Abrantix AG has successfully completed a System and Organization Controls (SOC) 1® Type 2 audit for ReconHub. This independent report by a certified auditor confirms that ReconHub's internal controls have been effectively designed and implemented over a twelve-month period.
Why is this relevant for you as a CFO, controller or head of accounting? Because it's about more than just a piece of paper. It's about trust, compliance and the integrity of your financial processes.
The term System and Organization Controls refers to an audit methodology of the American Institute of Certified Public Accountants (AICPA). The SOC 1® audit focuses specifically on controls that are relevant to the financial reporting of a service provider's users.
Type 2 means that the auditor has not only assessed the design of the controls, but also tested their actual effectiveness over a defined period of time - in this case twelve months.
This is particularly important for ReconHub as a payment reconciliation system (PRS). Why? Because ReconHub acts as a subsystem between your operational transaction systems (cash registers, payment service providers) and your general ledger. The quality and reliability of these reconciliation processes have a direct impact on your financial reporting.
A SOC 1® Type 2 report gives you and your auditor the assurance that, among other things:
When you use ReconHub for your payment reconciliation, you are effectively outsourcing part of your internal control system (ICS) to a service provider. However, legally and practically, the responsibility for financial reporting remains with you.
This is where the dilemma lies: you have to prove to your auditor that the outsourced processes are also properly controlled. But how do you audit systems and controls that you don't have direct access to?
This is exactly where the SOC 1® Type 2 Report comes in. It serves as a bridge between you as a user and ReconHub as a service provider. Instead of having each individual customer audit ReconHub individually (which would be neither economical nor practical), ReconHub commissions an independent auditor to conduct a comprehensive audit once a year.
The result - the SOC 1® Report - is then available to all customers and can be included in their annual audit.
Efficiency gains in the annual audit: your auditor can rely on the SOC 1® Report instead of having to audit ReconHub themselves. This saves time and therefore audit costs.
Reduction of audit risk: The documented effectiveness of the controls in ReconHub reduces the inherent risk in your financial reporting. Your auditor needs to test fewer compensating controls on your side.
Evidence of compliance: For regulated industries or listed companies, evidence of effective controls at critical service providers is often mandatory. The SOC 1® Report fulfills this requirement.
Confidence in data quality: You know that the reconciliation results from ReconHub are based on controlled processes - not undocumented black box logic.
Risk management: The report also identifies the so-called Complementary User Entity Controls (CUEC) - these are controls that you as a user should implement in order to create a complete control environment together with ReconHub's controls.
The report describes the ReconHub system and its control environment in detail. It is typically divided into several sections:
System description: How does ReconHub work? Which interfaces exist? What data is processed? This description helps your auditor to understand the system.
Control objectives: What is to be achieved by the controls? Typical objectives are, for example, the completeness and accuracy of data processing, appropriate access restrictions or the traceability of changes.
Control activities: What specific controls are carried out? These can be automated system controls (such as validation rules for data imports), but also manual controls (such as reviews of configuration changes).
Audit result: The auditor describes the tests performed and forms an opinion as to whether the controls were effectively designed and effectively implemented over the audit period.
Complementary User Entity Controls (CUEC): A list of controls you should implement as a user, for example checking the completeness of uploaded data or checking the plausibility of reconciliation results.
Modern companies have recognized that the order-to-cash (O2C) process does not end with order entry or invoicing. It only ends when the money is in the account - correctly booked, fully reconciled and fully documented.
This is where ReconHub becomes a critical component. The system reconciles sales data, payment service provider statements and bank credit notes. It identifies differences, categorizes exceptions and prepares the data for posting in the ERP system.
A real-life example: An international retailer relied on a self-developed reconciliation system. After a software update, a faulty interface led to double bookings for weeks. Turnover was overstated and liquidity planning was distorted. The error was only discovered during the annual audit - with considerable correction costs and reputational damage.
With a SOC 1® Type 2 audited system such as ReconHub, this risk would have been significantly reduced. The audit explicitly includes change management controls to ensure that software updates are carried out and tested in a controlled manner.
You may also have heard of SOC 2® audits. The two are often confused, hence a clear distinction:
SOC 1® focuses on controls that are relevant to users' financial reporting. The audit is based on the International Standards on Auditing (ISA), specifically SSAE 18 and ISAE 3402. The report is primarily intended for auditors.
SOC 2®, on the other hand, evaluates controls in relation to the Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality and Privacy. This audit is broader in scope and often addresses IT security and data protection.
For payment reconciliation systems such as ReconHub, SOC 1® is the relevant audit because it deals with the integrity of financial reporting. SOC 2® can be useful in addition, but has a different audit objective.
Complementary User Entity Controls (CUEC) are an important aspect of the SOC 1® report. These describe controls that you should implement as a user of ReconHub.
ReconHub cannot cover all control risks on its own. Some controls are the responsibility of the user. Example:
ReconHub ensures that uploaded data is processed correctly. But ReconHub cannot check whether the uploaded data is complete. This control - checking completeness before uploading - is your responsibility.
Or: ReconHub automatically reconciles transactions and identifies exceptions. However, the final decision on how to deal with an exception (e.g. write off a difference as a loss or investigate further) lies with the user.
These are just two of several such controls. The SOC 1® report lists these CUECs transparently. Your auditor will check whether you have actually implemented these controls. Only if both ReconHub's controls and your CUECs are effective will you have a complete control environment.
As a ReconHub user, you should actively incorporate the SOC 1® Type 2 Report into your year-end audit. Here is a practical guide:
The SOC 1® Type 2 Report is not a static document. It evolves, just like ReconHub itself.
At Abrantix, we don't see the audit as a one-off compliance exercise, but as a continuous improvement process. The annual audit forces us to critically scrutinize our controls, identify weaknesses and optimize processes.
You benefit from a system that not only works in a controlled manner today, but is continuously improving. New controls are added, existing ones are tightened up and the entire control environment is adapted to changing risks. The goal: to establish ReconHub as a trustworthy, audited platform for business-critical financial processes.
The successful completion of the SOC 1® Type 2 audit for ReconHub is more than just a compliance milestone. It is a clear signal: ReconHub takes its role as a critical component in your financial process seriously.
For you as a user, this means tangible benefits in the annual audit, reduced risks in financial reporting and the certainty that your payment reconciliation is based on a solid, audited foundation.
At a time when trust in digital financial processes is increasingly being questioned, the SOC 1® Report creates transparency - and that is not a standard statement. Because no two systems are the same: Which controls are checked, how deep the scope goes and what the report ultimately says depends directly on how a company is set up. What remains is the substance behind it - that the relevant controls work, the data is reliable and the process is demonstrably secure.
If you would like to find out more about the SOC 1® Type 2 Report for ReconHub or have questions about integrating it into your annual audit, please contact us. We will be happy to help you realize the full potential of this independent assurance.