obtaining SOC-2 reports at a technology vendor

This case study contains a great deal of context, as it serves as an example of discovery that arose from doing things the wrong way.

the problem

Certain target markets for technology vendors consist of regulated entities such as banks or life insurance firms or utilities or the health sector. Firms within these markets may be accountable to several regulators domestically and abroad. These regulators are deeply concerned with third party risk:

Of particular interest to regulators is the preservation at the regulated entity of strong corporate governance. In this regard outsourcing activities that may impede an outsourcing firm's management from fulfilling its regulatory responsibilities are of concern to regulators. The rapid rate of IT innovation, along with an increasing reliance on external service providers have the potential of leading to systemic problems unless appropriately constrained by a combination of market and regulatory influences.

Outsourcing in Financial Services.
Basel Committee on Banking Supervision,
Bank of International Settlement, 2005

Selling information services to these regulated entities means meeting their stringent regulations. The vetting process for a new vendor can involve 80-page RFI’s full of questions. Dealing with these requirements ad-hoc can be difficult, lengthy, and disruptive. Attempting sales to these slow-moving entities can involve several gate-keepers. None of these gate-keepers can approve a deal with your firm, but they can all stop a sale if they raise objections. That's their function!

Many of these clients now also want annual service audits and SOC-2 attestation reports. Passing these audits can require new activities for your firm, and hundreds of new internal controls. Technology vendors, especially innovators, tend to be a great deal smaller than their regulated clients. Being faced with the implementation of hundreds of controls may seem like the opposite of innovation and agile service delivery.

But regulated clients live by this stuff because they know the risks in an outsourcing arrangement can be complex:

what to do

The service you offer is where you have chosen to compete. Performing at the mandated level is how you will win. By turning this risk &audit externality into a fitness regime, you can leverage the risk management function to obtain these key outcomes:

• Consistently excel in all points of contact with clients.
• Optimize the fit between internal activities.
• Adopt managed change as a way of life.

understanding and selling this initiative

The evolving SOC-2 standard is embodied in the AICPA’s “trust services principles and criteria”. It sets the level of performance, and suggests a governance framework to monitor and foster progress. If you're implementing the controls in the four domains of security, availability, confidentiality, and "processing integrity", there are about 250 material controls to implement.

It is critical to the success of tackling a first SOC-2 audit to NOT approach this by implementing that many controls to your existing business practices. The danger in rewiring a company in this way is that it makes many changes to the company's processes without seeming to change the objectives of the business. It will seem like busy work, and it will be resisted internally. And with great justification, because the existing processes are they way they are because they're serving your business.

To look at it in reverse: any business is a unique collection of processes and competencies. The crucial ones add value to your clients, and likely span departments. Change those crucial processes and competencies, and you’re defining a new unique equilibrium. You are, in effect, creating a new company.

This sort of project should therefore be sold to the internal stakeholders as the creation of a new company. But not just any new. You’ll build a more consistent company. Consistency is the heart of culture, and of brand. Consistency is a natural outcome of the governance function built into the audit process. You’ll also be building a more competent firm; when you build governance into your processes, your people eliminate uncertainty. It will be a company where everyone understands their role and what to do next.

But there's more. When your people understand that they are responsible for reaching a certain bar for achievement, something magical happens. People who have taken a quality standard to heart expect quality in everything they do. Even when no auditor is watching. Because adults don’t say, “Oh, we have to do X and Y right, but the auditor’s not looking at Z.”

A holistic approach can make all this happen. This is “doing things the hard way”.

Contrast that with an unplanned approach that will leave your firm with countless, seemingly unrelated, controls to wire into existing processes that are already "good enough". What follows is the story of trying such a strategic undertaking without a strategy.

the case study

We were a fifteen person firm with one client and big ambitions. We’d been in business for a decade but now our regulated clients wanted that SOC-2 report every year. And the scope was daunting:

• Executive: setting and communicating objectives; evaluating operations and financial performance; service level management; business continuity planning; budget approval; vendor management.
• Human Resources: background checks; asset entitlements management; hiring and termination policies; privacy; acceptable use; code of conduct; confidentiality; whistle-blowing; site security; staff evaluations.
• IT: SDLC; change control; disaster recovery; technology standards; patch management; security incident management; information classification; log monitoring; viruses; bring-your-own-device; data disposal; encryption; firewall management; remote access.
• Internal control: internal audit; risk management; policy management.

(This is a sample; It is not practical to list everything.)

The sources for guidance on controls were many.

There was a mountain of work, and it all had to be done at once. So we set about rewiring existing processes, introducing new SDLC environment, restricting access to production servers, doing background checks, and generally overturning every apple cart we could find. Meetings that were scheduled to last thirty minutes would go an hour. Or two. One went to 3.5 hours! The auditors kept finding deficiencies because the company that started this endeavor simply had so few processes or systems.

The President had to support me constantly as the resistance from his executives was frequent and vocal. In fact, one executive would years later recount the time that a more senior executive tried to rally support to have me fired. Things would go the opposite way – I was promoted twice as a result of the progress we were making. But the complaints were legitimate: we did not know where we were going; I was introducing change after change after change that riled the owners of the different process areas; we needed to make hires just to manage the new processes and to ensure the new controls were in place—again, we were only fifteen people when this started. We had to institute a process by which each functional manager did quarterly control risk self assessments. We had to constantly revise our documentation and the controls to match the evolving nature of our practices—no small feat when you're staying within the confines of an annual control audit. We had to ask people to sign dozens of manuals of policy and process every year. We subjected them to phishing tests and annual tests of our business continuity preparedness. All of this took years to stabilize.

results

But as unplanned as our initiative was, it began to pay off at once in a critical area. As soon as we had documented processes and an audit report to share, we began to notice a shortened and easier sales cycle.

• Easier RFP’s and RFI’s: just hand over the documentation!
• No more one-off requests for proof of capability from vendor managers, IRM, legal, etc.

In the words of the President;

“Now that we have our audit report, we’re having a whole other level of discussion. The gate-keepers simply ask for the report and we’re done. Everyone thanks us for making their jobs easier.”

At the same time, we observed that operations were running more smoothly:

• Delivering software updates in a reliable fashion (1 error in 557 releases)
• Hosting our service in a secure and uninterrupted fashion (no downtime after four years and counting).
• Stable processes free the time of SME’s and management.

Also, life was becoming easier for existing clients:

• No more one-off requests for proof of capability from vendor managers, IRM, legal, etc.
• Improved “story” for service owners.
• More interest in expanding services with us.

And we were becoming more confident and transparent:

• Reduced need for monitoring by clients. None has ever called for an ad-hoc audit.
• Clarity around roles and responsibilities.
• Comprehensive service level attainment is demonstrable through reporting.

With our operations made more easy, leaders were freed to make decisions and lead:

• Far fewer procedural questions.
• Far fewer mistakes due to uncertainty or improper process.
• Stable processes free the time of SME’s and management.

Cross-team processes were naturally becoming more smooth:

• Mature practices mean teams work together as expected.
• Entrusting functional managers with governance process leads to automatic correction of deviations.
• A strong sense of ownership of product and service.

Turnover became less of an issue. The company was now growing rapidly as it became more mature and a more convincing supplier to its regulated clients. The pace was frantic, but no longer lethal:

• People not wearing out from rework and confusion.
• They enjoy the blend of responsibility and quality outputs.
• Stable processes freed the time of SME’s and management.

We had enabled growth:

• Stable processes allow a business to scale.
• Problems that creep in turn up at the first quarterly risk control self-assessment.
• Persistent problems turn up in the auditors’ report.

The magic of having adopted the regulated culture:

• Having that audit report indicates that you’re part of the regulated industry.
• Once you’re reached the level of being an approved vendor, you’ll find yourself able to rapidly grow in your industry.
• Partners will seek you out. Others will more readily accept you as a mature organization with the right types of clients.

But all of these things occurred to us only with time, and only when we had gone through rounds of audit-driven corrections sensing that the good outcomes were possible but just around the corner. As we were going through it, it felt like nothing but pain.

If we had any sense of all of these benefits we could have erased quite a bit of the resistance and debate. And avoided the attempts to have the change agent fired!

lasting lessons

First: by selling a vision of the benefits – and driving change towards those benefits – rather than viewing it as a compliance exercise, you can celebrate the improvements as they come and build on your strengths.

Second: it's becoming harder to sell to regulated industries. Having a great product got you to the door. But it's the consistency and confidence engendered from your risk control capabilities that are the security pass to get you in the door and keep you there.

reach out to me!

I like to advise:

• Understanding risk analysis (MSc in Risk Management).
• Understanding service delivery strategies (20+ years experience).
• Understanding IT and IT governance frameworks (e.g. ITIL, COBIT).
• Mapping the governance framework to business strategy.
• Knowledge of regulated financial industries and the software/service firms that support them.
• Business process renewal and the writing of process manuals.
• Managing the auditors. (Certified Internal Auditor designation).
• Project management (I am a PMP).