VanRein Compliance Podcast

Unlocking Security: A Deep Dive into SOC 2 Compliance with Kate Williams

May 16, 2024 Rob & Dawn Van Buskirk

Unlock the mysteries of SOC 2 compliance with Kate Williams, our expert CPA and certified SOC 2 auditor from Maxwell Locke & Ritter. Kate turns what could be a tedious topic into an accessible and engaging affair. We cover the ins and outs of the SOC 2 framework, its inception, and why tech companies big and small need to sit up and take notice. Kate's unique blend of humor and deep industry knowledge illuminates the audit process and the strategic value of SOC 2 reports, leaving no stone unturned in this critical discussion.

The tech landscape is evolving, and with it, the pressures faced by startups to achieve SOC 2 compliance. In a candid conversation with Kate, we dissect the nuances between SOC 1 and SOC 2 audits, and the difference between Type 1 and Type 2 reports. The insights offered go beyond mere compliance; they're about seizing opportunities and navigating the challenges of resource allocation for early-stage companies. This chapter reveals the true value of compliance investments and when it might be wise to challenge the status quo.

We wrap up with a deep dive into the darker side of tech – data breaches, their repercussions, and the subtleties of off-boarding processes. By sharing stories of security slip-ups and the importance of structured documentation, Kate emphasizes the need for robust cybersecurity measures. She also clarifies the distinctions between SOC 2 and ISO certifications, ensuring our listeners are armed with the knowledge to protect their companies from becoming another cautionary tale. Tune in for a conversational, yet enlightening session that's anything but a dry lecture on compliance.

Thank You for Listening to the VRC Podcast!
Visit us at VanRein Compliance
You can Book a 15min Call with a Guide
Follow us on LinkedIn
Follow us on Twitter
Follow us on Facebook




Rob:

Hello and welcome to the VanRein Compliance Podcast with Rob and Dawn. I'm Rob and I'm Dawn. Hello Dawn, how you doing? Good, how are you? Good. We are excited today because we have Kate Williams on the podcast. She is a CPA, she is a certified SOC 2 external auditor and she is our exclusive audit partner at Maxwell Locke & Ritter in Austin. So, yes, you have to hook 'em horns, because that's where you went.

Kate:

Yes, that's right. Happy to be here, guys.

Rob:

Well, thank you so much for joining us. You know, the one thing that we'd love to do is just encourage and educate our listeners about different types of compliance frameworks. We've talked ISO, we've talked family business. We're going to chat HITRUST later, but this week we want to talk SOC 2 and we're like, hey, who's the SOC 2 auditor that we know and, oh, we use? Yes, which is good. So we're excited to have you. We're excited to just learn more about SOC 2, which we know, but obviously, having our listeners learn more about it and the value of it. So, yeah, perfect, all right. Well, tell us a little bit about yourself, talk to the class, introduce yourself.

Kate:

Sure, perfect. So I'm Kate Williams, partner at Maxwell Locke & Ritter. Like you mentioned, I have been in kind of the IT risk and compliance space since I graduated. It's all I've done. I started out at PwC in a group called Risk Assurance. They actually started out being called System and Process Assurance. That's what hooked me, because they called it SPA and SPA just sounded like a really luxurious department to work in. But then they rebranded to Risk Assurance. So I've been in that kind of field ever since. I've been at ML&R for about five years now and our bread and butter is SOC 2. I live and breathe SOC 2, for better or worse. I bring it up at parties. People are usually not amused, but I feel like we have a good group here that is interested in learning more, so I'm excited to be here.

Dawn:

Absolutely. Oh, that's fun at parties, yeah.

Rob:

Yeah, I have socks too. No, no, SOC 2. Oh, that's different.

Dawn:

Do you have a nickname? I have to ask you first, do you have a nickname? 'Cause Rob has a HIPAA nickname that some of our customers have coined him. Do you have, like, a SOC 2, like, SOC 2 Queen or any kind of weird nickname that people give you? Oh?

Kate:

I think at some point I've jokingly called myself a SOC 2 Guru. Like, to my team. I would never be so bold as to say that to a client. They might just think, you know, compliance nerd, I don't know, something along those lines, but SOC 2 Guru is a self-proclaimed title that my team has latched on to, unfortunately. Better than Rob's. What is it?

