SOC Case Study - Secure Communications Software Start-up

Primary Contact: Eric M. Wright CPA, CITP

What can you tell us about your company/history of your company?

We are a secure communications software startup coming to a more mature level, 60 or so employees, globally, at almost five years since founding.

Why did you want a Service Organization Control Report?

As a company in the security space, we felt it was important to pursue a third-party attestation of the work we were doing to ensure the security of our products and customers. Rather than vague statements about using or leveraging varying frameworks, and promises of security, an independent third-party examination of our security controls and effectiveness would go a lot farther. Specifically, we chose a SOC 2 report, as we had several FinTech deals in the pipeline, and the SOC 2 report resonates particularly well in that space, as well as being well accepted in general.

Why is the SOC 2 Type 2 report valuable from your customers’ perspective?

As an independent third party, the auditors review our controls and posture. Not just a binary certificate, like some other standards, the SOC 2 report allows potential stakeholders, like customer or investors, to review, or have reviewed, the report, to ensure the control set is what they would expect for the product/company/service. 

Why did you choose to partner with Schneider Downs for your SOC report?

As a smaller business, at the front of the technology curve for our industry, we were really looking for a smaller firm we felt would have closer relationships. The larger firms we spoke to had a mentality we were afraid wouldn’t mesh well with us. As a highly innovative product and service, we are very used to having to explain ourselves, and wanted to be certain someone would listen. Having met one of the audit leaders at Schneider Downs professionally, I was certain this would be
the case, and it was.

Can you describe your experience with Schneider Downs?

I was very pleased with our experience. This was our initial report, and initial third-party examination. While we had prepared hard, there was some trepidation. The auditors, and the audit leadership made the process very smooth. As we encountered issues with evidencing certain controls, we were able to discuss the issues, and find a course of action to provide the documentation needed to prove the control effectiveness. In a modern Agile system, this is not always the easiest thing to do, but we were able to find creative solutions, together, to meet the goals of providing the report, while upholding the standards of the same.

How has your SOC report process been beneficial?

By the time we received our final report, we had three customers waiting for it as part of their Due Diligence of us. Since then, we have used it numerous times to shorten conversations regarding security practices. That is, as third party surveys or Due Diligence has come up, we have simply provided the SOC 2 report for review. There are occasional questions that are beyond the scope of the report, but it is certainly easier than responding manually to every request. The fact that is not just our statement, but the word of seasoned SOC report practitioners, simply reduces the friction in the sales cycle, especially for the space we are in.

Schneider Downs SOC Services

About Schneider Downs SOC Services

Schneider Downs employs a unique approach to SOC reports, integrating the expertise of information technology, internal audit and external audit professionals. By combining cross-disciplinary knowledge and project management expertise, we are able to effectively deliver on our clients’ expectations. If you are interested in learning how we can assist your organization, please contact us to get started or learn more about our practice at SOC.

Get the weekly newsletter with our most recent columns and relevant insights to you.

Have a question? Ask us!

We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.

Breached?

Every moment counts. For urgent requests, contact the Schneider Downs digital forensics and incident response team at 1-800-993-8937. For all other requests, please complete the form below.

"*" indicates required fields

This field is for validation purposes and should be left unchanged.