How do you know what security controls and compliance features are essential, important, or perhaps unnecessary, when it comes to choosing your revenue recognition software service providers? SOC 1, SOC 2, SSAE 16, Type 1, Type 2, and soon SSAE 18. What do they mean to you, the user?
SOC 1, SOC 2, SOC 3 basics
SOC 1 relates to financial systems and tests the functionality of financial processes.
- For example, are there controls to ensure your software processes transactions completely and accurately, has gone through proper development and testing, prevents unauthorized access, and maintains data integrity?
SOC 2 covers data security and the controls an organization puts in place to secure data.
- For example, cyber and perimeter security controls, or employee hiring controls.
SOC 3 is a summarized, general-use version of a SOC 2 report.
- Similar to SOC 2 (security, availability, confidentiality) but with less information – usually a single-page report.
- A “General Use” SOC report that can be distributed freely and publicly beyond auditors. SOC 1 and SOC 2 are “Restricted Use”.
- ONLY provides an opinion on controls. Does not provide a system description or a description of the service auditor’s tests and results.
Cloud-based revenue automation software providers will need to provide both a SOC 1 and a SOC 2 report to public companies and their users. Public and pre-IPO companies, or companies looking to attract venture capitalists, may need to meet the SEC standard for financial statements, which includes obtaining a SOC 1 report from your service providers. Service organizations that support significant financial reporting processes such as revenue and payroll may therefore need SOC reports for their clients. We discuss this in further detail below, along with an example of the type of relationship where both SOC reports are necessary.
What SOC reports do public companies need?
U.S. public companies need to provide annual audited financial statements to investors, and a SOC report is part of this audit. During the financial audit, the auditor is additionally required to test internal controls over financial reporting as part of SOX (Sarbanes-Oxley) compliance. The controls audit extends beyond the company being audited to its service providers. Each provider must give the public organization’s financial auditor assurance that its organizational controls operate effectively, i.e. a SOC 1 Type 2 report.
Does a private company need SOC reports?
Private companies are less regulated than public companies, but many follow the same protocols as public companies. First, this is a prudent risk management strategy. Second, it ensures the company’s books are in good standing if the company ever wishes to attract investment or make an IPO. Service providers need SOC reports only when they, or their chain of service providers, deal with public companies: SOC 1 reports will be requested if your services as a private company affect a public company’s financial data. Private companies may choose to be audited for SOC 2 reports but not SOC 1, since they are not required to provide SOC 1 reports to their financial auditors and so have no need to go through that process. As an exception, service providers operating in highly regulated industries such as financial services, healthcare, or insurance usually need to provide both SOC reports. Additionally, private user organizations that handle sensitive user data may also request both SOC reports from their service providers.
SOC 3 reports may be used by any company; however, this style of report is being phased out by FASB, as SOC 2 covers the same items in greater depth. If you are operating an on-premise software solution and not providing services to anyone else through that software, you do not need a SOC report. SOC reports exist to give external parties assurance over internal controls.
What is the difference between SSAE 16, SSAE 18, and SOC 1?
The terms SSAE 16, and its updated version SSAE 18, are often used interchangeably with SOC 1. The correct term is SOC 1, as SSAE (Statement on Standards for Attestation Engagements) is the set of standards under which SOC 1 reports are issued. SOC reports are issued by independent third-party service auditors under the AICPA’s SSAE standards. Both direct and third-party service providers obtain SOC reports, issued by their own auditors or by the auditors of the service providers in their chain. SOC 1 reports provide assurance over internal controls relevant to financial reporting, including IT security and transaction processing controls, while a SOC 2 report provides assurance over security controls at service providers.
The security controls covered under a SOC 1 report are those relevant to financial reporting, whereas a SOC 2 report covers a wider range of security controls and may also cover other areas, including availability and confidentiality of data.
SOC 1 vs. SOC 2
SOC 1 controls include the IT security and transaction processing controls that bear on financial reporting. SOC 2 reports provide assurance over security controls and optionally also cover availability, confidentiality, and privacy at service organizations.
For large public organizations, the chain of service providers is often long. If you are a large public organization using a third-party service provider for services covering key financial reporting processes (such as revenue), it is imperative that they offer a SOC 1 Type 2 report. This is needed to satisfy your financial auditors’ requirements.
Note that the new SSAE 18 regulations go further along the ‘chain’ than the current SSAE 16, to ensure every public company has a secure chain with solid financial and security controls in place. More companies will need to make sure they are providing appropriate SOC reports both upstream and downstream. To give your financial auditors assurance over your own organization’s controls, you need to ensure that your service providers, and the chain behind them, provide SOC 1 reports.
Who provides user organizations with a SOC report?
SOC stands for Service Organization Controls, and the name itself indicates the report’s role. An independent audit firm performs the SOC 1 examination for the service provider, which then communicates the results of the examination via the SOC report. For a Type 2 report, the result includes an opinion on both the design and the operating effectiveness of the controls in place; in other words, it tests whether the software does what it claims.
What is a service provider? A service provider is a company that provides a direct or third-party service for another company. It may be your company providing services to others, or others providing services to you. Website hosting, data management, payroll, tax, accounting, and revenue recognition are examples of services delivered by ‘service provider’ companies. For example, Amazon Web Services provides web hosting services and makes various SOC reports available to its customers and its customers’ customers.
An example of SOC 1 and SOC 2 reports with a service provider
Aptitude RevStream’s revenue recognition software helps customers manage their revenue cycle and revenue recognition processes. This is the service they provide for others. Large public companies that use RevStream’s software require a SOC 1 report to satisfy SEC financial reporting requirements. RevStream’s customers also include private companies using the revenue recognition software. While private companies may not need a SOC 1 report themselves, they recognize that their upstream companies and users may be public companies and will therefore need a SOC 1 report to have been completed. After multiple years of providing SOC 1 reports, RevStream understands the importance of an up-to-date SOC 1 report. Customers trust RevStream, knowing that their cloud-stored data is secure, backed by a clean SOC 2 report, and that accurate financial data is reported, backed by the SOC 1 report. The extra assurance of a Type 2 report confirms that RevStream’s controls are operating effectively.