A Startup’s First Steps to SOC Readiness

Early-stage companies have a lot to contend with, including funding, staffing, infrastructure, product development, and marketing, which can create a chaotic environment. Those that collect personally identifiable information or health information as part of their business model must also add obtaining a SOC (System and Organization Controls) report to the list. A SOC report is not a certification but an independent attestation issued by a CPA firm, and it has become the standard way of assuring clients that the organization has addressed relevant risks: a SOC 1 report covers controls relevant to a client's Internal Control Over Financial Reporting, while a SOC 2 report covers controls measured against the Trust Services Criteria of Security, Availability, Processing Integrity, Confidentiality, and Privacy.

It is a daunting but wholly necessary addition to the startup workflow. Investors, partners, and customers all want to know that adequate IT security and controls are in place.

Outside parties generally call for an independent third-party audit that will stand up under scrutiny and cannot be dismissed as the company's own, biased account of how it manages information.

But where to begin?

Startups should first conduct a readiness assessment to confirm that their systems, processes, and procedures are relevant to the SOC criteria in scope, secure, and aligned with industry standards and best practices. The assessment identifies the gaps and risks that must be addressed for the focus of the SOC report, and adding or modifying controls, and sometimes the tools required to execute them, closes those gaps. Readiness is also the point at which to settle scope: which systems, locations, and Trust Services Criteria the report will cover, and whether the first examination will be a Type 1 (design of controls at a point in time) or a Type 2 (operating effectiveness over a period, typically six to twelve months).

Here are four items to have on hand for a readiness assessment:

Policies and Procedures:

As part of the formal SOC examination, an auditor will inspect your policies and procedures for the controls surrounding governance, human resources, change management, data storage, security, and responses to vulnerabilities or breaches. Startups often have not documented these and may be addressing such questions with ad hoc solutions, which is common in a small and young organization.

Formalizing policies and procedures during readiness not only helps meet SOC requirements but also creates a more scalable organization. As a company grows it will face increasingly complex security and control requirements and will need to revisit the policies and procedures it first established. Setting them down early establishes the control environment that governs how the company behaves going forward, eliminates confusion, and gives interested parties confidence. Keep in mind that the auditor tests whether the written procedure is actually followed, so a policy should describe what the company does today, not an aspirational process it has not yet adopted.

An internal know-it-all:

If one person has been at the company since inception and can speak to all of the business processes and the IT operational and service components, that person should be prepared to walk the auditor through the environment. This centralizes the process and cuts down on the time otherwise required from several people to convey essentially the same information. In the initial stages, Human Resources, the CTO, the operations manager, and others do not all have to be involved to demonstrate how the company functions; assessors can gain a sufficient understanding of the systems, controls, and hardware in use through discussion with the point person. Note that the walkthrough establishes understanding, not proof: for the examination itself, and especially for a Type 2 report, the auditor will still request evidence (tickets, access reviews, logs, configurations) showing that each control operated as described.

The infrastructure sprawl:

Whatever service the company provides, today's infrastructure model introduces real uncertainty into the IT environment if physical and location questions are not addressed. The days of everything being consolidated in one locked-down space are long gone. Where is the service actually provided from? Are there security controls in the office that are lost when employees work from home? If information is processed locally but transmitted to other organizations, how is it protected in transit?

Each layer of the IT onion needs to be considered, with documented safeguards in place.

…And the information sprawl:

In similar fashion, whereas a decade ago companies relied on their own data centers, most now use the cloud or a hybrid of cloud and on-premises systems, with access frequently extended to subservice organizations.

Amazon Web Services, Google Cloud, Oracle Cloud, and Microsoft Azure are popular cloud platforms. Each of these providers undergoes its own SOC examinations and can supply a SOC report covering the infrastructure it operates, so a company that uses the providers' security services as designed is building on a foundation that has been independently examined.

In many cases, though, startups assume that using one of these services automatically protects their data in line with SOC requirements. That is unfortunately not a safe assumption. The provider's report covers only the provider's side of the shared responsibility model; it says nothing about how the startup configured its own accounts, identities, storage, and network rules. Organizations can provision cloud environments with little security because they never enabled, or never paid for, the relevant security services the provider offers, and the provider's report typically lists complementary user entity controls that the customer is expected to implement itself. In addition, much of the data may move from the cloud environment to end user computing devices that the provider never sees. In the end, customers and partners are doing business with the entity itself, not with the subservice cloud provider, and the startup's own SOC report will either carve out the provider's controls or include them; either way, clients need assurance that the company's internal security posture is just as strong.

Startups that are looking to capitalize on market opportunities do not want to be held back by hesitant investors or security questions from major prospects. Overall, a SOC readiness assessment can help a startup get closer to SOC compliance faster, establish a strong security posture, and set the foundation for future growth.

If you have questions, please contact Andrew Mathieson at 774.512.9089, amathieson@nullaafcpa.com; or your AAFCPAs Partner.

About the Author

Andrew is a seasoned IT risk & cybersecurity advisor and a leader in AAFCPAs’ Business Process & IT Consulting Practice responsible for providing information risk management, cybersecurity, and special IT attestation solutions. He helps clients—and those charged with governance and risk management—navigate their digital ecosystem with confidence. This confidence enables further innovation through technology! Andrew has extensive experience providing direction, supervision, performance, and review of audit engagements, including SOC 1, SOC 2, SOC for Cybersecurity, and SOC 2+HIPAA. He also provides HITRUST Certification examinations and assessments, GDPR assessments, FFIEC assessments, GLBA assessments, HIPAA assessments, Internal Risk Assessments, and SOX 404 audits. He renders these services across a variety of industries, including Healthcare, Managed IT Services, SaaS/PaaS/IaaS companies, Data Centers, Cloud Services, Collection agencies, Printing and Mailing companies, Financial Corporations, and diverse nonprofit organizations.