Rob:

So the backstory of this is I had a client meet with me and it was being a person, we're going through everything. And she looked at me and she goes, Rob, yeah, you're a HIPAA devil, yeah, but I need you to fix that. So you're going to fix it as the HIPAA devil.

Kate:

Oh my gosh.

Rob:

And because she had had so many just security concerns and getting her team to really understand compliance. She's like, you, just, I hate it. It's dumb. And obviously she's like, I've been in business and had my practice way before HIPAA was a HIPAA, and here she's like, just threw the check at me, and she's been an amazing client for like five years, so I'm the HIPAA.

Kate:

That's amazing, like I'll take it. I'll take it.

Dawn:

Oh my gosh, you were called something better. I can't remember, someone, another customer, renamed you, but I can't remember what it is. But it is better than, obviously, HIPAA devil.

Rob:

HIPAA devil, yeah. We'll move on.

Kate:

It's always easy to remember the bad ones, right? You remember the bad ones. You can never remember the good ones.

Rob:

Like any language, right, you always learn the cuss words in German or French.

Dawn:

Well, let's start off, Kate, with, you know, people know, they've heard SOC 2. But let's just give our listeners a little bit of, like, a framework on what it actually is.

Kate:

Yeah, great question. So it's a regulatory framework. It's a list of requirements that are published by the American Institute of Certified Public Accountants. Not a very exciting component to it, but that's the backstory. The AICPA initially created requirements on vendors and companies that impacted their customers' financial statements, and then, as there were more and more companies that impacted things more like data security or business operations or availability, that kind of evolved into the SOC 2. So you have this kind of laundry list of requirements designated by the AICPA, and what that turns into in the real world, in real life, is usually tech companies, often enterprise SaaS or health tech or fintech, tech companies that have really sensitive information or work with big companies. They'll go through this assessment process where an auditor checks a bunch of things against this SOC 2 framework, and then the outcome is this very, very long report that I hope everyone lovingly reads, but I hear they maybe skim through a little bit.

Dawn:

And then they get, of course, the seal that they want on their website.

Kate:

That's exactly right. Yeah, critical component that AICPA SOC 2 seal of approval.

Dawn:

Yep, you know, from our standpoint, we're hearing a lot of "my customers need me to be SOC 2." We're getting a lot of folks coming to us saying this is what we need, we need, we need, we need. It sounds like a lot of people are making the requirement a requirement. I guess I don't know. Is it just kind of become this thing to do? Just people are just throwing it out there like, oh, I'm just going to do it. Is it becoming kind of one of those things where it's like everyone has it, and do they need it? I guess that's my point. Is that, is it becoming flooded?

Kate:

Yeah, that's a great question. It's definitely become much more common and much more frequently requested. So the perfect examples of who genuinely needs a SOC 2, you really see it a lot in early stage companies that are going after very large customers. Like, say, you have a startup, they've been in business for two years, they have 20 software engineers, they made this great product that Walmart wants to buy. Walmart has no reason to trust this 20-person, two-year-old software company. But if they have a SOC 2, that tells Walmart, hey, like, someone independent came in, reviewed these controls, reviewed how your data will be secured, reviewed how this platform will be updated and kept secure. So that's the prime example of when it really makes sense, when you have a company that needs that level of credibility to work with really large customers. Beyond that, it certainly makes sense for larger companies that are selling into large orgs to continue to have that certification as they grow, continue to have the SOC 2 report every year. But what we've seen is that earlier and earlier stage companies are being asked for the report, sometimes when they're at stages where it's just really, honestly, hard for them to pull together the resources time-wise and money-wise. Or we've also seen companies that really don't process that much sensitive information and they're still getting asked for a SOC 2.

Kate:

So it's certainly become more prevalent. In some ways, I think that's a good thing because it just standardizes good data security practices across the board. People know that they have to immediately jump in and treat sensitive information well, but it's been in some instances, I think, a little more burdensome to companies than it necessarily needs to be. So we'll always talk with companies and figure out, you know, where's the ask coming from? Is it reasonable right now? And if the answer is yes, and, well, if we get a SOC 2, we're going to win this $100,000 deal, like, yes, that makes financial sense, right. But other times we might suggest, you know, in this instance maybe push back on the prospect and say we do all these other things but we don't have a SOC 2 yet. Maybe we'll get one next year and see if that works. So there's some flexibility there, because we're definitely seeing it be very broadly applied.

