Originally published by Angela Ngo, Senior Manager, Product Marketing at Zuora, on Medium.
Serving over 50 public companies, Zuora RevPro achieves SOC 1 and renews SOC 2 compliance on its revenue automation service.
At Zuora, we take compliance and security very seriously. This vigilant security culture is woven throughout our product, technical operations, and security engineering teams. It shows in our extensive security and compliance certifications as well as the awards our security team has won. This year, we’re proud to announce that in addition to renewing all of our compliance initiatives, we have two new compliance reports to add to the docket: ISO 27018 for Zuora and SOC 1, Type II for Zuora RevPro.
I know, there’s a ton of security standards out there — SOC, ISO, PCI, HIPAA…the alphabet soup overflows. What does this new SOC 1 compliance report actually mean for RevPro customers?
SOC (Service Organization Controls)
SOC, or Service Organization Controls (now formally "System and Organization Controls"), is a reporting framework set by the American Institute of Certified Public Accountants (AICPA). A SOC 1 report is an independent auditor's attestation on a service organization's controls that are relevant to its customers' internal control over financial reporting. As more finance teams choose cloud-based technologies to manage their business, SaaS companies are elevating their internal controls to better serve their customers' financial reporting requirements. When a solution becomes "SOC compliant," that company or service is effectively taking on the burden of designing, operating, and having an auditor test the internal controls the SOC framework covers, giving its customers greater comfort around the financial reporting information that comes out of the service.
Not sure what this all means and why you should care? Read on.
Picking Services that are SOC 1 Compliant
You, as a business, should pick services that are SOC 1 compliant so you can gain comfort over those service organizations and their ability to support your own internal controls. You can gain insight into the controls at your service organization by reviewing its SOC 1 report. If you are a public company, your financial auditors can review the SOC 1 report and determine whether to rely on the controls at that service organization. If you use a service organization that is not SOC 1 compliant, your financial auditor will need to perform more work to determine the integrity of the data that comes from that service organization, costing more time and resources.
A chart in the original post summarizes the parties and outputs involved: the service organization, its independent auditor, the SOC 1 report, the customer (user entity), and the customer's financial auditor.
Zuora RevPro is SOC 1 Compliant
Zuora RevPro being SOC 1 compliant means that our customers and their auditors can now better understand the change management, logical access, and IT operations controls performed by Zuora RevPro. Because the report is a Type II, the auditor tested that those controls operated effectively over a period of time, not just that they were designed appropriately at a point in time. Customers and their auditors can simply obtain and review the SOC 1 report from Zuora RevPro and place reliance on our controls and on the revenue data we process. This usually means lower audit fees for our customers because audit firms will need less time and resources to validate revenue numbers from RevPro.
Zuora RevPro serves over 50 publicly traded companies, and continues to invest in product and security measures that enable our customers to operate more efficiently. We’re proud to share our SOC 1 report with our customers.
How did SOC come about?
So, big picture: in the early 2000s, Congress passed the Sarbanes-Oxley Act of 2002, or SOX. Yes, more letters for our alphabet soup. SOX requires public companies to put in place internal controls over financial reporting to prevent erroneous or fraudulent financial statements. Because many of those controls depend on outsourced services, demand grew for independent assurance over service providers, and the AICPA's SOC reporting framework is how that assurance is delivered today.
Who gets to set all these standards?
The American Institute of Certified Public Accountants (AICPA), an objective body that, among other things, sets the attestation standards under which SOC reports are issued. Service organizations are then responsible for engaging independent third-party CPA firms to examine their controls and attest that the service meets the AICPA's SOC requirements.
What the heck are Service Organizations?
In the auditing world, "service organizations" are companies or technologies that provide a business management "service" they are good at, freeing their customers up to focus on things their own business is good at, like improving their product, serving their customers, and driving sales. Importantly, service organizations provide a service that can impact their customers' financial reporting.
Yes, that was a lot of words. Let's take a simple example to illustrate: payroll automation. The payroll "service organization" does what it's best at on behalf of its customers: keeping track of employees' compensation plans, sending salary payments to a company's employees, and so on. This payroll service must also provide data to its customers that is used in financial reporting, such as how much money went to payroll expense in a fiscal period, or what a company still owes employees for hours worked at a specific point in time. Because the payroll service provides services and information used for financial reporting, companies and their auditors need to understand whether the payroll service has effective controls in place to ensure it provides accurate, reliable financial data to its customers.
Learn more about Zuora RevPro, automated revenue management for ASC 606 and IFRS 15.