Requirement

SOC1 and SOC2 compliant

Functional Area

General

Industries
All
DETAILS

Description

SOC1 and SOC2 are sets of service organization control (SOC) standards developed by the American Institute of CPAs (AICPA), providing a framework for adequately safeguarding customer data and privacy. It is essential for Corporate Performance Management (CPM) software to be SOC1 and SOC2 compliant to ensure the integrity, confidentiality, and privacy of the data it manages and to comply with regulatory requirements.

Example Use Case

Scenario: A financial institution uses CPM software to manage its extensive data and to monitor its overall performance. Because of the sensitivity of its financial data and customer records, the institution requires the software to hold both SOC1 and SOC2 compliance.

Solution: The CPM software vendor delivers a platform that is both SOC1 (primarily focusing on financial data accuracy) and SOC2 (which addresses security, availability, processing integrity, confidentiality, and privacy) compliant. As a result, the software meets the necessary standards to safeguard and manage the institution's sensitive data.

Considerations

Whether a vendor meets these compliance requirements is often stated on the vendor's website. Some vendors, especially very new ones, may not have completed the audits yet or may hold only one of the two reports. Because CPM software is used to produce financial reports, SOC1 is very common among CPM software companies.

Keep in mind that SOC reporting is an ongoing process - a boon for the accounting firms that not only invented the criteria but also perform the annual audits. If an organization does not go through an annual audit, its report is not considered current. This is not a one-time certification; it requires a regular cycle of reviews.

These reports are confidential, as they may contain sensitive information that the CPM vendor does not want circulating. Expect to sign an NDA to receive them. Larger companies may take longer to provide them because the reports are locked down and owned by a specific team within the organization.

Questions to Ask a Vendor

  • Compliance Assurance: Can you provide the most recent SOC1 and SOC2 audit reports for your CPM software?
  • Third-Party Compliance: How do you ensure that any integrated third-party services or applications are also SOC1 and SOC2 compliant?