Everything we knew about SOC 2 was wrong

After 15 years of working with SOC 2 for clients around the world, we needed to issue our own SOC 2 reports for AssuranceLab. It was brutal. And it changed everything for us. 

It’s one thing to be an expert in the standard, and another entirely to master it yourself in practice. Going through that challenging 12 months of achieving SOC 2 Type 1, and then maintaining it for Type 2, we realised everything we knew about SOC 2 was wrong! It requires a very different approach. This sparked a new philosophy about how we work with our clients. There’s one key concept you need to know about compliance that we’ll share with you below.

Taking it back to the beginning: everything we knew about SOC 2 was wrong

AssuranceLab was founded by an ex-manager in the Big4, who had worked with the SOC 2 framework from its grassroots through to 15 years later, when it had become the most prevalent global security compliance standard. We still work with its precursor, SOC 1, and even the precursors to that... But we won’t bore you with all those details!

We knew everything there was to know about this SOC 2 framework. Or so we thought...

For Paul, as a Manager in the Big4, there was a big problem... Big4 firms weren’t suited to the market opportunity. There was an explosion of SaaS companies and startups needing to achieve SOC 2, and the Big4 just couldn’t serve that market.

For the Big4, their brand and reputation are incredibly important. That may sound ironic now after all the latest scandals and bad press, but it was a critical factor back then (and probably still is). Their brand allowed them to charge 10x the fees of competitors while using inexperienced auditors to tick the same boxes. Their brand was a hindrance to the market need for SOC 2. 

The world was going through an explosion in software as a service (SaaS), and startup companies handling sensitive data. It’s impossible to guarantee security breaches won’t occur. Security and privacy are deep and complex subject matters. The Big4 generally don’t want to work with startups that are inherently more risky for their brand to be associated with. 

That resulted in fees and audit methodologies that just made no sense to the market. Imagine quoting $150-300k for a SOC 2 for a 10-person startup, with the actual fee to be confirmed halfway through... If that sounds crazy, it was not just an isolated example or two, but the norm from the Big4 firms at the time. This ultimately paved the way for founding AssuranceLab a few years later.

Based on past experiences, AssuranceLab was founded to do things differently and change the way audits are conducted: to really understand where the risks were and align the audits and feedback to what was actually valuable; to be more pragmatic about what really makes sense for modern companies; and to throw out the outdated “risk library” that only works at large, traditional, extremely risk-averse companies.

But our approach still missed the most important point, and that is where we realised we got it all wrong. Fast forward to AssuranceLab getting SOC 2 accredited ourselves. Piece of cake! ...or so we thought.

We thought we knew everything there was to know about the SOC 2 framework. We were collaborating with the most innovative compliance automation platforms, CPA firms, and partners in all corners of the industry. 

But putting that into practice ourselves was a real wake-up call: wearing the hat of wanting what was best for the business, knowing we had to achieve SOC 2, and understanding that every business has a finite set of resources to work with. The latter is what’s most important.

And here it is: less is better!

The industry has an inherent view that:

  • More controls are better
  • More risks identified means better risk management 
  • More policy coverage means more clarity on how things need to be managed 

But when you consider that each company has a finite set of resources, you realise the practical limitations, and how trying to do more actually sets you back.

  • More controls mean less focus on the controls that matter most
  • More risks identified means less robust discussion and action plans for the most critical risks
  • More policy coverage means employees get lost or don’t read the policies, making it harder to find the key clauses that matter most

Now, just to be clear: we’re not saying that doing nothing is better than a big, robust compliance program. It’s about finding the right balance for each company. The way to do that is to follow the philosophy that just enough is the perfect, ideal or optimum level.

So what could “less” look like?

  • Start with the most important and relevant 80 controls, instead of 100 
  • 10 of the critical, broad risks instead of 60 detailed items to work through
  • Log your 10-50 most critical third-party services, instead of the full 300 your team uses in varied ways that aren’t as material 
  • Implement a one-pager or a few pages of the most important policy clauses for each area and have your employees only sign off those you need them to play an active role in. 

Over the past few years we have worked with this ‘do less’ principle in mind, leading to our Compliance Starter Pathway, where we combine the best compliance automation with our AI audits backed by human experience. It allows you to achieve compliance while getting time back to focus on building and growing. Get started with less.