Dawn:

Yeah, we've come across all those scenarios. Honestly, I think the big thing is the ROI.

Kate:

Yeah.

Dawn:

Customers want to market themselves, and some of them are startups, some of them are legacy companies that just feel that because they work with larger corporations if they're healthcare, whatever they are and they just really want that for the ROI and also, conversely, is to win a big account. So we're seeing all those scenarios as well on our end.

Kate:

Yeah absolutely.

Rob:

So SOC's always been, you know, there's been the confusion of the Type 1 and the Type 2, right? So people are like, what do we need? Like, what do you need? Like, I don't know, what do I need, I don't know, what do you need. So why don't you break down what is a Type 1 for the listeners, and what's the?

Kate:

So that just adds and it's like I just want to talk to the AICPA, like, who created this? Like, let's add an A and B in there. Like you know, it just so ends up being so confusing.

Kate:

A bunch of accountants in a spreadsheet just saying, right, we're not good at marketing and branding, just, as you know, as a species, as, like, accountants and auditors. So, just, I'll mainly dive into Type 1 versus Type 2, but just because people end up hearing them both, a quick insight into SOC 1 versus SOC 2. SOC 2 is really the most prevalent one right now. SOC 1 is, you know, for companies that impact financial reports of their customers, so payroll organizations, you know, some companies that do accounting-type calculations. You know, there are a lot of instances where that makes sense.

Kate:

The bigger topic right now, and what's more prevalent, is SOC 2. So you kind of have that layer that we'll leave there, SOC 1 and SOC 2. And then that next level of adding confusion is the Type 1 and the Type 2. So the Type 1 is a point-in-time assessment. So we'll pick a date, we'll say June 30th.

Kate:

As of June 30th, we expect you to have this set of controls in place and we're just going to look at one of everything. Like, OK, we expect you to approve changes to your platform and test them prior to deployment. So let's just look at one of those changes and see if you did that. We don't have to take a sample, we don't have to look at all of them. We don't have to be random in our approach like we do for the Type 2. We're just looking at it once, and so we can see that it's in place, but not necessarily that you're really crushing it and tackling it consistently all the time. So a lot of times companies will start with a Type 1 because it's just easier to get out the door faster.

Rob:

Get up and go.

Kate:

It's just as of a certain date. Exactly. You don't have to wait for a time frame to pass, and it's kind of a trial run sometimes where you get to see what the process is like, like what kind of evidence you're getting. Obviously, if they're going through a readiness process with you guys, they would understand what that would look like, you know, would understand what that evidence is. And so the trial run part might not be as critical of a component, but it's still beneficial from, like, a timing standpoint to get a report out the door sooner.

Kate:

The Type 2 has to cover a time frame and there has to be additional testing, essentially. So we'll take that same change example and we'll look at, all right, you did 50 changes over the time frame. So we'll pick a sample of eight, or however many we pick. I don't have my sampling guidance memorized at the moment, but we're going to randomly pick eight and we're going to randomly check those, if they were approved and tested. So it essentially has to be consistently in operation. Controls have to be working continuously, because inevitably we're going to accidentally pick the one time that you didn't do it. It's just well known about us auditors that we always accidentally pick the bad one.

Rob:

Of course you have to justify your existence. I know.

Kate:

Exactly, I knew you were doing something wrong. So yeah, that's the main difference, kind of point in time as of a day, or as of a timeframe, usually a year.

Rob:

Yeah, yep, it's always over that year, and obviously, you know, as much as other brands which we won't name, you know, they say you can get your SOC 2 cert in like two weeks, right, or the dry body. You know, and, as you mentioned, yes, VanRein does perform the internal readiness and the audit and the creation and the policies and the procedures, and we package you up and then we hand you to Kate and she does the external auditing. So one thing I need everybody to focus on is, yes, great, you've got an external auditor, but they're not going to do the internal audit, or if they do, it's either very expensive or it is, sometimes you have that conflict of interest, right, having the same firm.

Rob:

We need to have, like, a separate internal auditor and a separate external auditor. Oh, I have to create policies? Yeah, we can come and help you with that, or you can do it yourself. They go, oh, like, yeah, it's not a check-the-box thing.

