Chris Barbeau | VP, Operations | Omniware Solutions Inc.
Mark Cravotta | Chief Revenue Officer | The Crypsis Group
Lawrence Cucka | Information Security and Compliance Consultant | Zafin
Jennifer Butts | Director, Information Security & Compliance | PowerPlan
Q: What did you learn during your SOC engagement that surprised you about your organization?
I always learn so much during these engagements. I’m surprised that we continue to repeat the same mistakes over and over versus rectifying them. This is a priority as we continue with the audit.
The one thing that came as a surprise was the fact that we had more non-tested controls than I had expected. While this doesn’t necessarily have to be a bad thing, it has raised a flag on the company.
Q: What criteria did you find challenging to achieve?
Being a small company, the HR components were challenging given we don’t really have a proper HR department.
The privacy criteria were super challenging, so we tabled them for this year and will approach them as an individual project next year.
As an auditor, I don’t have full-time access to many of the systems, so sometimes the evidence was not so easy to extract from the different platforms. Being a small and dynamic team, getting the engineers’ attention to provide that evidence was sometimes indeed challenging.
Providing evidence that we are evaluating employees’ performance. Our company has moved away from formal performance reviews and documented evaluations in favor of more regular conversations between employees and managers that are focused on career growth and development. This less formal process makes it more challenging to provide documented evidence that performance meetings and conversations are occurring.
Q: What was a helpful recommendation you received during the audit?
There were many and I’d suggest that the most helpful recommendation was to breathe (that was my watch going off all the time…;) Really, being our first formal SOC engagement, there wasn’t any one recommendation that stuck out. In reality, the patience of your team getting us up to speed was probably the most helpful for us.
I had many helpful recommendations – I appreciated the feedback on our Risk Management plan, which is now in full effect due to COVID-19.
Although there were no recommendations left as part of the report, working with the auditors provided me with a very good knowledge base on future controls.
To set up automated alerts when an AWS root account is used.
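The recommendation above is a single sentence, so here is what it looks like in practice. This is an added example, not code from any of the panelists or from the audit firm: it encodes the root-usage condition from the CIS AWS Foundations Benchmark (the CloudWatch Logs metric filter pattern for "usage of root account") and applies the same three-clause test in Python to records in the shape CloudTrail writes. The sample trail records are constructed for the example; the account ID, IP addresses and user name are placeholders.

```python
"""Detect AWS root-account usage in CloudTrail records.

Added example (not from any panelist or the audit firm). The metric filter
pattern is the one recommended by the CIS AWS Foundations Benchmark; the
sample records below are constructed and use placeholder identifiers.
"""
import json
from typing import Dict, List

# CloudWatch Logs metric filter pattern (CIS AWS Foundations Benchmark,
# "Ensure a log metric filter and alarm exist for usage of root account").
# Attach it to the CloudTrail log group, then alarm on the resulting metric.
ROOT_USAGE_METRIC_FILTER = (
    '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
    '&& $.eventType != "AwsServiceEvent" }'
)


def is_root_usage(record: Dict) -> bool:
    """Evaluate the same three clauses as the metric filter on one record.

    - userIdentity.type == "Root": the caller is the root user, not an IAM
      user or role.
    - invokedBy absent: the call was made directly, not by an AWS service
      acting on the account's behalf.
    - eventType != "AwsServiceEvent": skip service-initiated records.
    The last two clauses keep background service activity from paging
    the on-call for something nobody typed.
    """
    identity = record.get("userIdentity", {})
    return (
        identity.get("type") == "Root"
        and "invokedBy" not in identity
        and record.get("eventType") != "AwsServiceEvent"
    )


def root_usage_alerts(trail_json: str) -> List[Dict]:
    """Parse a CloudTrail log file body and return one alert per root event."""
    records = json.loads(trail_json)["Records"]
    return [
        {
            "eventTime": r["eventTime"],
            "eventName": r["eventName"],
            "sourceIPAddress": r.get("sourceIPAddress"),
            # Console sign-in records carry MFAUsed; worth surfacing in the alert.
            "mfaUsed": r.get("additionalEventData", {}).get("MFAUsed"),
        }
        for r in records
        if is_root_usage(r)
    ]


# Constructed sample trail (placeholder account ID and addresses):
# three records, exactly one of which should alert.
SAMPLE_TRAIL = json.dumps({"Records": [
    {   # direct console sign-in by root without MFA -> alert
        "eventTime": "2020-04-01T02:13:44Z",
        "eventName": "ConsoleLogin",
        "eventType": "AwsConsoleSignIn",
        "userIdentity": {"type": "Root", "accountId": "111111111111"},
        "sourceIPAddress": "203.0.113.10",
        "additionalEventData": {"MFAUsed": "No"},
    },
    {   # an AWS service acting as root on the account's behalf -> no alert
        "eventTime": "2020-04-01T03:00:00Z",
        "eventName": "DescribeRegions",
        "eventType": "AwsApiCall",
        "userIdentity": {"type": "Root", "accountId": "111111111111",
                         "invokedBy": "AWS Internal"},
        "sourceIPAddress": "AWS Internal",
    },
    {   # ordinary IAM user activity -> no alert
        "eventTime": "2020-04-01T09:12:05Z",
        "eventName": "CreateUser",
        "eventType": "AwsApiCall",
        "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
        "sourceIPAddress": "198.51.100.7",
    },
]})


if __name__ == "__main__":
    for alert in root_usage_alerts(SAMPLE_TRAIL):
        print(json.dumps(alert))
```

In AWS itself the alert is the metric filter string above on the CloudTrail log group plus a CloudWatch alarm with a threshold of 1 that notifies an SNS topic; the Python function is the same condition, useful for checking an exported trail or for testing that the filter excludes service-invoked calls before it goes live.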
Q: What's an action item you created as a result of the audit?
We created a master sheet to control all SOC related activities and divided it into those that are scheduled and those that we need to be proactively aware of as/should they occur. It became easier to manage SOC controls, at least for us, when we thought of them in one of those two categories.
We have accelerated many automation projects as a result of the audit and the criteria of the audit.
Again, report wise nothing required our attention, but personally the experience helped me create processes so that on the next audit the information can be acquired more easily.
To build out some additional fields for tagging records so that they can be pulled accurately and easily for audit populations and reduce manual tracking on spreadsheets.
Q: What's a beneficial way that you have used the SOC Report?
While we haven’t used the report this way as of yet, we do believe the report will increase the value of Omniware as an organization.
We don’t have our SOC report yet, but this is a critical requirement for our clients. They ask weekly about the status.
Our SOC report has been frequently provided to existing and potential clients as proof of our company’s efforts in terms of information security while providing our services.
Many of our customers attempt to write into their contracts that they will have a right to audit us. If each customer were to do independent audits of our company and solution, it would not be scalable for our business, and we would divert a lot of resources to individual customer audits when those resources should instead be focused on other company initiatives. Because we undergo SOC 2 audits, we are able to redline the contracts to remove the “right to audit” clause and instead agree that we will be SOC 2 audited. Additionally, the SOC 2 audits help us address many customer inquiries related to security, and we can redirect the customer to review the SOC 2 report for evidence that we are performing various security activities. This helps our business be much more efficient while also addressing customers’ questions and giving the customers confidence that we are securing our applications and our business.
Original questions & answers were recorded in April 2020.