Controls you can trust: SOC 1 type 2 certification

The stakes are high when it comes to choosing a lease accounting platform, because it directly affects the accuracy of your company’s financial reporting. Just about every firm working to implement the new lease accounting standards (FASB ASC 842 and IFRS 16) will be working with a new technology vendor to accomplish this project. How can you be sure you can trust what that vendor says about their own internal controls and practices, and how they will be handing your company’s financial information?

That’s exactly what Visual Lease’s SOC 1 Type 2 certification provides: proof (for both you and your independent auditors) that our internal controls are appropriately designed and properly executed to ensure safe and accurate processing of our clients’ financial transactions.

What is a SOC1 report?

A SOC 1 report is a comprehensive assessment conducted by an independent auditor to evaluate the internal controls of a service organization that could impact the financial statements of its clients. This report focuses on the organization’s ability to maintain accurate and secure financial reporting processes and provides assurance to clients about the effectiveness of these controls.

What’s required for a SOC1?

The requirements for a SOC 1 audit vary depending on the type of report being issued. However, there are some general requirements that all SOC 1 audits must meet, including:

• The service organization must have a written description of its internal controls over financial reporting.
• The service organization must have a process for monitoring the effectiveness of its internal controls.
• The service organization must permit the auditor to have access to all relevant documentation and personnel.
• The service organization must cooperate with the auditor’s investigation.
• The auditor must test the operating effectiveness of the service organization’s internal controls over financial reporting.
• The auditor must obtain written representations from management about the effectiveness of the service organization’s internal controls over financial reporting.

What does a SOC 1 Type 2 certification tell you?

Your lease accounting software vendor is a service organization that acts as an extension of your own company in the sense that they perform processing of your financial data, adding lease accounting journal entries to your GL and calculating lease assets and liabilities. That’s why your technology vendor’s controls and practices need to stand up to the same level of scrutiny that your own do.

Service Organization Control (SOC) assessments and reports, created by AICPA (American Institute of Certified Public Accountants) and performed and generated by an accredited audit firm, provide the assurance that a service organizations controls are properly designed to meet their stated control objectives at a specific point in time.

A SOC 1 report specifically addresses a service organization’s controls that relate to internal control of financial reporting. The Type 2 certification adds an assessment of the service organization’s execution of their own controls (whereas a Type 1 audit assesses only the design of controls). Auditors can come in at any point during or after the report’s specified time period to test and verify the service organization’s compliance with controls.

Because a SOC 1 Type 2 report covers a specific time period, it’s important to look for continuity of coverage over time. Chances are you will rely on your lease accounting technology for many years to come, so your auditors need to be satisfied that your chosen vendor continues to follow their stated controls and practices for the long term.

Visual Lease’s SOC 1 Type 2 certification services as assurance that your data is secure in our system and your lease accounting calculations are accurate.

Controls examined in Visual Lease’s SOC 1 Type 2 audit

Every SOC 1 audit is not the same; service organizations can have differences in their stated objectives and controls.

Visual Lease’s SOC 1 Type 2 audit covered data security, acceptable use of data, physical security of our offices, backup and recovery, and continuity planning. Our audit also went above and beyond policies and business practices to validate the most critical aspect of our service: our lease accounting calculations engine.

The following are the specific controls and business practices that auditors assessed and certified in Visual Lease’s SOC 1 Type 2 report.

• Organization administration.  These controls provide reasonable assurance that individuals employed are qualified, experienced, and trained for the job functions they perform.
• Client onboarding and administration.  These controls provide reasonable assurance that client and related lease data will be supported, authorized, accurate, and reliable.
• Lease calculations.  These controls provide reasonable assurance that lease data will be processed completely and accurately.
• Governance and compliance.  These controls provide reasonable assurance that risk identification and management, as well as relevant laws and regulations that impact operations, are identified, known, understood and implemented into business operations.
• Physical security.  These controls provide reasonable assurance that physical access to the system is restricted to authorized personnel.
• Environmental controls.  These controls provide reasonable assurance that the system is protected against fire and smoke and that temperature and humidity is maintained within predefined ranges.
• Logical access:  These controls provide reasonable assurance that logical access to systems is restricted to authorized personnel and is based on job responsibilities.
• Vulnerability management.  These controls provide reasonable assurance that the Visual Lease infrastructure is adequately secured from vulnerabilities.
• Backup and recovery.  These controls provide reasonable assurance that appropriate backups of critical systems are made to enable recovery from an outage or data center failure.
• Change management.  These controls provide reasonable assurance that changes are tested, approved, and documented prior to implementation.
• Website availability.  These controls provide reasonable assurance that service levels are defined between Visual Lease and its clients and that application availability and the hosting environment are monitored.
• Third party providers.  These controls provide reasonable assurance that third-party service providers are monitored.

How has SOC 1 Reporting Evolved Over Time?

Before, the absence of standardized reporting allowed companies to share information as they pleased, favoring insiders but leaving consumers and shareholders in the dark about internal controls and investor safeguards.

The American Institute of Certified Public Accountants (AICPA) stepped in to standardize this process, introducing auditing standards for compliance. In 2011, these standards evolved into SSAE 16, later renamed SOC 1, effective from June 15, 2011.

SOC 1 aimed to align US reporting with international practices, introducing two key changes:

1. Requiring a comprehensive “system description” in place of the prior control description.
2. Mandating a management-crafted assertion outlining control standards and responsibilities.

This new framework focused on reporting the service organization’s financial control internals, including risks from internal personnel and processes in the system description.