SOC 2 Compliance: Attaining Audit Maturity at Amount

Overview

Amount was preparing to spin-off from an industry-leading digital lending company. This transition brought up some challenges, but also created a lot of opportunities. With LogicGate’s help, the team at Amount successfully established their own robust processes, gathered evidence of controls, and attained Type 2, SOC 1, and 2 certifications. More importantly, Amount now had the ingredients it would need to thrive in the future:

• Independent control processes, infrastructure, facilities, network, and control owners with a platform that would grow with the company
• Better control and ownership over audit timeline and processes to achieve audit maturity
• More time and resources by eliminating duplicate audit efforts and using automation across different operational and security frameworks the ability to identify controls issues through continuous controls monitoring.

SOC 2 Compliance: Attaining Audit Maturity at Amount

Headquartered in Chicago, Illinois, Amount helps financial institutions make banking simpler, safer, and more convenient.

Amount provides an end-to-end platform with enterprise bank-grade infrastructure and compliance, so banks can build out their digital offerings in months — not years. With Amount, banks can optimize performance across product categories while tapping into various service offerings including customer acquisition, funnel and performance assessments, and risk analytics.

In January 2020, Amount was preparing to spin-off as an independent company. The intent was for the separate companies to maximize their distinct value and growth potential. Amount had previously operated with combined internal controls and processes with its parent, a digital lending company. Once the transaction was completed, Amount would need to establish its own control processes, infrastructure, facilities, network, and control owners.

This planning fell to Amount’s Operational Risk Manager, Carly Phillips, and her team. To prepare to go independent, they had to determine the post-transition audit strategy and establish a preliminary control library.

Carly and her team recognized they needed to assure clients that they had effective internal controls and processes as a standalone company. Given Amount’s role as a fintech SaaS company and third-party service provider that stores customer data in the cloud, the best way to demonstrate the maturity of its controls was through SOC 1 and 2 reports, which required a time-consuming independent audit.

Leveraging Audit Technology

As Carly reviewed the combined SOC 1 and 2 audit process from before the spin-off, she saw that the process required Amount to use the shared auditor’s proprietary system.

Because the auditor’s system wasn’t internally managed, Amount couldn’t link evidence to the controls being tested, collect data over time, revisit previously submitted evidence, or internally review information prior to submission to the auditor. On top of that, control owners had to fulfill identical evidence requests for separate audits such as NIST or PCI, which took up time and resources.

As they prepared to set up their own program, Amount’s Operational Risk team knew there were audit solutions that could help them take advantage of automation and allow them to control the audit process as well as their own data. Amount was looking to set up an audit process that would help them establish independence and also give them control of the process. Equally important was a platform and partner that would grow with them in the future.

Enter LogicGate’s Risk Cloud® platform, which gave Amount the flexibility to establish, scale, and optimize their controls process along with a team that had the GRC expertise to provide insight as Amount matured.

Preparing for an Independent SOC 1 & 2 Audit

As an independent company, Amount would have to navigate a mix of controls that were brought over from its predecessor, establish new controls, and, in some cases, make ownership changes to existing controls. LogicGate’s Customer Success team helped Carly and her crew parse through the multitude of controls to understand what they had, what they needed, and where there were gaps, along with considering industry best practices.

To ensure it could comply with SOC 1 and 2, Amount undertook a readiness assessment to determine how prepared it was for SOC 1 and SOC 2 audits. To prepare, adopting LogicGate’s SOC 2 Management Application in Risk Cloud was a logical next step.

During implementation, the LogicGate team built the process that helped Carly’s team get the audit done as accurately and quickly as possible. Amount leveraged the existing controls, management workflows, and PCI documentation already in Risk Cloud, while also mapping SOC 2 and NIST’s CSF assessments across activities.

The transition empowered the Operational Risk team and helped them put in place a more robust and centralized audit process going forward.

In the fall of 2020, Amount completed its first independent and automated SOC 1 and 2 audit. With an automated platform for controls management, they could now take advantage of continuous controls monitoring to identify and remediate potential issues in real-time rather than during the audit process.

This was possible through over-time evidence collection, control-owner attestation, and identification of potential deficiencies, all of which supported self-audit of their own controls and ongoing audit readiness.

Carly explained, “What we achieved is an automated strategy to look at controls throughout the year rather than just at that one checkpoint when the auditor comes in.”