SOC1 and SOC2 are sets of service organization control (SOC) standards developed by the American Institute of CPAs (AICPA), providing a framework for adequately safeguarding customer data and privacy. It is essential for Corporate Performance Management (CPM) software to be SOC1 and SOC2 compliant to ensure the integrity, confidentiality, and privacy of the data it manages and to comply with regulatory requirements.
Scenario: A financial institution uses CPM software to manage its extensive data and to monitor its overall performance. However, because of the sensitivity of its financial data and customer records, the institution requires the software to be both SOC1 and SOC2 compliant.
Solution: The CPM software vendor delivers a platform that is compliant with both SOC1 (which focuses primarily on controls relevant to the accuracy of financial data) and SOC2 (which addresses security, availability, processing integrity, confidentiality, and privacy). As a result, the software meets the standards necessary to safeguard and manage the institution's sensitive data.
Vendors often state on their websites whether they meet these compliance requirements. Some vendors, especially very new ones, may not have completed the process yet or may hold only one of the two reports. Because CPM software is used to produce financial reports, SOC1 is very common among CPM software companies.
Keep in mind that SOC reporting is an ongoing process - a boon for the accounting firms that not only invented the criteria but also perform the annual audits. If an organization does not go through an annual audit, its report is not considered current. This is not a one-time certification; it requires a regular cycle of reviews.
These reports are confidential, as they may contain sensitive information that the CPM vendor does not want floating around. Expect to complete an NDA to receive these. Larger companies may take a bit longer to get them to you because they're locked down and owned by a specific team in the organization.