Coupa completes a Type II SOC 1 audit bi-annually.
SOC 1 Report: What is it?
Reports on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting: SOC 1 engagements are performed under SSAE 18, Reporting on Controls at a Service Organization. SOC 1 reports are examination engagements undertaken by a service auditor to report on controls at an organization that provides services to user entities when those controls are likely to be relevant to user entities’ internal control over financial reporting.
There are two types of SOC 1 reports:
- Type 1 — A report on management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
- Type 2 — A report on management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.
SOC 1 audits are conducted bi-annually and our reporting periods are November 1st through April 30th and May 1st through October 31st. After the reporting periods, external auditors conduct the audit and generate the report which is issued in June and December following each reporting period.
Bridge (Gap) Letters identifying any changes/gaps since the last audit are issued monthly at the beginning of each month.
If you would like a copy of the current Coupa Type II SOC 1 Report or SOC Gap Letters, they can be downloaded from the Coupa Compliance Reports Request Portal.