FP&A software company Vena Solutions recently made headlines over its controversial System and Organization Controls (SOC) reports.
One of Vena’s customers, Verra Mobility, claimed that Vena misled them into believing that the SOC 1 Type II report that Verra was given had been audited by an independent auditor. Verra, a Nasdaq-listed mobility software firm (Nasdaq: VRRM), stated in a securities filing from April that the report was audited in-house by Vena, which breaks the SOC compliance rules:
“You'll see in our 10-K, which we expect to file tomorrow, that we had a material weakness associated with a third-party application called Vena. This is a financial reporting tool utilized in performing certain control activities. In summary, it was determined that Vena's SOC1 Type 2 report was deemed unreliable. And because we utilized Vena for several SOC controls, those controls using these reports were determined to be ineffective.”
SOC reports (Type 1 and Type 2) are designed “to provide independent assurance on controls for financial processes that have been outsourced to a third party.” The idea of SOC reports is to validate that financial information provided by third-party audits is accurate; this is usually done for, but is not exclusive to, publicly traded companies such as Verra Mobility.
SOC 1 Type I reports confirm that internal controls are designed correctly, while SOC 1 Type II reports confirm that internal controls are designed correctly and operating effectively.
Verra is claiming that they were misled by the Type II report, and the time period in question is from Q4 of 2021. It is important to note that Verra’s securities filing does not claim that there were mistakes in the reports; rather, the only issue was that they were not independently audited.
“Please note, however, that the material weakness had no impact on our financial statement outcomes,” the securities filing reads. “We are committed to the cycle of continuous improvement in our financial process and control environment.”
While Verra Mobility’s report is the biggest and most public complaint against Vena’s SOC compliance, there seem to be other customers raising the alarm as well. Canadian news and tech innovation website BetaKit reported that one anonymous source familiar with Vena’s operations claimed that Vena has misled multiple customers about its SOC compliance.
Vena is currently undergoing audits to rectify the situation.
A Vena spokesperson provided a statement to BetaKit about this issue: “In February of this year, Vena Solutions became aware of an issue relating to SOC reports. We notified all directly impacted parties and promptly took the necessary steps to address this matter. Additionally, we notified all Vena customers, partners and employees.”
Vena is a Toronto-based FP&A software solution that was founded in 2011 and caters to medium and large businesses. Some of their 1,200 customers include names such as Nike, Nando’s, and the Kansas City Chiefs.
It remains unclear how this will impact Vena’s business and profitability, but the anonymous source that BetaKit spoke with reported that Vena has lost some customers as a direct result of the SOC report controversy.
However, the controversy can have a big impact on customers in the near future, especially larger and publicly traded companies. Because of the regulations that apply to publicly traded companies, relying on SOC reports that were not verified by third parties is a serious matter for them.
Reports that were not independently checked could be misleading, causing the rest of a customer’s financial statements to be inaccurate as well. In addition, it means that investors and the public may have received false information, which raises a whole list of problems in the heavily regulated area overseen by the Securities and Exchange Commission (SEC).
Establishing Trust With SOC Reports
SOC reports started in 1992 under the Statement on Auditing Standards (SAS). In this statement, service organizations became the central source of requirements and guidance for CPAs who report on controls or audit the financial statements of companies that use service organizations to complete tasks that affect their financial statements.
In 2010, the SOC 1 and SOC 2 reports were split off and introduced by the American Institute of Certified Public Accountants (AICPA) in order to address the need of companies to externally validate their state of security.
An independent and successful SOC audit establishes trust and confidence in a service provider, as the report ensures that the provider’s controls over the systems that affect the company and its finances are operational and properly designed. If the report is not ideal, it highlights the areas in which the company needs to improve the rules and procedures that verify financial integrity and prevent fraud.
As the importance of independent and trusted SOC reports shows, FP&A software solutions do far more than simply budget and forecast. SOC reporting is just one example of how FP&A tools’ first layer of organizational data security rests upon their infrastructure and how important it is to safeguard true and accurate data.
Receiving SOC 2 certification is a rigorous process and requires maintaining long-term practices that ensure the ongoing security of data. Because this is only one small piece of what FP&A solutions do, it’s very important for businesses to do the proper research and understand which tool fits their needs based on company size, budget, revenue, data security, and organizational goals.
Our team at The Finance Weekly has put together a comprehensive list of the top 10 FP&A solutions on the market today, so that organizations can make the most informed decision about which software will cover their company's needs.