Coupa completes a Type II SOC 1 audit bi-annually.
SOC 1 Report: What is it?
Reports on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting: SOC 1 engagements are performed under SSAE 18, Reporting on Controls at a Service Organization. SOC 1 reports are examination engagements undertaken by a service auditor to report on controls at an organization that provides services to user entities when those controls are likely to be relevant to user entities’ internal control over financial reporting.
There are two types of SOC 1 reports:
- Type 1 — A report on management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
- Type 2 — A report on management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.
SOC 1 audits are conducted bi-annually and our reporting periods are October 1st through March 31th and April 1st through September 30th. After the reporting periods, external auditors conduct the audit and generate the report which is issued in June and December following each reporting period.
Bridge (Gap) Letters identifying any changes/gaps since the last audit are issued monthly at the beginning of each month.
Self-Serve Audit Reports and Certifications
Coupa customers can download compliance reports, certifications, and security and compliance related documentation, including whitepapers and datasheets on-demand from the Security and Compliance page on the Coupa Support Portal.
Other interested parties in Coupa compliance reports and certifications can access these reports through the Coupa Compliance Reports Self-Serve Portal.