The Cloud Got You Worried? Don’t Be!

As a software-as-a-service (SaaS) company, we take nothing for granted.  The beauty of SaaS is that customers can cancel their service at any time without many of the complications associated with walking away from an on-premises software solution.  For Coupa, that means we work hard to deliver the best product and service possible to earn our customers’ business every single day.  And that includes proving that Coupa, and the service we provide, is up to snuff when it comes to an auditor’s scrutiny.

While Coupa gets its share of recognition for delivering a user-friendly and innovative solution to its customers, many companies may be surprised by how much we’ve done to ensure that our customers’ data is secure and backed up, and that our service uptime is the envy of IT departments everywhere.  The SaaS space has been exploding over the past few years, and it will continue to grow because fewer companies are willing to invest millions in servers, software, and support costs to run on-premises enterprise solutions.  But companies still have concerns, especially about their data.  Virtually all public companies, and many private companies too, require their service providers to maintain, and prove, adequate controls over their respective services.

Statement on Auditing Standards (SAS) No. 70, Service Organizations, is a widely recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA).  A service auditor’s examination performed in accordance with SAS No. 70 (a “SAS 70 audit”) results in a report in which an independent auditor gives an opinion on the service organization’s stated control objectives and the control activities that support them, including controls over information technology and related processes.  Note that the control objectives are defined by the service organization itself, so a customer’s auditor should read the report to confirm that the objectives it covers actually match the controls the customer relies on.

SAS 70 audits come in two flavors.  A Type I report covers the design of the controls, and whether they have been placed in operation, as of a single point in time.  The more rigorous Type II report also tests whether the controls operated effectively over a period of time, conventionally at least six months.  Customers’ auditors typically require service providers to produce a Type II report, with control objectives that address everything from application security and data backups to organizational risks and personnel policies.  For more information, Wikipedia has an excellent entry on the SAS 70 auditing standard.

Not all SaaS solution providers can say they have passed the SAS 70 Type I and Type II audits.  The audit process requires an investment of time, money and resources that not every company is willing to expend.  Coupa retained SAS70 Solutions last fall to conduct SAS 70 audits of its operations.  We passed our Type I audit late last year, and just this June, we completed and passed our first 6-month Type II audit period. Frankly, we nailed it!   It’s great validation for the Coupa team, and on the decisions we’ve made in how we manage our business operations and the Coupa e-Procurement service. To my knowledge, we are the only SaaS e-procurement vendor that has been able to leverage services like Amazon cloud computing and open source technologies to build an infrastructure that can scale to support hundreds of thousands of users at minimal cost, allowing us to provide a great value in enterprise software with Coupa e-Procurement – complete with the strong operational controls and processes enterprises expect of their service providers.

Going forward, we are planning annual audits of our service, and we can provide bridge letters covering the gap between the end of an audit period and a customer’s fiscal year-end, to satisfy auditor requirements for customers whose fiscal year does not line up with the calendar year or with our audit period.  For more information on Coupa’s SAS 70 Type I and Type II audits, please send me an email.

One Response to “The Cloud Got You Worried? Don’t Be!”

  1. Just blowing some free time on Digg and I found your entry. Not typically what I prefer to learn about, but it was absolutely worth my time. Thanks.
