For any business, the protection of financial information is paramount. In an era when data theft makes headlines on a regular basis – and often wreaks havoc with a company’s reputation and/or stock price – CFOs are understandably nervous at the thought of sharing sensitive financial and business information. However, often the best solutions for document and process workflow automation, especially in accounts payable automation and accounts receivable automation, involve outsourcing to service providers. What can companies do to ensure the integrity of their outsourced data?
Recognizing the need for guidance in this area, in 1992 the American Institute of Certified Public Accountants (AICPA) created the Statement on Auditing Standards No. 70, Service Organizations. As outsourcing became common with the advent of cloud computing, the AICPA determined that businesses and CPAs needed more – namely, an objective evaluation tool to measure and independently verify the effectiveness of operations, compliance and financial reporting controls. To that end, in 2010 the AICPA introduced three Service Organization Control (SOC) reporting options: SOC1, SOC2 and SOC3. All are relevant to organizations using Software as a Service (SaaS) for any functions that require financial reporting, including purchase to pay and quote to cash software.
DataServ has successfully met the requirements for the SOC1 report. Meeting the requirements for this report provides clients with independent verification of DataServ’s ability to successfully manage and safeguard the financial and business information entrusted to it by clients.
The SOC1 report evaluates service controls that affect data relevant to a user’s internal control over financial reporting. There are two types of SOC1 reports: Type 1 evaluates the suitability of the design of a service organization’s controls, while Type 2 also measures the operating effectiveness of the controls.
Like the SOC1 report, the SOC2 report is a detailed controls report, but it specifically addresses one or more of five key system attributes – what the AICPA refers to as Trust Services principles: Security, Availability, Processing Integrity, Confidentiality, and Privacy. In contrast, the SOC3 report only evaluates whether the service organization’s system achieved the Trust Services criteria. It does not include detailed descriptions of the tests involved in evaluating the system.
So how can this help a business interested in outsourcing processes? The AICPA’s goal is to provide guidance to companies considering contracting with service organizations, helping them choose an effective solution at the best value. Companies can be assured that service organizations meeting the rigorous requirements for one of the SOC reports have received independent verification that they can capably and safely manage sensitive financial and business data.
Especially when considering a SaaS provider for a company’s financial and business data needs, one of the first questions should concern the provider’s SOC report status. If a service provider has taken the time and effort to undergo the rigorous audit process required to officially meet the requirements for the SOC designation, business leaders can be much more confident in placing their trust – and highly sensitive internal and client information – in the hands of that SaaS provider.