A Tale of Two Audits: LogicGate’s SOC 2 Journey

All posts

As we near the completion of our 2020 SOC 2 Type 2 audit at LogicGate, it feels like a great moment to reflect on where we came from, where we are at, and where we are going in the future. 

Before joining LogicGate, I spent my time helping companies reframe their security processes towards leading practices and helped to deploy security tools. To put it bluntly, I was audit-phobic. Collecting evidence from new processes and tools is always difficult, being judged on that evidence can be even worse at times. This made my first initiative at LogicGate, to lead us through our SOC 2 audit, an interesting one with lots of lessons to be learned.

LogicGate’s Journey

As most small and midsize businesses (SMB) would probably agree, audits are a unique challenge. The biggest issue, how much things change within a year! When talking with your external audit team, you end up spending most of the discussions saying things like, “let me catch you up on what’s changed.” What worked process-wise for 30 employees, quickly is outgrown at 100 employees and beyond.

The other challenge, limited resources. Most small companies do not have a standalone compliance team to help enforce audits. This means that holding yourself accountable, establishing great processes, and prioritization around implementing controls up front are the biggest indicators of success in an audit. One advantage that we had, despite being a startup, is the fact that risk management is in our DNA and we have created a risk-aware culture at LogicGate. We see the value and importance of creating a solid foundation for GRC processes.

Living in the Platform

In March 2020, our control owners gathered to review how our prior year’s audit had gone. There was a range of ideas presented on how we could improve, how we could reduce our efforts through automation, and how we could democratize our control management to an even greater number of people to get accountability as close as possible to the process itself.

One of the major outcomes of that discussion was…LIVE IN RISK CLOUD MORE!

With the help of our Customer Success team, the InfoSec team and various control owners took on a six month process to rethink how we leveraged the platform and how we could take big company processes (internal audit, ongoing control evaluations, cross-framework mapping), and deploy them with startup-level resources. 

The Outcome of Our Efforts

After having already completed three SOC 2 audits, our team was ready to really focus on democratizing our controls. The reason for this is that we wanted to tie the process owner to the control itself to grow the process and the control with the number of users, customers, or “things” we were working. Fortunately, Risk Cloud made this easy. Update control and we’re good to go. What we had to overcome was an internal audit function to ensure we were following through. With no team, we spent a good amount of time solving this problem.

We landed on a solution through establishing contracts with our newly appointed control owners. Control Owners would agree to an audit timeframe for them to self-evaluate, they would be notified when new control frameworks were added, and through Risk Cloud this was all automated to reduce the effort of our InfoSec/Legal team. This framework allowed us to gracefully add new frameworks while ensuring our processes and controls stay compliant. It made our most recent SOC 2 audit so much easier, increasing my confidence in our answers and evidence, and keeping our team’s eye on the prize while growing and changing so quickly. 

My Wow Moment

One moment that stood out to me during this process was when I was presenting this information to a cross-functional team. There were a few questions about how we were doing with these self-evaluations and I didn’t have the answer on hand. So, as I was talking, I was able to quickly generate a visual dashboard and less than five minutes later, I had the answer to present to the team as I was completing my presentation. To be asked for a new perspective and be able to give it basically live really blew my mind at the power of the Risk Cloud platform.

As we wrap up our year and complete our audit, I had two major takeaways and thoughts from the two audits I led:

  • Lean in on automation and reinvest the cost savings forward into more team wins
  • Democratization of the controls leads to long-term understanding and success

In my opinion, everyone is a security/compliance professional, they just don’t have the time to learn how to be one. By reinvesting the savings of automation, keeping the control so close to the process, we were able to nail our “WHY” and better understand where we need to do these things to our team. We were able to be more thoughtful in our processes jointly to make the controls and evidence collection more natural, allowing us even more savings now and into the future.

With those thoughts out into the world, it’s time to go back and complete our discussions with the auditors and start planning on how to make 2021 even more successful for our Security/Legal/Compliance objectives and use them to enable our overall company goals!

 

All posts

Related Posts

View all posts