MOSS ADAMS LLP | 1

SOC AuditsService Organization Reporting

MOSS ADAMS LLP | 2SLIDE 2

INTRODUCTION

Chris Kradjan, CPA, CITP, CRISC

Chris Kradjan is the National SSAE 16 Leader for Moss Adams. He has been with Moss Adams since 1994, and has been auditing and consulting since 1992. He works routinely with a wide range of complex service organizations to meet their needs. His practice areas include SSAE 16 SOC 1/2/3 auditing, PCI-DSS compliance services, internal controls reviews, Sarbanes-Oxley compliance services, SysTrust/WebTrust audits, and independent technology assessments. Furthermore, Chris is regularly involved with technology and financial controls assessments based on the COSO, COBIT, PCI-DSS, NIST, FISMA, and ISO 27002 frameworks. He serves on the AICPA SOC 2 Task Force and was recently appointed to the AICPA Assurance Services Executive Committee.

MOSS ADAMS LLP | 3SLIDE 3

• Overview of SOC reporting• Scope and coverage of SOC audits for AIS• Background about Moss Adams as your auditors• Key terminology• Customers’ responsibilities• AIS internal contact

OBJECTIVES

MOSS ADAMS LLP | 4SLIDE 4

• Increased competition• Sarbanes-Oxley – SEC/publicly traded companies• HIPAA Security and Privacy Rules – Healthcare• GLBA – Financial services• FERPA – Education• PCI-DSS – Payment card data• State and local security and privacy laws• NIST 800-53 – Federal compliance• ISO 27001 – Security• Safe Harbor – International

MARKET / REGULATORY PRESSURES

MOSS ADAMS LLP | 5SLIDE 5

• Represents that AIS has been through an in-depth audit of its system/controls

• For business unit(s) or entire organization• Discloses controls relevant to customers• Demonstrates design and operating effectiveness of

controls in place• Follows AICPA standards - can only be issued by CPAs• Even more important given Sarbanes-Oxley, heightened

regulatory conditions, and increasing competition

SOC AUDITS

MOSS ADAMS LLP | 6SLIDE 6

• Provide customers independent assurance about AIS’ controls

• Satisfy multiple customers through a single audit • Help AIS differentiate itself from its competition• Provide independent feedback to management to

define and monitor adherence to established operational metrics

• Identify potential opportunities to strengthen the business practices and operating environment at AIS

VALUE OF SOC AUDITS

MOSS ADAMS LLP | 7SLIDE 7

RELEVANT PARTIES

User Entities

American Internet Services

UserAuditors

UserAuditors

UserAuditors

UserAuditors

User Entities

User Entities

User Entities

Moss Adams

MOSS ADAMS LLP | 8SLIDE 8

• Audit of “system”/controls (vs. financial audit)

• AIS performs services (as “service organization”) for its own customers

• In turn, its customers (“user entities”) and their auditors (“user auditors”) want assurance over the AIS systems/controls

• AIS then hired Moss Adams (“service auditor”) to opine on AIS’ systems/controls

RELEVANT PARTIES - DEFINED

MOSS ADAMS LLP | 9SLIDE 9

• 11th largest accounting and consulting firm• Reputable and nationally recognized, celebrating 100 years• Over 1,800 professionals and 240 partners in 22 offices• Strong acceptance to relevant customers and industries/markets• Well established in the tech and data center space• Professionals serving in important leadership roles through the

AICPA, COSO, and other national committees • Proven technical expertise and industry credentials • Established SOC auditing and testing processes• Practical, solution-oriented approach

MOSS ADAMS

MOSS ADAMS LLP | 10SLIDE 10

Leads• Chris Kradjan, Partner• Francis Tam, Partner• JP Langlois, Supervisor

Highlights• Lead by SSAE 16 National Practice Leader• Comprised of seasoned SOC team• Security, operations and controls advisors• SOC, Sarbanes-Oxley, HIPAA, PCI, internal controls specialist• CPA, CISA, CISM, CITP, CRISC, PCI QSA

AUDIT TEAM

MOSS ADAMS LLP | 11SLIDE 11

Reports• SOC 1 Type 2 Audit (SSAE 16 and ISAE 3402)• SOC 2 Type 2 Audit• SOC 3 Type 2 Audit

Audit Period Ending: April 30, 2012, April 30, 2013, etc.

