Bert Friedman is Head of Compliance at business banking startup Nearside (formerly known as Hatch). He has also served as Chief Compliance Officer for financial technology (FinTech) company Deserve, and Vice President of Compliance for the Financial Intelligence Unit of Chicago’s Community Choice Financial, Inc.
Bert has extensive “hands-on” experience with SOC 2, audits, and auditors. He shares some of the fruits of that experience in a lively “Everything Compliance” conversation with Trustero Vice President of Marketing and Business Development Kimberly Rose. Below are edited summaries of some of Bert’s comments and advice.
Please share a bit of your background and experience with SOC 2.
Absolutely. I was first acquainted with SOC 2 in my capacity as Chief Compliance Officer at Deserve, where I was sort-of thrown into the mix and learned by doing. After that, I worked with a couple of other companies on a consulting basis. I’m currently working on Nearside’s SOC 2 Type 2 certification as we speak.
What have your experiences taught you about dealing with auditors?
Well, I think a lot of people just get thrown into SOC 2 compliance like I did. Those people need auditors who will work closely with them and take the time necessary to succeed. If your SOC 2 auditor doesn’t take that time, you may never get through the audit process, or it will be very painful. I was very lucky to find a mid-sized, local auditing firm early that takes the time and works with us and have used them on every SOC 2 audit I’ve worked on since.
The cheapest auditors are not necessarily the best. Neither are the biggest. It’s more important to find an auditor or team able to lead and willing to help you understand. The auditor is not just a rubber stamp.
For example, we have an audit scheduled in about a month. Our auditor is meeting with us twice a week, to see what evidence we’ve developed and make sure that the narrative is coming along. It’s that sort of a partnership that I think you need to make sure that you get more than just a piece of paper or a certification. A successful audit is truly a way of proving what you do is seen by independent auditors as the right way to do things.
What are some of the common misconceptions you’ve seen among those pursuing SOC 2 compliance?
I think a lot of times people pursue SoC 2 because they feel like they have to. On the other side of the coin, some don’t pursue it because they don’t think they need it. Truly, in this business environment, security is paramount. I think it’s essential to be able to demonstrate you do things and prove you have done things [to improve security] to the world at large and your business partners, especially for a startup [or SMB] environment.
I think two other misconceptions are that SOC 2 compliance is really tough to get, and that it only takes a short amount of time. Neither of those is true. SOC 2 compliance takes effort, but not superhuman effort. But compliance doesn’t just take two weeks or even two months.
SOC 2 Type 1 is the articulation of control. You can do that fairly quickly if you’ve got all your ducks in a row and can explain to your auditor, “This is what we do, and this is how we’re going to measure.”
SOC 2 Type 2 becomes more difficult. You’ve set forth your controls in your SOC 2 Type 1 report. Now you have to show your ongoing compliance with that regime. SOC 2 Type 1 is a point in time. SOC 2 Type 2 is ongoing. You have to let the system run. You have to let the outputs come out. You have to evidence the outputs, and then you have to put them all together, get them to your auditor, and have your auditor review them. That’s why SOC 2 Type 2 is not an overnight thing.
That brings up another misconception. SOC 2 compliance is an ongoing thing. It’s not something you can open up once, not a file that you’re going to look at and go, “Oh, yeah, we have to do this.” It’s a regime of control that you’re going to use throughout the organization over time.
For more guidance from Bert Friedman, check out his full Everything Compliance discussion with Kimberly. For more on building a solid auditor relationship, read the blog post “SOC 2 Compliance: How to Choose an Auditor.” And for help crafting and navigating your path to SOC 2 compliance, get your copy of the e-book, “SOC 2 Compliance: Why it Matters and How to Get There.”