarding the design, objectives, and implementation of the controls.
The auditor, in turn, tests that the described controls are in place and operating effectively throughout the examination period and documents the results in the SSAE 16 report.
An organization can receive either a Type 1 or a Type 2 report. A Type 1 report only addresses the suitability of the control design at a single point in time, while a Type 2 report tests the operating effectiveness of the controls over a period of time, usually six months to one year. AIS undergoes Type 2 audits.
AIS’ most recent SOC 1, 2, and 3 Type 2 audit reporting period was May 1, 2012 to April 30, 2013.
Title 21 CFR Part 11
Title 21 CFR Part 11 is the United States Food and Drug Administration (FDA) regulation governing electronic records and electronic signatures (ERES).
Attaining Part 11 compliance for AIS BusinessCloud1 helps FDA-regulated clients of AIS – including drug makers, medical device manufacturers, biotech companies, biologics developers, food manufacturers, and contract research organizations (CROs) – meet their own rigorous compliance requirements.
Title 21 of the Code of Federal Regulations (CFR) Part 11 defines the criteria under which electronic records and signatures are considered to be trustworthy, reliable, and equivalent to paper records and handwritten signatures.
Part 11 requires controls including audit trails, system validation, electronic signatures, and documentation for software and systems involved in processing electronic records that are (a) required to be maintained by FDA predicate rules or (b) used to demonstrate compliance with a predicate rule.
FFIEC, FISMA, GLBA, HIPAA, HITECH, ISO, PCI-DSS, SOX, etc.
AIS can assist you in locking down network infrastructure and ensuring compliance with the provisions of:
- Federal Financial Institutions Examination Council (FFIEC)
- Federal Information Security Management Act (FISMA)
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Health Information Technology for Economic and Clinical Health (HITECH)
- International Organization for Standardization (ISO)
- Payment Card Industry (PCI) Data Security Standard (DSS)
- Sarbanes-Oxley (SOX)
- And more…
We have extensive experience in regulated markets and we will gladly work with you to map out a solution that meets your specific needs.
SSAE 16 SOC Audit Presentation
Contact Us Now to learn more about AIS Compliance and why it matters