When evaluating accounting software applications, particularly cloud-based solutions, numerous customer considerations exist outside of a simple price comparison. In this article we’ll discuss the three deliverables instrumental to a successful financial software implementation and ongoing relationship with your software as a service (SaaS) provider:
- Assurance over the outputs and calculations from the system with an Agreed-Upon Procedures (AUP) report
- SOC reports providing assurance on internal controls over financial reporting
- Dedicated implementation and support teams backed by accountants
One of the options available to get comfortable with the outputs and calculations from a SaaS application is an Agreed-Upon Procedures report, or AUP report. The procedures performed during the AUP engagement are defined and agreed upon prior to the engagement by both the accounting firm and the SaaS provider. Pre-engagement agreements between the accounting firm and the service provider include establishing the nature, timing, and extent of the services to be performed.
After the accounting firm has completed the agreed-upon procedures, it will issue a written report of their findings. These reports are issued under the AICPA attestation standards by an independent CPA firm. In this type of engagement, the practitioner does not provide a conclusion or opinion in their final report, but rather, the report includes the specific procedures performed and the results, or findings, from the procedures.
Common examples of procedures performed during an AUP engagement are:
- Inspecting documents to validate transactions
- Confirming specific or provided information with third parties
- Comparing documents, schedules, etc. with certain attributes
- Executing specific procedures to test or validate work performed by others
- Performing mathematical computations/calculations
When evaluating accounting software solutions, customers should ensure their selected vendor has an independent third-party regularly review and validate the calculations and outputs from the system. One way to accomplish this is through an AUP report – with specific procedures designed to validate the accuracy of the software’s calculations and demonstrate compliance with applicable accounting guidance.
Without third-party review, customers have limited assurance the calculations and outputs from the software are correct. Any inaccuracies with a software provider’s calculations, including those within journal entries and reports could result in misstatements within the customer’s financial statements.
Obtaining an AUP from your SaaS provider will save both your own company’s personnel and your auditors from timely system testing and recalculation.
A SOC, or Service Organization Control report is an examination of controls by a CPA firm on a service organization’s internal controls over various functions, including financial reporting, IT security, or data processing integrity. It is important for an accounting software provider to have a SOC report because it demonstrates to customers the reliability of controls over the services the software vendor is providing.
Customers, in turn, provide their vendors’ SOC reports to their auditors during their financial statement and internal controls audit. Because the provider’s controls have already been tested, documented, and opined on by an independent auditor, the need for each customer’s individual auditors to test the vendor’s internal controls is mitigated.
Although the independent auditor issues an opinion on the effectiveness of the controls of the service organization, it’s important for companies to carefully review any complementary user entity controls the service provider has documented in the SOC report. Complementary user entity controls are certain policies, procedures and controls the service provider expects the user entity to implement for the objectives defined in the SOC report to be achieved.
Complementary user entity controls are typical in SOC reports issued by SaaS companies and in most cases are common sense processes or policies a reasonable end user would already have implemented. For example, the service provider may include a customer’s periodic review of user access as a complementary user entity control. Reviewing these complementary controls before your annual audit and ensuring you have the proper procedures in place will reduce the amount of questions from your auditors.
SOC reports come in three different categories, commonly referred to as: SOC 1, SOC 2, and SOC 3 reports.
The focus of a SOC 1 report is the service organization’s (e.g. software vendor’s) internal controls over financial reporting. Within the SOC 1 designation are two types of SOC 1 reports.
- The SOC 1 Type 1 report provides information on the service provider’s financial controls as of a certain date in time.
- The SOC 1 Type 2 report provides details on the effectiveness of the financial controls for a defined period of time.
Because the SOC 1 Type 2 report covers a period of time rather than only a specific date, having a SOC 1 Type 2 report is preferred over a Type 1 report.
The other two categories of SOC reports are the SOC 2 and the SOC 3 report. These reports cover IT and cyber security related controls of the software vendor. Similar to the SOC 1, SOC 2 reports are issued in two forms: Type 1 and Type 2.
- A SOC 2 Type 1 report assesses whether or not IT and cyber security controls exist
- A SOC 2 Type 2 report further assesses the effectiveness of the controls
Therefore, similar to SOC 1 reports, the SOC 2 Type 2 report is the more valuable report.