Kate:

So yeah, we don't like check the box. It sounds nice. I feel like, you know, I talk to prospects and clients, they're like, well, it sounds like check the box, who cares? It's like, no, check the box is such a waste of time.

Kate:

If you're doing check-the-box activities, if you have, like, you know, one of the automation platforms and it's all check the box, you didn't do anything to help your company. You didn't do anything to be more secure. You didn't do anything to help your customers have more secure data. You just did the minimum to get a report. So, when it comes down to it, you're going to run into scenarios where, if your customer knows what they're looking for, they're going to see, like, oh, this report, these are just check-the-box activities. This isn't actually a good compliance program, a good security framework that they're following. So it's really dangerous to do that, even though I know some people, at least my husband. My husband is a tech CEO. They have a SOC 2. I don't do it because it's an independence violation and I would give him so many exceptions. I would find exceptions, right, but he always tells me what-.

Rob:

Well, considering. So we're recording this a couple of days before Mother's Day, and the bouquet that I know listeners don't see. So exceptions, oh, you're good, honey, here's your certificate.

Kate:

He is great. He is great.

Rob:

Yeah.

Kate:

Yeah, right now he would get a good one. He would get a clean bill of health on that thing. But he tells me, he's like, well, I'm fine with check the box, let's just get it over with. So I feel like we have to tell people there's danger in that. That's not the easy path. Check the box might sound like it's just quick and easy, but it's a much harder path when your customer ends up finding out, when they're looking at a SOC 2 and relying on it.

Dawn:

And then the whole thing was just a check the box done in five seconds. And you bring up a good point about automation, because we use a platform and there is some automation but, honestly, not everything's automated and it is not check the box and, honestly, we walk our customers through. We use it as a tool, and whether you use a spreadsheet or an automated, whatever you use, they are tools to collect your evidence. And that is a big thing, is you have to collect certain types of evidence, and that's where the real work comes in. Like, you've answered the question, you've identified that, you know, this control and this, but this is where customers are like, oh my goodness, this is a lot of work. It is, and you have to do the work. In a platform, I don't care what platform you use or what spreadsheet you use, it's only as good as what you put into it. Absolutely, you can do readiness however you see fit for your business. Within the framework, obviously, you have to do certain things, but you have to do it. There is no check the box. You can't just flub your evidence.

Dawn:

And so we here at VanRein, we, I don't know, accountability partners, probably not the right terminology, but we do hold our customers accountable and we will assign them tasks. I mean, we, you know, if they're like, hey, this is kind of overwhelming, this is a lot of stuff, yeah, it is. So let's take it in small pieces. And so I'll actually break out different pieces, whether it's based on control or whatever it is, or just based on, like, is it HR, are the HR controls, like, a group of controls, and we would just assign those tasks out to whomever on their team would be best at that. And so it is a lot of work. But at the end of the day, it is great work that you're doing, because look at the ROI that you get. You know, your customer, you win a big contract. Or you can say, here's my cert I'm putting on my website. I mean, it's really a great certification to go through.

Kate:

But yes, it is a lot of work to go through. Yeah, that's such a great point on the use of tools. So I think that both of our companies, it's, we have experts powered by technology. It's not, here's a technology, install it and then we'll tell you that you're SOC 2 compliant in two seconds. You know, it's, how about we talk to experts that know the ins and outs of compliance, that are really fun at parties when we talk about compliance, and then that's powered by technology. So you can have tools in place that can maybe automate some of the really mundane things or help you keep everything in one place, but it's not replacing the experts, like the human interaction. That's what I feel like has been unfortunate in recent years, with some of, like, the top results when you Google "I need a SOC 2 right now."

