Six Years. Zero Exceptions. What That Actually Means for Your Supplier Data.

Trust Your Supplier and A-LIGN SOC 2 badge side by side beneath the text "Six Consecutive Years. Zero Exceptions." marking TYS's sixth consecutive SOC audit completion with zero exceptions.

When you choose a platform to manage your supplier relationships, you are also choosing who handles the data behind those relationships. 

Bank details. Ownership structures. Compliance certifications. Onboarding documentation. All of it lives inside the system you select. The question worth asking before you commit, and periodically after, is what that system does to protect it. 

What a SOC audit actually tells you 

A SOC 2 Type 2 examination is not a self-assessment. It is an independent audit conducted by a third-party firm, evaluating whether a service organization's controls around security, availability, processing integrity, confidentiality, and privacy are actually operating as designed, not just documented on paper. 

The "Type 2" designation matters. A Type 1 report evaluates whether controls are suitably designed at a point in time. A Type 2 report evaluates whether those controls operated effectively over a sustained period. It is a harder bar to meet and a more meaningful signal for organizations making vendor decisions. 

A SOC 1 Type 2 examination covers something equally important for procurement and finance teams: controls relevant to user entities' internal control over financial reporting. When your own auditors assess the third-party systems your organization depends on, a clean SOC 1 result is part of your own audit evidence. 

Zero exceptions means every control tested was found to be operating as designed. No findings. No qualifications. No remediation required. 

Six consecutive years 

TYS completed its 2026 SOC 1 Type 2 and SOC 2 Type 2 examinations with zero exceptions across all control areas. The audit covered the period February 1, 2025 to January 31, 2026 and was conducted independently by A-LIGN Assurance. 

This is the sixth consecutive year TYS has achieved this result. 

That streak matters more than any single year's report. A first-time clean audit is a data point. Six consecutive years with zero exceptions is evidence of something embedded in how the organization operates. The controls are not assembled for audit season. They are how the work gets done every day. 

What the audit covers 

The examination tested controls across five areas: 

  Control environment. Policies, codes of conduct, background screening, training requirements, organizational structure, and accountability standards for all TYS personnel. 

  Information security. Role-based access controls, multi-factor authentication, audit logging, encryption at rest and in transit, logical access reviews, and data disposal procedures. 

  Computer operations and availability. System monitoring, incident response, business continuity and disaster recovery planning, antivirus and intrusion prevention, and change management. 

  Data communications. Vulnerability scanning, network segmentation, TLS encryption, firewall configurations, and VPN authentication. 

  Backup and recovery. Encrypted backups, real-time offsite replication, daily incremental and monthly full backup schedules, and annual restoration testing. 

Every control point across all five areas: no exceptions noted. 

Why this matters for the organizations that use TYS 

The supplier data managed on the TYS platform sits at the intersection of financial operations, compliance requirements, and operational continuity. Payment details that need to be accurate. Certifications that need to be current. Ownership records that need to reflect reality. 

When you extend your supplier management to a third-party platform, you extend your own compliance posture to that vendor. A SOC 2 Type 2 examination with zero exceptions, independently verified and sustained over six consecutive years, is how TYS demonstrates that the extension is warranted. 

The full SOC reports are available to current clients and to prospective customers under NDA. Reach out to your TYS contact for access. 


Frequently Asked Questions

What is SOC 2 Type 2 compliance?

SOC 2 Type 2 is an independent audit that evaluates whether a service organization's security, availability, processing integrity, confidentiality, and privacy controls are operating effectively over a defined period. It is conducted by a third-party auditor in accordance with standards established by the American Institute of Certified Public Accountants (AICPA). A zero-exceptions result means every control tested was found to be operating as designed throughout the audit period.

What is the difference between SOC 1 and SOC 2?

A SOC 1 audit evaluates controls relevant to user entities' internal control over financial reporting. A SOC 2 audit evaluates controls across five trust service criteria: security, availability, processing integrity, confidentiality, and privacy. Both Type 2 reports evaluate operating effectiveness over a sustained period rather than at a single point in time.

How often does TYS undergo SOC audits?

TYS undergoes independent SOC 1 Type 2 and SOC 2 Type 2 examinations annually. The 2026 audit, conducted by A-LIGN Assurance, is the sixth consecutive year TYS has completed both examinations with zero exceptions.

How can I access TYS's SOC reports?

SOC reports are available to current TYS clients and to prospective customers under a non-disclosure agreement. Contact your TYS representative to request access.
