SOC 1 and SOC 2 Compliance and Why This is Important

Oracle has attained SOC 1 and SOC 2 Type 2 compliance for the Retail SaaS portfolio. As a result, Oracle Retail is the only solution provider in its space to have both SOC 1 and SOC 2 compliance for all retail cloud services. This compliance is critical in ensuring retailers have the most robust security, privacy, and confidentiality while running their business operations on our retail solutions.



What is a SOC report?

System and Organization Controls (SOC) is a program from the American Institute of Certified Public Accountants (AICPA). The program is intended to provide internal control guidelines for the services offered by a service organization, such as Oracle Retail. The audits are performed by an independent third-party service auditor (we enlist Schellman). The outcome of the audit is a report on the internal control structure of an organization, like Oracle Retail, that provides the services.

Why is SOC compliance so important?

These audits report on a standard set of policies, procedures, and controls at a service organization such as Oracle. They give retailers (and their auditors) evidence of the controls in place and help reduce their risk. SOC reports help companies establish trust and confidence in their service delivery processes and controls. Because an independent third party produces the SOC report, it provides more than a "take our word for it" promise, and it lets retailers make a standardized, apples-to-apples comparison of different service providers.

SOC compliance audits are one of many inputs into a retailer's financial reporting and Sarbanes-Oxley Act (SOX) compliance. Oracle strongly recommends that cloud customers formally analyze their cloud strategy to determine the suitability of using the applicable Oracle cloud services depending on their own legal and regulatory compliance obligations. These audits are one of the key components in that analysis.

“Retailers are entrusted with a treasure trove of customer, cost, recipe and supplier data that is increasingly under attack. The risk of security breaches and digital theft has never been greater. Oracle Retail provides mission-critical functionality to our community and now gives them the additional confidence of SOC 1 and SOC 2 certification for our entire SaaS platform. This unique milestone allows our customers to deliver a more secure shopping experience and underscores the significant R&D and security investments made to serve retailers,” explains Oracle Retail SVP and GM Mike Webster.

According to Marqeta, 65% of consumers have been more concerned about fraud since the start of COVID-19. At the same time, up to 96% of consumers intend to continue using contactless payments post-pandemic. Retailers need to be ready to support the shift to mobile and contactless payment in-store and instant one-click checkout online; choosing retail solutions that have SOC compliance reports helps secure the business and restore customer confidence. For example, a modern retail POS system like Xstore relieves the fear of payment fraud.

What are the different types of SOC compliance reports?

There are two different types of reports, SOC 1 and SOC 2.

1. SOC 1 reports focus on internal controls over financial reporting

They are specifically intended to meet the needs of entities that use service organizations, and of the CPAs that audit those user entities' financial statements, in evaluating the effect of the service organization's controls on the user entities' financial statements. This report is particularly relevant for Merchandising Foundation Cloud Service.

2. SOC 2 reports focus on security, availability, processing integrity, privacy, and confidentiality

This report provides detailed information and assurance about the controls relevant to the security, availability, and processing integrity of the systems a service organization uses to process users' data, and to the confidentiality and privacy of the information those systems process. It is intended for a broad range of users who need that level of detail and assurance about a service organization's controls.

There are two types of reports for these engagements:

  • Type 1: Reports on the fairness of the presentation of management's description of the service organization's system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
  • Type 2: Reports on the fairness of the presentation of management's description of the service organization's system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.

Doesn't everyone have SOC compliance?

Not everyone has SOC compliance, and the picture is not as simple as a yes or no. Some technology solutions may have SOC reports for their data center but not for their applications. Others may have a SOC 2 report but not a SOC 1 report, because their solution has no financial integrations. Oracle Retail is the only cloud solution provider offering SOC 1 and SOC 2 reports for its retail applications.