Rob:

That's what I've seen, that, oh yeah, and you also hit the nail on the head. It's your wonderful husband, who is the tech CEO mentality. I haven't met him yet. He's like, I just need to check the box because my board needs to see we have a SOC 2. And you turn that going, okay, dear, they gave me the lovely flowers. We can get your SOC 2. When you have a breach because your company didn't implement the controls, then you have to talk to the media and your shareholders, and then you could be ousted as a CEO. I mean, let's

Rob:

look at, you know, today is May 10th, we're recording this. We've had the Change Healthcare data breach that's been going on for almost two, three months. We have providers unable to be paid. Ascension Health got hit yesterday, 140 hospitals, and they have multiple certifications. And then, was it today or yesterday? Dell, who has everything, SOC and ISO and HITRUST, the companies that have all the money that can do this correctly. Obviously they're big targets, I got it, but there are gaps. The one with Change Healthcare, like, one is not having two-factor authentication on a service account and they're able to get in the back door, and you need to do things correctly. So it's not a check the box. We'll need to make it shiny for you and allocate time and resources.

Dawn:

Yes, time and resources.

Rob:

Because I think-.

Dawn:

Implementation, I think, is key. You can have all the tools in the world. I mean, we have customers that come to us and they're like, oh, I use this platform and they gave me an hour of a consultant's time, and I'm coming to you because I don't know what I'm doing and I can't do this anymore. And it's like, well, of course you can't, because no one's guiding you through it. Platforms are platforms.

Dawn:

I mean, even a spreadsheet is like, someone needs to tell me how to do this, to guide me through it. And so I think that definitely, when you get to something like a SOC 2, you need guidance, you need to know the framework, the guidance. What are we doing here? Where are we going? What are we, you know, how are we doing this? How are we accomplishing? What are the milestones, right? So, kind of, you dovetail into that, like milestones of, like, a SOC 2 Type 1. Obviously it's that point in time. But as far as milestones, like when, as an external auditor, would you come in? When, like, such as us, VanRein, would do the readiness, when do you come in? Like, at what point in that time?

Kate:

Yeah, so generally we don't necessarily need to know the ins and outs of all of the bad things, all of the things that weren't in place. We do love to have some involvement in kind of that final check of the controls. So these controls have been customized to this client based on their operations. We love to kind of see that and get an understanding of how those decisions were made, and to understand if there are any residual opportunities for improvement, say. Because sometimes, especially with a Type 1, there might be instances where a company is still actively working on things, and they might have it in place well enough for a Type 1 but they know that it's a risk for the Type 2, and those are actually pretty beneficial for us to know, just so we have the right mindset towards being a proper partner to them going forward. Like, understanding that they would continue to work on the readiness front if there's anything else that needs to happen for remediation. But kind of setting that expectation for us so we can feel comfortable.

Kate:

We're signing off on this SOC 2 Type 1. We're very confident in the evidence we've seen. But having that understanding, if there are still opportunities for improvement, that doesn't mean those turn into control deficiencies, if we're confident in what we see that's presented as the audit evidence, but us not being blindsided. Sometimes there's a mentality like, I don't want to know everything. I don't want to know, like, well, when we first started working with them, every terminated person, you know, had administrative access. I probably don't need to know that ever, but we don't need an off-boarding checklist, right?

Rob:

We just?

Dawn:

they'll be back.

Kate:

I don't want to steal anything.

Rob:

Oh, okay, we're going to divert just quickly. Off-boarding is critical there, because when you off-board, Rob leaves or whatever, anyone leaves your organization, you have got to disable everything immediately. And when we were starting the business, let's say six, seven years ago, Dawn went back to a former employer because, I don't know, Kate, you know, guys, when we say we're going to start a business, it's cool, and I'm going to live in my van down by the river, and Ethan was like five or six. And she goes, is there going to be money or healthcare or food or shelter? And I'm like, oh, we're fine.

Dawn:

Just normal questions, right? Yeah, why do you?

Rob:

need that. I got a t-shirt.

Kate:

Why are you asking so much?

Rob:

of him, I know, shame on me. And then I'm going to hand the story to you, Dawn. So you went back to a former employer, which is great.

Dawn:

And what did you see? I basically called my old boss from years before, I'd been in the insurance industry, and I was like, hey, can I come back for a bit? Oh sure, yeah, yeah, yeah, yeah. You know, came back and same email address. Everything was the same. Oh no, like, okay, just rolling right into the same. It was, it was, it was, yeah, and I think I was actually the same, like, cubicle, like, everything. It was so funny, and it had been a minute, it had been like 10 years. Yeah, yeah, isn't that funny, so that's insane, but anyway. But no, nobody leaves, right, as an auditor.

Rob:

No, we don't want that.