Sites• Lightwave Data Center (LWDC)• San Diego Tech Center (SDTC) • Fiber Alley Data Centers #1/#2/#3 (FADC)• One Wilshire Point of Presence (OWPOP)• Van Buren Data Center (VBDC)

SCOPE

MOSS ADAMS LLP | 12SLIDE 12

SOC 1/ISAE 3402

Control Areas:• Service Delivery• Solutions Design• Computer Operations• Logical and Physical Security• Change Management• Incident Management• Disaster Recovery Planning• Business Continuity Planning

CONTROL AREAS

SOC 2 and SOC 3

Principles:• Security• Availability

Control Areas:• Policies• Communication• Procedures• Monitoring

MOSS ADAMS LLP | 13SLIDE 13

Historical with SAS 70SAS 70 Reporting AU 324

New with SSAE 16• SOC 1 – Internal Controls Over Financial Reporting AT

801

• SOC 2 – AT 101 and Trust Services Principles (Detailed Reporting) AT 101

• SOC 3 – Trust Services Principles (SysTrust/WebTrust) AT 101

Type 1 and 2 reporting both still applicable

ALPHABET SOUP

MOSS ADAMS LLP | 14SLIDE 14

• AICPA SOC 2 ReportAT 101 Attest Engagements

Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and/or Privacy(Type 1 and 2 Reports)

• AICPA SOC 3 ReportTrust Services ReportTrust Services Principles, Criteria and Illustrations (Including WebTrust® and SysTrust®)

SOC 2 AND 3 REPORTING

MOSS ADAMS LLP | 15SLIDE 15

• Follows Trust Services Principles, Criteria and Illustrations (Including WebTrust® and SysTrust®)

• The engagement is used to emphasize system reliability

• Based on a prescribed set of control objectives and criteria

Principleso Securityo Availabilityo Processing Integrityo Confidentialityo Privacy

• Intended audience is system stakeholders

• No restrictions on report distribution

TRUST SERVICES

Control Areaso Policieso Communicationo Procedureso Monitoring

MOSS ADAMS LLP | 16SLIDE 16

ISAE 3402

SSAE 16United States

CICA 5970Canada

HKCPA 860.2HK/China

AUS 810Australia

AAF 01/06United Kingdom Others

MOSS ADAMS LLP | 17SLIDE 17

REPORT COMPARISON

Source: AICPA © 2011

SOC 1/ISAE 3402

1. Auditors report2. Detail system description 3. Management assertion4. Management controls5. Auditor tests of controls and

results of those tests – control objectives

SOC 3

1. Auditors report2. Detail system description 3. Management assertion4. Management controls5. Auditor tests of controls

and results of those tests

SOC 2

1. Auditors report2. Detail system description 3. Management assertion4. Management controls5. Auditor tests of controls and

results of those tests – criteria

MOSS ADAMS LLP | 18SLIDE 18

CUSTOMERS’ FIDUCIARY RESPONSIBILITY

• Periodically monitor AIS in formal manner• Obtain and maintain an understanding of AIS operations• Assess policies, procedures and controls in place• Identify recent changes and reportable issues• Use the latest SOC Type 2 reports to reduce their own

compliance efforts• Obtain a gap letter/negative assurance letter between reports

MOSS ADAMS LLP | 19SLIDE 19

CUSTOMERS’ BENEFITS OF SOC REPORTS

• Streamlined way to obtain detailed and regular input on the performance of the service organization

• Provides a clear description of the controls in place• Independently affirms the controls were (1) designed

appropriately, and (2) operating effectively.• Simplifies ability to fulfill fiduciary responsibilities• Helps focus on exceptions and issues• May provide them cost savings through reduced audit fees

MOSS ADAMS LLP | 20SLIDE 20

REVIEWING AN SSAE 16 REPORT

• Audit period covered and whether it is a SOC Type 2 report• Firm engaged to perform the SOC audits• Nature of the opinion and if there are any modifications• Any subservice organizations included or carved out• Scope of controls and level of detail within control description• Coverage and sufficiency of the specified control activities• Extent of changes since prior report• Nature, timing and extent of testing performed by service auditor• Nature and extent of exceptions, and their significance• Review and consideration of the user control considerations

MOSS ADAMS LLP | 21SLIDE 21

AIS INTERNAL CONTACT

Frank GaffVP Service Assurance & Chief Compliance Officer(858) 576-4272 x128fgaff@americanis.net

“In successfully completing its current suite of SOC 1, SOC 2 and SOC 3 Type 2 audit reports, AIS has reinforced its strong commitment to the security and availability of its data center facilities and operations.”

Chris Kradjan, Partner, National IT/SOC Practice Leader, Moss Adams

MOSS ADAMS LLP | 2222

The material appearing in this presentation is for informational purposes only and is not legal or accounting advice. Communication of this information is not intended to create, and receipt does not constitute, a legal relationship, including, but not limited to, an accountant-client relationship. Although these materials may have been prepared by professionals, they should not be used as a substitute for professional services. If legal, accounting, or other professional advice is required, the services of a professional should be sought.

Chris Kradjan, CPA, CITP, CRISCPartner , SSAE 16 National Practice Leader (206) 302-6511chris.kradjan@mossadams.com