As a managed service provider (MSP), we strive to keep ahead of issues facing our business and the clients we serve. The cybersecurity and technical controls we put in place within our business are as important as the ones we put in place at client businesses.  We want to prove to our clients that their data is secure, and “trust but verify” our own processes and controls.

The AME Group completed SOC 2 Type 2 examination

We have received our SOC 2® Type 2 report, which evaluates our execution of processes and controls we have in place relevant to security and verifies they meet strict requirements. 

The AME Group completed MSP Verify™ Certification

To take SOC 2 a step further, we completed the more detailed and rigorous MSP Verify™audit process through MSPAlliance, the unified voice of the managed services industry. MSP Verify™ is a certification for managed service providers, designed to provide assurance, generate trust, and communicate transparency to consumers of managed IT services.

CMMC Readiness Assessment

As a part of the third-party auditing process, the Unified Control Standards (UCS) and Trust Service Criteria (TSC) are mapped to the CMMC requirements to complete a CMMC Readiness Assessment.

Jay Sundberg, Security Services Manager is a CMMC Registered Practitioner.

Jay Sundberg CMMC Registered Practitioner


SOC stands for System and Organizational Controls. American Institute of Certified Public Accountants (AICPA) developed the framework. Its purpose it to provide regular, independent attestation of the controls* that a company has implemented to mitigate information-related risk. There are three types of SOC audits: SOC 1, SOC 2, and SOC 3. SOC 1 and SOC 2 each have a type 1 and type 2 audit. When it comes to cybersecurity, SOC 2 has become the standard. The AME Group audits our SOC 2 Type 2 annually.

In a SOC 2 audit, we describe the policies, procedures, and systems we have in place to protect information. There are up to five categories called Trust Services Criteria. The AME Group is evaluated on three of the five categories: Security, Availability, and Confidentiality. Independent auditors evaluate the evidence we supply for the controls in each category. When complete, we receive our official SOC 2 Type 2 report. We can share this report with customers and business partners to assure them that their data will be handled securely.

SOC 2 Type 2 Report

SOC 2 Type 2 audits attest to both the design and operating effectiveness of controls over a period of time. The timeframe is typically between 3-12 months. The SOC audit provides assurance of how our systems are set up, and how they are used day-to-day. A SOC 2 Type 2 will generally provide a greater level of trust to a client or business partner due to the increased visibility of systems in action.

  • Describes our organization’s system as a whole
  • Assesses the design of our organization’s controls, as well as their operating effectiveness
  • Focuses on a period of time in which the controls are operating
  • Features detailed descriptions of the auditor’s tests and test results of the controls


Our clients and partners want to trust that we are going to protect their data. A SOC 2 report independently validates our security controls. It builds trust, and allows us to better protect our clients.

  • Protects sensitive information
  • Demonstrates a commitment to corporate governance
  • Provides assurance to customers and partners that our systems are secure
  • Satisfies requirements for an organizational and regulatory oversight
  • Serves as a competitive advantage, winning trust and driving revenue

*Controls include any process, policy, device, practice, or other actions that modify risk

About SOC

System and Organization Controls (SOC) is an Assurance and Advisory Service by the American Institute of Certified Public Accountants, AICPA.  The SOC 2 third-party audit is based Trust Services Criteria set forth in TSP section 100 (AICPA, Trust Services Principles).

About MSP Verify Program

The UCS consists of 10 control objectives and underlying controls. These controls constitute crucial building blocks of a successful managed services (and cloud computing) practice. Once the provider’s organization has completed all MSPCV (Managed Service Providers Cloud Verify) documentation on all applicable control objectives (with the assistance of MSPAlliance’s readiness assessments, gap analysis, helpful templates and consulting) the results are then examined by an independent third-party accounting firm for verification and signing of a public facing report.

As with any other substantive certification of this type, the MSPCV certification must be renewed annually. The MSPCV was the first certification created specifically for the managed services and cloud industry. Governmental agencies and regulatory bodies across the globe have reviewed MSPCV. 5 continents around the world use and accept the MSPCV control objectives.

Businesses who select a company that is part of the MSPCV can rest assured that their IT solution provider has met and exceeded the following standards, verified by a third-party audit process.

  • 1: Governance,
  • 2: Policies and Procedures,
  • 3: Confidentiality and Privacy,
  • 4: Change Management,
  • 5: Service Operations Management,
  • 6: Information Security,
  • 7: Data Management,
  • 8: Physical Security,
  • 9: Billing and Reporting, and
  • 10: Corporate Health. (Does not exist in SOC 2.)

A third-party accounting firm signs the MSPCV certification report.


MSPAlliance® is a global industry association and accrediting body for the Cyber Security, Cloud Computing and Managed Services Provider (MSP) industry. Established in 2000 with the objective of helping MSPs become better MSPs. Today, MSPAlliance has more than 30,000 cloud computing and managed service provider corporate members across the globe and works in a collaborative effort to assist its members, along with foreign and domestic governments, on creating standards, setting policies, and establishing best practices.  For more information, visit

*Controls include any process, policy, device, practice, or other actions that modify risk