Dawn:

No, that's bad, that's a bad one, that is a bad one, that is a bad one. So the other thing we want to touch on is, I know that you and your firm, you only do SOC 2. And that's great. I think that's awesome that you are specialized in that. But we have customers that get confused on SOC 2 versus ISO 27001. And so can you speak a little bit about, like, maybe when someone makes the decision on which way to go. Obviously, we know SOC 2 is US, for United States companies, and ISO is obviously a European standard. But there may be times when someone just goes, I'm just going to go ISO instead of SOC 2. Do you have some instances where you've had these conversations with some clients?

Kate:

Yeah, I have, and you're spot on with kind of the US versus international. SOC 2 originated in the US. ISO, obviously, like, international is the I, so that's a more international one. So sometimes when I catch people early and they're kind of figuring out what they need from compliance, they know the two of them just offhand and they don't even know that there's any kind of geographic association. So that's usually the first step, is talking to them about, like, well, where are your operations and where are your customers? If your customers are all international, or you have both, a mix of US and international, then maybe you do ISO, maybe you do both.

Kate:

I feel like there's been somewhat of a trend of acceptance on both sides, where a little more, kind of, the ability to interchange, but it still seems like standard US, SOC 2; international wants ISO. So that kind of location distinction is always useful to talk through. Beyond that, the biggest thing that I notice as a difference that I'll try to share is that SOC 2, I almost feel like, is a little more flexible. You have, like, the categories and the criteria. You can choose additional categories or not. You know, you can add on privacy if you want. You can leave it off if you want.

Kate:

And then, you know, there's policies involved. But in ISO there will be statements in the ISO requirements of, there is a policy that covers this, and that's pretty infrequent in the SOC 2 requirements. It's just generally expected. You know, you have to have, we're going to look for an information security policy, incident management. That has to be documented, but it's less prescriptive on the policy front for SOC 2. It's a little more malleable.

Dawn:

I agree with that yeah.

Kate:

Yeah, so that's a pretty strong difference, that, and part of that, I honestly feel like certain personalities I work with, like, have opinions on either way. Yeah, they're like, well, that makes so much more, I know, personalities impacting compliance, can you imagine?

Rob:

Well, thank you for that, and we've got a couple of clients going through ISO now and we changed auditors, which is for the best, and the reason we chose, actually, we'll have David on here, Dawn, we'll bring him in to talk about ISO. He looked at me and goes, Rob, ISO is probably the most political certification in the world. It is based out of Europe. Everybody has their own opinions and every auditor has a standard, but their opinions are different.

Dawn:

Yeah.

Rob:

He goes, what I like is not the same thing that the next guy likes, even though we're both accredited. And SOC is probably like that to a point as well, I bet. Right.

Kate:

Yeah, yeah, I think that's right. There's opportunity for interpretation, always. Like lawyers, CPAs. You know, this is good. Yeah, right, this is good enough because I like you today. This one, no, just kidding.

Rob :

I feel like I have to say it's Monday and I don't like that. Write a policy now, leave me alone.

Kate:

Exactly.

Dawn:

I kind of want to know what the biggest issue is that you've seen with a SOC 2 audit. Like, has there been something that you consistently see that is done incorrectly, or is missing, or something that's been an issue multiple times?

Kate:

Oh, good question. So do you mean things companies do wrong, like control deficiencies, or do you mean when I'm reviewing SOC 2 reports, like a control...

Dawn:

Deficiency. Yeah, like, do you see something consistent in different industries and different companies? You've seen the same deficiency. Yes? What is...

Kate:

That. It's always... often, not always, but it's really common. Wow. So it's common for a couple of reasons. One is that there's not a pure, true definition of timely access removal. So there are differences in opinion on what's considered timely. So that has an interesting impact on when you see offboarding issues.

Kate:

Like, we'll have some clients that will see offboarding issues because they set a very, very strict policy: you have to revoke access in this very short timeframe because access is so privileged, so sensitive. You know, maybe it's a health tech company with PHI access, so they have a very short window, and so then we'll end up with control deficiencies there because they didn't term in that window. Then other clients have a bigger window because, you know, that was their policy and the access wasn't that sensitive, and so they're a little more Wild West with offboarding. But it doesn't turn into a control deficiency, just based on the associated risk and how things are structured. Right, but the timeliness component is part of it. And then also there are so many cases where we can't tell when access was removed. So they'll let us know. Yeah, so like, all right, we picked this termination. We see they were terminated on this date.

