SOC 2 Compliance: Q&A with an Audit Expert – Liam Collins

The inaugural episode of the Trustero podcast “Everything Compliance” features an interview with Liam Collins, Co-lead for Armanino’s Trust Practice. Armanino is one of the 25 largest accounting, consulting, and technology firms in the US. Liam has been focused on compliance for most of the past two decades and has seen more than his fair share of audits, successful and otherwise. Below are some of the questions and answers from that interview.

What types of companies do you work with?

We have a lot of startup companies doing SOC 2 compliance for the first time. We deal with lots of mid-market companies and lots of large public companies as well.

Why is SOC 2 so suddenly important to these companies?

There is an ever-increasing focus on security and compliance, with vendors being an extension of any company’s security environment. Vendor management and procurement require their vendors to get a SOC 2 done to demonstrate they have adequate controls in place and operating effectively.

What does “doing it right” actually entail?

For us, doing it right means having the correct scope, strong controls to mitigate risk, and operating those controls consistently. It’s also important to educate stakeholders across the company to ensure that this is not just seen as an IT issue. This is something that affects an entire organization. At the beginning of the conversation with a potential client, we ask questions like, “What are you looking to get from this relationship?” “Are you simply looking to check the compliance box? Are you looking to build a program that makes your company better, makes your customers’ data more secure, and makes you more successful in the long term?” That’s important because we want an open and transparent long-term relationship where we are adding value to our clients and their customers.

What are the most important elements of the SOC 2 audit process?

We always strive to start working with our clients early in the process to determine what controls are really important and the proper scope for each SOC 2 audit. Not all SOC 2 audits are the same. The scope is essential because it can be very broad or narrow depending on the kind of customers we’re working with and their customer data. Therefore, we believe it is vital to engage with your auditor as early as possible in your SOC 2 audit process. Transparency is also crucial. Companies should look for an auditor they can partner with on this process and with whom they can communicate regularly. You should frequently be speaking about your remediation activities, how your documentation is looking, are the controls working, etc.

It is also efficient when clients say, “Can you look at documentation before the formal audit?” We could certainly do that. We give a lot of guidance on things like policies, processes, and technology. These are the conversations we like to have early on. “How can we help you? How can we partner with you on this?” Because we both have the same desired outcome, which is a successful relationship, a long-term relationship with a company doing well.

How can compliance automation technology help, and how is it evolving?

It’s gotten better in the audit profession. We’ve been talking about continuous compliance for 15-plus years but are definitely seeing an evolution in the technology, especially in the last couple of years. I think there’s an opportunity out there. How do we truly build technology that will continuously monitor controls? Can we ever automatically issue real-time access reports? To empower the CFO to be confident and say, “Hey, come and do my audit, that’s fine. I already know I passed because I’ve got technology that is monitoring everything on an ongoing basis.” And no matter what the tool is, we want to make sure we understand where the information is coming from and that it is complete and accurate.

Liam Collins
Co-Lead of Armanino’s Trust Practice

Liam has over 20 years of assurance and consulting experience, including ten years with Big Four firms. He leads the firm’s Risk Assurance and Advisory Services practice, including its Cybersecurity, Privacy, Service Organization Control (SOC) audit, HITRUST, ISO27001, Sarbanes-Oxley (SOX), Internal Audit, and IT Compliance service lines. Before joining Armanino, Liam served as a Managing Director at KPMG, where he was an engagement Partner on a number of large assurance and consulting projects. He has also held audit, assurance, and IT leadership roles at PricewaterhouseCoopers (PwC), ControlMetric, Clare Chapman, and Prodapt.
Liam is a member of the American Institute of CPAs and the Information Systems Audit and Control Association (ISACA). He received a BSc. in Accounting from Golden Gate University, a JD from the University of San Francisco School of Law, and an MBA from the Wharton School at the University of Pennsylvania.

Armanino LLP is one of the nation’s 25 largest independent accounting and business consulting firms. Armanino provides an integrated set of audit, tax, business management, consulting, and technology solutions to companies in the US and globally. The firm helps clients adapt and change in every stage of business, from startup through rapid growth to the sale of a company. Armanino emphasizes smart technology, leading a cloud revolution of financial, operational, sales, and compliance tools that transform the way companies do business.