A customer has alleged that Toronto-based financial planning and analysis (FP&A) software company Vena Solutions has misrepresented its System and Organization Controls (SOC) compliance.
Vena customer Verra Mobility claimed in a securities filing that it was misled by Vena regarding its SOC compliance.
The Nasdaq-listed mobility software firm alleged that Vena personnel “falsely asserted” that the SOC 1 Type II report the company provided to Verra Mobility had been audited by an independent auditor—a requirement for SOC compliance.
These types of reports validate the security of an organization’s services, and offer comfort that financial information provided by third parties is complete and accurate.
Verra Mobility may not be the only customer taking issue with Vena’s SOC compliance. One source familiar with Vena’s operations, speaking on condition of anonymity, claimed that Vena has misled multiple customers about its SOC compliance, and alleged that Vena is currently undergoing audits to rectify the situation. BetaKit has not yet independently verified any additional Vena customers facing these issues.
Founded in 2011, Vena provides cloud-based FP&A software to medium and large-sized companies. The firm’s technology helps clients manage budgeting, forecasting and business planning. According to Vena’s website, the company serves over 1,200 customers, including Nike, Coca-Cola, the Kansas City Chiefs, and ATB Financial.
Following outreach for this story, a Vena spokesperson provided this statement to BetaKit: “In February of this year, Vena Solutions became aware of an issue relating to SOC reports. We notified all directly impacted parties and promptly took the necessary steps to address this matter. Additionally, we notified all Vena customers, partners and employees.”
Vena declined to answer any additional questions related to its statement or the company’s SOC report issue, including: the nature of the issue, the current status of Vena’s SOC compliance, whether it had misled customers as to the status of its SOC compliance, and the number of customers impacted by this issue.
SOC reports are issued by independent auditors documenting a company’s internal controls over financial reporting that are likely to be relevant during an audit of a customer’s financial statements. According to BDO Canada, they are designed “to provide independent assurance on controls for financial processes that have been outsourced to a third party.” SOC 1 reports are suited for businesses that handle financial information for their clients, such as payroll processors and loan servicers, per PwC.
SOC 1 Type I reports attest that internal controls are suitably designed, while SOC 1 Type II reports attest that internal controls are both suitably designed and operating effectively.
In Canada, SOC compliance is achieved through third-party audit reports from independent auditors such as PwC, Deloitte, or KPMG.
While SOC compliance is not a legal requirement in Canada, a SOC compliance expert told BetaKit on background that, for companies, “it is often a mandatory requirement to be able to win a bid because otherwise their clients are not going to sign a contract with them.” This includes FinTech companies that provide services to larger, more complex and regulated customers, such as publicly-traded firms. This SOC expert also told BetaKit that there is often a clause contained in customer contracts outlining that a service provider will provide a SOC report to clients on an annual basis.
In Verra Mobility’s Form 10-K report, filed April 2022, the company notified its investors that it had discovered “a material weakness related to certain revenue and reporting controls” associated with a third-party application.
“Specifically, the third-party service organization, Vena Solutions, provided a SOC 1 Type II report that was prepared by Vena Solutions personnel who falsely asserted that it had been audited by an independent auditor,” states Verra Mobility in the 10-K, adding that the company was not made aware of this until after December 31, 2021.
Neither company confirmed to BetaKit whether Vena still operates as a Verra Mobility service provider. An August 2020 customer story blog post promoting the companies’ relationship is no longer accessible on Vena’s website.
Vena did not disclose to BetaKit how the company became aware of its SOC report issue, how many Vena customers were impacted, what steps the company has taken to address the problem, or how many customers Vena has lost as a result.
When asked by BetaKit, Vena did not say how many customers signed contracts with Vena with an understanding that Vena’s SOC 1 Type II report was audited by an independent auditor, or whether the company is currently facing any breach of contract or legal action related to its SOC reports.
The company did note, however, that “there was no compromise of our production environment and we continue to operate securely in the service of our customers.”
To date, Vena has secured a total of $450 million, from a group of investors that includes JMI Equity and Centana Growth Partners, as well as some debt financing from CIBC Innovation Banking.
In April 2021, Vena raised $300 million CAD in Series C financing from Vista Equity Partners, which acquired a minority stake in Vena as part of the round. According to The Globe and Mail, $100 million went to Vena, while the other $200 million went to JMI and Centana, which sold shares but retained stakes in the company.
At this point, it remains unclear what impact Vena’s SOC report issue has had on the company’s business. The source BetaKit spoke with claimed that Vena has lost customers as a result of this situation.
According to the SOC expert BetaKit consulted, the circumstances that Verra Mobility described could have a “huge” impact on customers, especially if they are publicly-traded companies. Any customer relying on that report, they said, “would be relying on false assurance for their own financial statements.”
“It could mean that the actual information in the market … the information on those financial reports could be off.”