Kate:

Can you provide evidence of access removal? And oftentimes they have a ticketing system and an offboarding checklist. We love an offboarding checklist, and that'll show it. But if they don't specifically document something, systems often do not have an easily accessible audit log that shows when access was removed, and so it's unfortunate, because they'll tell us all day long, "No, we really did remove access, I promise." We just have to see it. Sometimes, some of them, I'm like, I trust you, I believe you, but it's not enough. We have to see it.

Rob :

You know, and as we go towards that zero trust model, right, that we're all looking towards, it used to be trust but verify. Now it's like, I don't trust you at all, I need to verify. So I need to verify, you know, I think it's like life and work now. I don't trust you, but we should. Um, I need to verify that you have a process and, from an audit standpoint, did you...

Rob :

...disable, you know, Tom's account on his last day?

Dawn:

Yeah, wow, that is huge. That's alarming, actually. I'm flabbergasted at that.

Kate:

Yeah, it's a really common one. It's really unfortunate because it's not one that's easy to gloss over in the report itself. You know, there's usually a pretty solid management response available, like checking last login date: OK, this person didn't log in after their term date. But that one jumps out, like, oh, terminations. You know, when that shows up as an exception, it's an unfortunate one. So yeah, to all the listeners...

Dawn:

Yes, take note of that. That is super interesting. Hire quickly, right? Yes, yeah, properly. Oh my gosh.

Rob :

So okay, so there's one. How about a couple of others? I mean, like, you know, what I find is just not being organized. Organization is big, you know, making the evidence, having the evidence. So I think of it as, I have to prepare things properly. So do you see that people that don't have a written list or a team internally get kind of sloppy? And what's your take on that? What do you feel like when you hear the auditor coming in the door and you're like, wow, your receipts are all over your desk? Oh, this is going to be fun, right? It's going to be a mess. They're a hot mess, too.

Kate:

Yeah, yeah. Another thing I see a lot: I feel like if a company has a ticketing system that they use very well, a lot of things end up in there and can be found, especially if they're marked well. So you have access approval in your Jira ticketing system, or you have, you know, the change logging and approval. So a lot of stuff ends up living there, and ideally it's easy to find. But I'm seeing a lot of companies tackle a lot of things just in Slack or an email, and it's like, you're never going to find that. I can't find emails I got yesterday. Like, you're just never... If your audit evidence is an email or a Slack conversation, it's just so hard to filter through that stuff; it just gets lost forever. So if there's not some sort of ticketing system, is there a process? Yeah, you gotta have a process. Do a thing that you actually do. That's a good one.

Rob :

You'll have process, Dawn. You're the process queen, that's what you do.

Dawn:

Yeah, our big thing on our end is disaster recovery, business continuity plans, HIPAA. It's like a lot of people don't have that, yeah, that want to be HIPAA compliant. So we find lately us helping out and assisting with some framework, and let's kind of, you know, wrap our heads around this together to try to help you understand what those items are that you need. You know, your incident response team, your incident response reporting, all that kind of stuff that's wrapped up in that. So we find that that is something that's missing a lot, and I think that that's just something that everyone needs, no matter what compliance program they're going into. I mean, personally, we all have to have a plan, right? We have to have an exit plan for our family.

Kate:

Yeah, that's a good point.

Dawn:

So I kind of approach it that way, but that's one thing that we find, and I'm sure our listeners are like, "Yeah, yeah, I know, I know, it's up here in my head." Okay, that's great, but you've got to put it down on paper, because if you don't document it, right, then it didn't happen. So documentation, definitely.

Kate:

...30 years old. It's like none of this information applies to companies anymore. I don't feel like there are solid resources available for any self-learning, so it's one that you definitely have to hire for.

Rob :

If only there were a company that could help.

Kate:

Right, if only.

Dawn:

If only yes, oh my gosh.

Rob :

And then, if they knew an external auditor, wow, to make this easy.

Kate:

Can you imagine Epic?

