We’ve all heard the way that organizations buy and use software is changing. The rise of Software as a Service (SaaS) has empowered many business users to find, choose, and implement software without IT’s involvement. Beyond implementation, the IT and security teams are still responsible for the security and compliance of the solution, ensuring systems integrate with each other, and safeguarding the company’s business processes.
When it comes to financial application software, compliance initiatives affect more than just the software users. Take for example lease accounting software. Failure to meet lease accounting security measures and comply with the appropriate governmental regulations could cost a business millions and put accountants' and security professionals' jobs at risk. For those reasons, businesses should involve IT. It is imperative that the offices of the Chief Information Officer (CIO) and the Chief Information Security Officer (CISO) are a part of any major software decision that’s going to impact the people, processes, and financial data in your company.
An example on how to assess financial application software
We will use the evaluation of software for lease accounting for this example, since the three major accounting boards – FASB, IASB, and GASB – have all issued new guidance on how to account for leases. This will require most organizations to purchase a software application specifically built to address those new standards.
Your lease accounting software will be subject to both financial and security audits likely performed by two different third parties. Besides auditors wanting to know that your lease accounting software passes compliance and protects your information, the business is relying on the solution you choose to securely store its financial records. To ensure data integrity, here are five points IT and security professionals should check for when evaluating a lease accounting solution:
1) SOC 1 Type 2 Report
A System and Organization Controls (SOC) 1 Type 2 report is a report on controls at a service organization that are relevant to the user entities’ internal control over financial reporting. A SOC report provides not only an assessment of the design of the controls of a financial application, but also an audit of their operating effectiveness. This report gives the company assurance that the logical access controls of the solution and its program change procedures operated effectively throughout the audit period. Without a SOC report, the CIO has to do a lot more work to prove the internal controls and security of the software to auditors.
When assessing potential software providers, IT and security professionals should ask for a letter from the firm that performed the SOC evaluation or for the report itself. Whether the provider presents a letter or the actual report, IT and security teams should be aware of these key details:
- The report is completed by a well-known third party, preferably a Big 4 firm
- The provider has gone through multiple years of SOC audits
- The controls tested align to the use case of the application
2) Agreed-Upon Procedures (AUP)
An agreed-upon procedures engagement is one in which an accounting firm is engaged to test or review predefined transactions or specific subject matter of a third party, such as a service provider. The product of an AUP engagement is an AUP report. This report contains the factual findings from the procedures performed but does not draw conclusions from those findings. Its purpose is to enable entities to evaluate the facts based on their own needs and criteria.
Because an AUP engagement goes beyond testing internal controls to test specific scenarios, calculations, journal entries or software capabilities, it can provide an extra layer of assurance, particularly related to certain lease accounting calculations. Ask providers if they have an AUP report to share.
Here’s what to look for in the report:
- The report is completed by a well-known third party, preferably a Big 4 accounting firm
- The completed procedures align with the use case of the application
- The facts presented align with your needs and expectations of the software
3) Approval mechanisms to prevent errors being introduced into the software
In order to avoid operational mistakes, software should have a two-step approval process to review inputs and ensure completeness and accuracy. Additionally, an accurate data validation feature is essential for your software to have the controls in place that your auditors are looking for and also for public companies to comply with the Sarbanes-Oxley Act (SOX).
It’s also important to note that a solution like Excel lacks key controls to preserve the integrity of your data, including the ability to lock journal entries, accurately track changes, adjust access based on roles, or prevent duplicates. A lease accounting solution should also be a central repository for lease contracts so data can be easily referenced from the source document.
4) Requires a user login
All parts of your lease accounting solution must be password protected. It’s important for the system administrator – who should be someone who is not entering lease data – to create and manage login credentials for your users. Having a unique login and password for each user is what makes a meaningful audit log possible, as discussed below.
5) More than a spreadsheet
Using an Excel spreadsheet or modified lease management software to track your leases, rather than password-protected lease accounting software, makes it difficult to prove to auditors that your data is accurate and hasn’t ended up in the wrong hands.
Without the appropriate controls, anyone can gain access to your spreadsheets and change, download, or delete lease financial information without anyone knowing it even happened. Lease accounting software, on the other hand, should be built with proper audit logging to show who entered, changed, or deleted information and when.
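The three controls described in points 3, 4 and 5 (two-step approval, role-based logins with an administrator who manages users but never enters lease data, and an audit log that records who did what and when) can be sketched in a few dozen lines. The following Python is an added example written for this article; it is not code from the article or from any lease accounting vendor. The role names, user names, entry identifiers and amounts are constructed for illustration, and the hash-chained log is one common way to make an audit trail tamper-evident, not a description of any particular product.

```python
"""Maker-checker journal store with role separation and a tamper-evident audit log.
Added example for this article; all names and sample entries are constructed."""
import hashlib
import json
import math
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Which actions each role may perform. The admin manages logins only and
# cannot propose or approve entries, matching the separation in point 4.
ROLE_PERMISSIONS = {
    "preparer": {"propose"},
    "approver": {"approve"},
    "admin": {"manage_users"},
}

@dataclass
class JournalEntry:
    entry_id: str
    lease_id: str
    amount: float
    proposed_by: str
    status: str = "pending"          # pending -> approved; approved entries are locked
    approved_by: Optional[str] = None

class LeaseJournal:
    def __init__(self, initial_admin: str):
        self.users: Dict[str, str] = {initial_admin: "admin"}
        self.entries: Dict[str, JournalEntry] = {}
        self.audit_log: List[dict] = []
        self._last_hash = "0" * 64
        self._record(initial_admin, "bootstrap", "-", "initial admin created")

    @staticmethod
    def _digest(record: dict) -> str:
        body = {k: v for k, v in record.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _record(self, actor: str, action: str, entry_id: str, detail: str) -> None:
        # Each record includes the hash of its predecessor, so editing or deleting
        # any record later breaks the chain and verify_audit_log() reports it.
        record = {
            "seq": len(self.audit_log),
            "when": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "entry_id": entry_id,
            "detail": detail,
            "prev_hash": self._last_hash,
        }
        record["hash"] = self._digest(record)
        self.audit_log.append(record)
        self._last_hash = record["hash"]

    def verify_audit_log(self) -> bool:
        prev = "0" * 64
        for record in self.audit_log:
            if record["prev_hash"] != prev or self._digest(record) != record["hash"]:
                return False
            prev = record["hash"]
        return True

    def _require(self, user: str, permission: str, entry_id: str = "-") -> None:
        role = self.users.get(user)
        if role is None or permission not in ROLE_PERMISSIONS[role]:
            self._record(user, "denied", entry_id, f"lacks '{permission}'")  # log refusals too
            raise PermissionError(f"{user!r} may not {permission}")

    def add_user(self, admin: str, username: str, role: str) -> None:
        self._require(admin, "manage_users")
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self.users[username] = role
        self._record(admin, "add_user", "-", f"{username} as {role}")

    def propose(self, user: str, entry_id: str, lease_id: str, amount: float) -> JournalEntry:
        self._require(user, "propose", entry_id)
        # Input validation and duplicate prevention: the controls a spreadsheet lacks.
        if not (math.isfinite(amount) and amount > 0):
            raise ValueError("amount must be a positive finite number")
        if entry_id in self.entries:
            raise ValueError(f"duplicate entry {entry_id}")
        entry = JournalEntry(entry_id, lease_id, amount, proposed_by=user)
        self.entries[entry_id] = entry
        self._record(user, "propose", entry_id, f"{lease_id} {amount:.2f}")
        return entry

    def approve(self, user: str, entry_id: str) -> JournalEntry:
        self._require(user, "approve", entry_id)
        entry = self.entries[entry_id]
        if entry.status != "pending":
            raise ValueError(f"{entry_id} is already {entry.status}")
        if user == entry.proposed_by:   # second set of eyes: no self-approval
            self._record(user, "denied", entry_id, "self-approval")
            raise PermissionError("preparer cannot approve their own entry")
        entry.status, entry.approved_by = "approved", user
        self._record(user, "approve", entry_id, "locked")
        return entry

def run_demo() -> LeaseJournal:
    """Walk the controls once: bootstrap, two logins, propose, refused approval, approval."""
    journal = LeaseJournal("it.admin")
    journal.add_user("it.admin", "alice", "preparer")
    journal.add_user("it.admin", "bob", "approver")
    journal.propose("alice", "JE-1001", "LEASE-42", 12500.00)
    try:
        journal.approve("alice", "JE-1001")   # preparer role lacks 'approve'; logged as denied
    except PermissionError:
        pass
    journal.approve("bob", "JE-1001")
    return journal

if __name__ == "__main__":
    for rec in run_demo().audit_log:
        print(rec["seq"], rec["when"], rec["actor"], rec["action"], rec["entry_id"], rec["detail"])
```

Running the demo produces six audit records, including the refused attempt by the preparer to approve her own entry; refusals are logged deliberately, since a string of denied actions is the kind of signal an auditor or security team wants to see. Once an entry is approved it cannot be changed through the API, and any edit to a stored log record causes `verify_audit_log()` to return `False`.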
6) Data encryption
With data that affects your financials regularly flowing in and out of your lease accounting software – including new lease records, updated lease records, journal entries, and more – it’s imperative for it to be secure.
The IT and security teams should ensure the lease accounting solution your business chooses has encrypted data anywhere it is stored. Protecting your data and the systems and applications that store your data should be a top priority for your software vendor.
Questions to ask your lease accounting vendor
Many of your business’ key stakeholders will have questions about the lease accounting software you are evaluating. Below are some of the important questions IT and security teams should have answers to before a new lease accounting solution is in place.
- What security measures are in place to protect my data?
- How do I manage who has access to our information?
- What is your uptime service level agreement and how have you performed historically?
- How many people are on your support team and does support have access to subject matter experts such as accountants?
- How many clients use the application for accounting, and how is the company ranked in third-party reviews?
Security shouldn’t be a sacrifice
As financial and security compliance standards become more complex and numerous, knowing how to evaluate software vendors is increasingly important. Lease accounting solutions are top of mind for accountants when it comes to meeting the new compliance standards. However, there’s no reason to sacrifice security, especially when it comes to your financial records, just to reap the benefits of a lease accounting solution or any other financial application that makes your job easier.
Make the process easier by downloading our software comparison guide to develop a thorough list of questions for your next evaluation.