Coupa successfully completed it's first Type II SOC 2 audit for Security and Confidentiality in 2015.
SOC 2 Report: What is it?
Reports on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and Privacy: Many entities outsource tasks or entire functions to service organizations that operate, collect, process, transmit, store, organize, maintain and dispose of information for user entities. SOC 2 engagements use the predefined criteria in Trust Services Principles, Criteria and Illustrations, as well as the requirements and guidance in AT Section 101, Attest Engagements (AICPA, Professional Standards, Vol. 1). A SOC 2 report is similar to a SOC 1 report. Either a Type 1 or Type 2 report may be issued and the report provides a description of the service organization’s system.
For a type 2 report, it also includes a description of the tests performed by the service auditor and the results of those tests. SOC 2 reports specifically address one or more of the following five key system attributes:
- Security — The system is protected against unauthorized access (both physical and logical).
- Confidentiality — Information designated as confidential is protected as committed or agreed.
- Privacy, Availability, and Process Integrity were not tested.
- Privacy — Personal information is collected, used, retained, disclosed and disposed of in conformity with the commitments in the entity’s privacy notice, and with criteria set forth in Generally Accepted Privacy Principles (GAPP) issued by the AICPA and Canadian Institute of Chartered Accountants.
- Availability — The system is available for operation and use as committed or agreed.
- Processing integrity — System processing is complete, accurate, timely and authorized.
Coupa Type II SOC 2 audits are conducted annually with a reporting period of October 1st through September 30th. After the reporting period, external auditors conduct the audit and generate the report which is issued in November.
Self-Serve Audit Reports and Certifications
Coupa customers can download compliance reports, certifications, and security and compliance related documentation, including whitepapers and datasheets on-demand from the Security and Compliance page on the Coupa Support Portal.
Other interested parties in Coupa compliance reports and certifications can access these reports through the Coupa Compliance Reports Self-Serve Portal.