Rob :

So obviously process is a big issue we see. You know, when you're talking with prospects and they're looking, just coming back to what you mentioned earlier, looking at a SOC 2, what are a couple of decision points you can tell listeners? Like, hey, think about these two or three things as you're investigating: is a SOC 2 right for my business? What are a couple of things?

Kate:

Thoroughly look at your customer agreements. I understand why there's sometimes not a full understanding when I talk to companies about what's in their customer agreements, because a lot of them, you know, will be startups, and so they might have an agreement, but then they have to sign the agreement from the other company. They have to accept a lot of redlines or just sign an agreement from the customer, and so they have less control over what they're signing up for than I think they feel like they will when they first get off the ground. It's like, the bigger the company you're trying to sell to, the more likely they're going to send you a doc for you to sign.

Kate:

So we end up seeing, when you actually look at customer agreements that have been redlined but agreed to, there will be very specific language about requirements, and the company isn't tracking them. Like, maybe they saw the redline. They're like, okay, fine, we want this client, that's fine, but then they don't track it after the fact. So they might be promising 99.99% uptime, but they're not tracking that at all because it wasn't part of their standard agreement. Got it. Or, in a more relevant way, they might be promising that they have a SOC 2 Type 2 annually that covers privacy. And then they're like, oh, I need a SOC 2. But if you just have a SOC 2, privacy is a whole new beast to tack on to SOC 2. So a lot of times, look at the customer agreements. I'm sure it's painful, it's legalese, they're long, you don't even know what's in them. But see what you have actually promised to your customers already as a starting point for what you should be doing.

Rob :

The other thing, too, is we're starting to finally break this misinformation of, "Hey, I can just rely on my vendor's SOC 2." Like, "Well, my environment's in Amazon or Microsoft or Google or in a data center with a SOC 2, and that's good enough." And I go, no, it's you with the business. You know, ABC Business.

Kate:

It's not.

Rob :

It's not Amazon's business, because those businesses are really conduits. That's all they are. They're really not liable for anything. It is up to you how you implement your environment and your protocols and your security in AWS, so you can't rely on AWS. Folks, and our customers, know that, and some still don't. You're like, no, you can't hang on to that. It's a weird thing. No, you need to have your own SOC 2 report.

Kate:

Yeah, yeah, that's a great point. It just doesn't work anymore. It doesn't work.

Rob :

No, it doesn't work. People read between the lines now. It's like, no, that doesn't work.

Kate:

That's so good.

Rob :

It has been fantastic just talking with you, Kate, and thank you so much for joining us this week. And if our listeners want to reach out to you, or learn more about you, or contact you and the gang at Maxwell, what's the best way to reach out to you guys?

Kate:

Yeah, my email address would be an easy way. Okay, kwilliams at mlrpc.com. Also, we have a freshly, newly branded website, mlrpc.com. It's a long one. Lots of letters, that's how accounting firms work, just Maxwell, Locke, Ritter, lots of last names thrown at you. But we got a nice fresh rebrand earlier this year that we're pretty proud of. So we actually have a pretty spiffy website.

Dawn:

Yeah.

Kate:

And I have some articles on there about various really exciting compliance topics. Hey, compliance is fun, we think it's fun.

Dawn:

So you're talking to the right people because we think it's fun.

Kate:

I know I'm in good company.

Rob :

I'm in good company, that's right, and we'll put the link in the show notes, guys, so you can click on her email address and get more info about ML&R. But yes, you're right. I mean, does an accounting firm stop at the third...

Kate:

...partner, or do you just go to four or five, or, like attorneys, you have 18? And, you know, how does... Yeah, I feel like three is the max where you still say the names, because KPMG is technically four last names but no one knows them. But PwC, most people know, is PricewaterhouseCoopers. But at some point you're like, there are too many guys, just pick your favorites. I want my name on the door.

Rob :

Oh okay, great, here's a sticker. Have fun. Well, thank you again, as always. Folks, I'll put all the contact information in the notes, and thank you so much for joining us this week on the VanRein Compliance Podcast. We'll see you next week. Bye-bye.

Kate:

Bye-bye, thanks everybody, bye.

Introduction to SOC 2 Compliance Framework
Rising Demand for SOC 2 Certification
Data Breach Implications and Compliance
Differences Between SOC 2 and ISO
Challenges in Client Offboarding and Compliance