A SOC 3 report covers similar topics to a SOC 2 report. However, it is a general-use report as opposed to the SOC 2. This allows the SOC 3 report to be more widely distributed but it is also significantly less detailed than the SOC 2 report in regard to controls testing.
The distribution of SOC 1 and SOC 2 reports is restricted because they have the potential to be misunderstood when taken out of the context from which they were intended to be used. Therefore the distribution of SOC 1 reports is restricted to the management of the service organization, users of the software or services, and the user’s auditors. In essence the parties most likely to understand and be knowledgeable about:
- The services provided by the service organization
- The service organization’s interaction with subservice organizations, users, and other entities
- The service organization’s control objectives
- Internal controls and their limitations
Restricting the reports to these parties helps to mitigate the risk of the report being misinterpreted or contributing to incorrect business decisions.
Overall, a SOC 1 Type 2 report is the most beneficial SOC report on a service organization’s internal controls for an accounting focused SaaS vendor to provide to its customers since it provides assurance on internal controls over financial reporting. Ultimately, these controls will impact the end user’s own financial statements and could lead to errors or internal control deficiencies if there is a control failure. More specifically, a SOC 1 Type 2 report is the most preferable in order to cover an entire reporting period rather than just a point in time.
Because of the differences between an AUP report and a SOC report, it is beneficial for software vendors to provide both types of reports to customers to provide assurances over both the calculations presented within the software and internal controls over financial reporting as a whole.
One of the most significant differences between an AUP Report and a SOC report is that an AUP report provides assurance over calculations such as amortization schedules and journal entries for specific scenarios at a point in time. The practitioner and service provider determine the exact procedures to perform in order to demonstrate accuracy or controls of selected outputs. The resulting AUP report is an objective recording of the procedures performed and the results of those procedures. As a SaaS provider, AUP reports are documentation to users specific calculations and outputs have been tested by an independent third party.
Conversely, SOC reports provide an opinion as to the effectiveness of the service provider’s internal controls. The procedures performed are prescribed based on the control objectives selected to be tested. The end user is able to provide the SOC report to their auditors to mitigate testing on their financial reporting. A clean SOC I Type 2 report demonstrates to the auditors the SaaS provider’s internal controls over financial reporting have been found to be operating effectively for the entire testing period, and therefore they can be relied upon and decrease the testing requirements of the end-user’s auditors.
Often overlooked as criteria for evaluating an accounting software solution is the level of support available throughout the implementation cycle and during your entire software subscription period. Does the provider have a dedicated implementation team or individual assigned to your account? Or is the standard implementation more of a self-service approach leaving you to call a general help desk with any questions? Understanding both the assistance available during the implementation and after, as well as who will provide the assistance is key to a positive experience.
Of course if you’re evaluating accounting solutions, having the right team behind the product is monumental to your success. It’s important for the SaaS provider to have accountants throughout the organization to best service your company. Having accountants specialized in the specific transactions or function the software provides is valuable, especially if the vendor can offer expertise in the complexities of accounting treatment and keep you informed of developments to the relevant accounting standards. These additional resources will help you walk through any questions on how to process your transactions within the software and ensure you are fully supported at every step of any integration.
Make sure your vendor has accessible accountants available at every level of the organization – sales, implementation, customer support and product development. Whether you’re dealing with a partial lease termination or a modified equity award, being able to speak to someone who truly understands the complexities of your situation can go a long way. In addition to live support, a repository of “how to” articles — both on system capabilities and complicated accounting transactions — is a must. Check to ensure your vendor has the right tools to support your department’s success.
Evaluating a software vendor requires, among other factors, assessing how the vendor supports its customers at the onset of the agreement and throughout the life of the contract. We’ve explained the importance of a dedicated support team with expertise in the subject matter of the application and highlighted the importance of providing assurance over both controls and system outputs such as calculations.
A vendor can provide assurance over certain calculations through an AUP report, where a third-party accounting firm is engaged to perform specific agreed upon procedures and report on the findings. This differs from a SOC report, which presents an opinion on the service organization’s controls. It’s important for an accounting software vendor to regularly provide both of these reports to customers in order to demonstrate the reliability of its system outputs, including calculations, journal entries, and reports, as well as the internal controls over financial reporting.