With recent hacking scandals and general concern around security of information, we discuss SOC reports at a basic level. For those who need a broad understanding of the importance of SOC reports to their business, service providers, and customers - read on!
How is SOC 1 different from SOC 2?
A SOC 1 report focuses on financial reporting and also includes some key security controls. A SOC 2 report covers additional security areas (and may cover availability and confidentiality controls) but does not cover transactions relevant for financial reporting.
SOC 2 reports are relevant to both public and private companies, while SOC 1 reports are mainly for public companies only. The SOC 2 report looks at who has access and ensures you have enough IT controls e.g., who has access to your customers' personal information? Further, as custodians of your data it is imperative your service provider has internal controls that keep your data secure. For example, when processing transactions or someone else's financial data, it is essential that no one can hack into it, that access is restricted, and that all confidential and private information is not accessible to unauthorized employees or users. What is important to you internally with the controls of a SOC 2 report should also be important to your service providers.
What does SOC Type 1 or Type 2 mean?
Type 2 … provides an opinion … covers a specified period of time ... tells you the controls are likely in place every day, not just when the auditor comes in.
You may hear the terms SOC 1 Type 1 or Type 2. What does the type of SOC report mean? Both SOC 1 and SOC 2 offer reports in either Type 1 or Type 2. Type 1 is not recommended for financial reporting. A Type 2 report is required per the SOX (Sarbanes Oxley) standard. Type 1 offers assurance only over the design of controls and describes the organization’s system and internal control design as of a defined date. Similar to a balance sheet, it shows what happened at a specific date. Type 2 is the preferred report by most. Type 2 SOC reports describe the organization’s system and internal control design (same as Type 1), and provides an opinion on the effectiveness of the controls to achieve control objectives. The report covers a specified period of time rather than a single date. This tells you the controls are likely in place every day, not just the day the auditor comes in. The opinion describes the auditor’s method of testing and the results. This report provides greater assurance over internal controls at a service organization. Basically, Type 2 is what you want!
Are all SOC reports created equally?
The audit firm contracted to complete the SOC audit are as important as the reports themselves. RevStream uses the global leader for providing SOC audits, KPMG. Why is the auditor important? Because it provides security to users that the audit was legitimate and they did what they were supposed to do. The PCAOB, who monitors accounting compliance, recently prosecuted a Hong Kong CPA firm for noncompliance and violations in their auditing process, levying a large fine and sanctions. Companies on the U.S. stock market and private U.S. firms regularly come under investigation. It is a good idea to check your service providers as well as their auditing firm for additional reassurance.
Which SOC reports matter when managing financial transactions?
In order to assess current or future service providers you need to know what SOC reports are imperative to your organization. At a basic level we make a play on Dr. Seuss’s Thing 1 and Thing 2 (SOC 1 and SOC 2) to memorize this: It's a good look to wear clean "socks" with your shoes. They keep you from getting blisters as you walk around on a "cloud". Even better if you are out in "public", you may need both "socks". For your organization, you will need clean SOC 1 and SOC 2 reports from your service providers if you are a public company, pre-IPO organizations, or a pre-acquisition organization, and you use a cloud software solution for your revenue automation. Clean socks matter for public company financial statements!
Why RevStream has SOC 1, Type 2
As an example, RevStream chooses to provide a SOC 1 report because many of our customers are public companies, provide services for public companies, or are involved in M&A or pre-IPO. These companies have their financial statements audited and it is imperative that their chain of material financial service providers also have a clean, complete SOC 1 report. We chose a Type 2 report because our customers need a higher degree of assurance over effective operation of controls, rather than a point in time (single date) assurance that a Type 1 report provides. Type 2 also checks that the software does what it claims to do. Our customers can be assured that when we make a claim about how our revenue recognition software works, it truly does.
RevStream’s cloud platform and SOC 2 report
A SOC 2 security report covers certain additional security areas which are not covered by a SOC 1 report, including system perimeter security. RevStream is a cloud delivered platform so data security is paramount. To ensure our customers’ data is secure, we chose what our auditor calls the “gold standard” for cloud services – Amazon Web Services (AWS). AWS provides their customers with a SOC 2 report over its infrastructure, this is then utilized by RevStream.
So why don’t all revenue software providers have SOC 1 and SOC 2?
To be truly "in the cloud" the software service provider you use must have a clean SOC 2 report.
SOC 2 is needed for managed revenue software services including cloud based services. If a company claims to be "in the cloud" and doesn't offer SOC 2, they are offering you a hybrid on-premise solution. To be truly "in the cloud" the software service provider you use must have a clean SOC 2 report.
SOC 1 is essential for public companies but not for private companies, who do not have to disclose financial statements to the SEC. Revenue management software that is on-premise does not require a SOC 1 report. Excel is an example of an on-premise solution. Using a solution without a SOC 1 audited report is a high trust relationship. You are operating a system that has no checks on functionality between claims and actual performance. Without a SOC 1, there is little difference between Excel and the solution you are being offered. Using revenue software without the assurance over internal controls provided by a SOC 1 Type 2 report is a controls risk.
Whether you are a public or private company, make sure your "socks" are clean and both on. And then make sure all of the people you work with, your service providers, are looking as good as you are!
Are you a company that needs SOC reports from your service providers? See examples of a few companies who rely on RevStream's revenue recognition software, and our clean SOCs, to manage their revenue.
Read more from our series on SOC compliance reports for revenue recognition software: