michael werneburg

obtaining SOC-2 reports at a technology vendor

This case study contains a great deal of context, as it serves as an example of discovery that arose from doing things the wrong way.

the problem

Certain target markets for technology vendors consist of regulated entities such as banks or life insurance firms or utilities or the health sector. Firms within these markets may be accountable to several regulators domestically and abroad. These regulators are deeply concerned with third party risk:

Of particular interest to regulators is the preservation at the regulated entity of strong corporate governance. In this regard outsourcing activities that may impede an outsourcing firm's management from fulfilling its regulatory responsibilities are of concern to regulators. The rapid rate of IT innovation, along with an increasing reliance on external service providers have the potential of leading to systemic problems unless appropriately constrained by a combination of market and regulatory influences.

Outsourcing in Financial Services.
Basel Committee on Banking Supervision,
Bank of International Settlement, 2005

Selling information services to these regulated entities means meeting their stringent regulations. The vetting process for a new vendor can involve 80-page RFIs full of questions. Dealing with these requirements ad hoc can be difficult, lengthy, and disruptive. Attempting sales to these slow-moving entities can involve several gate-keepers. None of these gate-keepers can approve a deal with your firm, but they can all stop a sale if they raise objections. That's their function!

Many of these clients now also want annual service audits and SOC-2 attestation reports. Passing these audits can require new activities for your firm, and hundreds of new internal controls. Technology vendors, especially innovators, tend to be a great deal smaller than their regulated clients. Being faced with the implementation of hundreds of controls may seem like the opposite of innovation and agile service delivery.

But regulated clients live by this stuff because they know the risks in an outsourcing arrangement can be complex:

what to do

The service you offer is where you have chosen to compete. Performing at the mandated level is how you will win. By turning this risk & audit externality into a fitness regime, you can leverage the risk management function to obtain these key outcomes:

understanding and selling this initiative

The evolving SOC-2 standard is embodied in the AICPA’s “trust services principles and criteria”. It sets the level of performance, and suggests a governance framework to monitor and foster progress. If you're implementing the controls in the four domains of security, availability, confidentiality, and "processing integrity", there are about 250 material controls to implement.

It is critical to the success of a first SOC-2 audit to NOT approach it by bolting that many controls onto your existing business practices. The danger in rewiring a company in this way is that it makes many changes to the company's processes without seeming to change the objectives of the business. It will seem like busy work, and it will be resisted internally. And with great justification, because the existing processes are the way they are because they're serving your business.

To look at it in reverse: any business is a unique collection of processes and competencies. The crucial ones add value to your clients, and likely span departments. Change those crucial processes and competencies, and you’re defining a new unique equilibrium. You are, in effect, creating a new company.

This sort of project should therefore be sold to the internal stakeholders as the creation of a new company. But not just any new company. You’ll build a more consistent company. Consistency is the heart of culture, and of brand. Consistency is a natural outcome of the governance function built into the audit process. You’ll also be building a more competent firm; when you build governance into your processes, your people eliminate uncertainty. It will be a company where everyone understands their role and what to do next.

But there's more. When your people understand that they are responsible for reaching a certain bar for achievement, something magical happens. People who have taken a quality standard to heart expect quality in everything they do. Even when no auditor is watching. Because adults don’t say, “Oh, we have to do X and Y right, but the auditor’s not looking at Z.”

A holistic approach can make all this happen. This is “doing things the hard way”.

Contrast that with an unplanned approach that will leave your firm with countless, seemingly unrelated, controls to wire into existing processes that are already "good enough". What follows is the story of trying such a strategic undertaking without a strategy.

the case study

We were a fifteen person firm with one client and big ambitions. We’d been in business for a decade but now our regulated clients wanted that SOC-2 report every year. And the scope was daunting:

(This is a sample; it is not practical to list everything.)

The sources for guidance on controls were many.

There was a mountain of work, and it all had to be done at once. So we set about rewiring existing processes, introducing a new SDLC environment, restricting access to production servers, doing background checks, and generally overturning every apple cart we could find. Meetings that were scheduled to last thirty minutes would go an hour. Or two. One went to 3.5 hours! The auditors kept finding deficiencies because the company that started this endeavor simply had so few processes or systems.

The President had to support me constantly as the resistance from his executives was frequent and vocal. In fact, one executive would years later recount the time that a more senior executive tried to rally support to have me fired. Things would go the opposite way – I was promoted twice as a result of the progress we were making. But the complaints were legitimate: we did not know where we were going; I was introducing change after change after change that riled the owners of the different process areas; we needed to make hires just to manage the new processes and to ensure the new controls were in place—again, we were only fifteen people when this started. We had to institute a process by which each functional manager did quarterly control risk self-assessments. We had to constantly revise our documentation and the controls to match the evolving nature of our practices—no small feat when you're staying within the confines of an annual control audit. We had to ask people to sign dozens of manuals of policy and process every year. We subjected them to phishing tests and annual tests of our business continuity preparedness. All of this took years to stabilize.

But as unplanned as our initiative was, it began to pay off at once in a critical area. As soon as we had documented processes and an audit report to share, we began to notice a shortened and easier sales cycle.

In the words of the President:

“Now that we have our audit report, we’re having a whole other level of discussion. The gate-keepers simply ask for the report and we’re done. Everyone thanks us for making their jobs easier.”

At the same time, we observed that operations were running more smoothly:

Also, life was becoming easier for existing clients:

And we were becoming more confident and transparent:

With our operations made easier, leaders were freed to make decisions and lead:

Cross-team processes were naturally becoming smoother:

Turnover became less of an issue. The company was now growing rapidly as it became more mature and a more convincing supplier to its regulated clients. The pace was frantic, but no longer lethal:

We had enabled growth:

The magic of having adopted the regulated culture:

But all of these things became apparent to us only with time, and only after we had gone through rounds of audit-driven corrections, sensing that the good outcomes were possible but always just around the corner. As we were going through it, it felt like nothing but pain.

If we had any sense of all of these benefits we could have erased quite a bit of the resistance and debate. And avoided the attempts to have the change agent fired!

lasting lessons

First: by selling a vision of the benefits – and driving change towards those benefits – rather than viewing it as a compliance exercise, you can celebrate the improvements as they come and build on your strengths.

Second: it's becoming harder to sell to regulated industries. Having a great product got you to the door. But it's the consistency and confidence engendered from your risk control capabilities that are the security pass to get you in the door and keep you there.

reach out to me!

I like to advise: