Zuora Successfully Re-certified on SOC 2 Type 2, But Why?

By Saloni Madhok January 17, 2017

By Jim Staats, Senior Account Manager at Zuora

With the recently completed Service Organization Control 2 Type 2 (SOC 2 Type 2) audit resulting in another re-certification for our Software-as-a-Service (SaaS) platform, RevPro OnCloud, some may be left wondering what’s the big whoop, while others might say, “…and?”

To answer the former, the ‘big whoop’ is that successful completion of this audit by an outside party (for the fifth year in a row, resulting in our fourth re-certification) indicates that the policies, communication, procedures and monitoring of controls implemented by Zuora have been tested for operating effectiveness. This most recent report reaffirms the company’s commitment to operational excellence and data security.

This company understands the responsibility inherent in delivering a trusted solution to some of the largest and most sophisticated enterprise companies on the planet. The independent assurance behind this report plays a key role in enabling Zuora to deliver transparency to our customers and the industry.

OK, but why SOC 2 Type 2, specifically? To better understand, let’s do a quick recap on how the standards of control originated.

The Accounting Standards Board (ASB) and the American Institute of Certified Public Accountants (AICPA) developed this international accounting standard (formerly referred to as SAS 70), which focuses on “Trust Service Principles” for establishing standards of control for service organizations. Service Organization Control (SOC) reports are internal control reports on the services provided by a service organization. They are designed to give users and customers the information they need to define and interpret the risks associated with outsourced financial and accounting services.

The SOC 2 report is based on the Trust Services Principles (TSP) and is designed to give customers full confidence that a service and/or SaaS provider’s technology, systems and controls provide security, availability, confidentiality, processing integrity and/or privacy in accordance with AICPA attestation standards.

A ‘Type 2’ report covers both the design and the testing of controls, reporting on their operational effectiveness over a period of time. A ‘Type 1’ report, by comparison, evaluates and reports only on the design of the controls put into operation as of a specific point in time.

Zuora selected SOC 2 Type 2 as its certification of choice because the RevPro application is based on organizational controls.

Unlike a SOC 1 audit, which is based on internal controls over financial reporting, the purpose of a SOC 2 report is to evaluate an organization’s information systems with respect to security, availability, processing integrity, confidentiality or privacy.

Consider the following, and we think you’ll agree we made the right choice in choosing SOC 2 Type 2 to test and validate the controls put in place:

  •  RevPro is purely a configurable application. Revenue is processed and reported based on the configurations performed in RevPro upon customer approval.
  •  RevPro doesn’t certify the accuracy of the statements. As stated above, revenue is processed based on the configurations defined. We expect the customer to certify the numbers based on the rules to which they have agreed.
  •  RevPro provides a framework to configure, process and report revenue.
  •  The RevPro application follows GAAP guidelines and is not generic across all industries. Every vertical and customer has its own way of processing and reporting revenue.