Article by Mike DeKock, Founder and CEO at MJD Advisors
Throughout history, the prevailing narrative surrounding compliance has been one of necessity, not choice, and audits are approached with a sense of inevitability rather than opportunity. This conventional framing has branded the auditor as a necessary evil and means to an end, allowing a lack of evolution in the industry. However, that is all changing as innovators have given attention to solving a problem of growing importance.
Regulations like the California Consumer Privacy Act (CCPA) and the wave of international and state data privacy regulations that continue to grow are just signs of the times — data is valuable, and companies must go the extra mile to protect it. And, for SaaS companies that create value only when allowed to interact with that data, reassuring others they deserve trust is a critical business objective.
One method for sharing an organization’s approach to security growing in popularity and importance is completing a System and Organization Controls 2 (SOC 2®) report. This voluntary compliance framework showcases the policies and procedures companies put in place to protect sensitive information so potential clients can gain confidence. In turn, SOC 2 reports become a selling point for SaaS companies, especially amid growing cybersecurity concerns. These reports demonstrate an objective and independent third party (an auditor) has verified a company’s security commitments.
As SOC 2 reports and other compliance initiatives have been positioned to drive opportunity (or avoid stagnation) it’s placed the governance, risk, and compliance (GRC) function in the spotlight. What once received little attention suddenly serves as a lynchpin for growth and is driving new investments and fresh ideas into the space, which is revolutionizing the approach and attitude towards compliance.
Why the time for simplified compliance is now
There has never been a better moment to be a SaaS company than today. In 2023, almost half of all venture capital investment went to companies with this business model. As companies need more digital tools to automate workflows, SaaS companies, big and small, continue to innovate with tailored solutions for companies of all kinds to run in the cloud.
At the same time, it has never been more challenging to be a SaaS company. A recent survey of over 600 security practitioners revealed that 79% of these businesses had cybersecurity incidents in the past year. Malicious actors know too well that SaaS businesses grapple with high amounts of sensitive data, making great cyberattack targets.
In the quest to stay secure, companies want to know they’re hiring the right vendors to host or support their services in the cloud and are protected from these attacks by way of compliance. This is where auditors come in to help companies become the best version of themselves to deliver top-notch services and build customer confidence. And the good news is CPA firms can adopt digital approaches to bridge the gap between company and auditor, simplifying examinations for both parties.
Evolving requirements offer new relationships with auditors
Ever-expanding complexity and the availability of new technology have created opportunities for a new type of auditor. The goal of a SOC 2 report is to demonstrate a company is living up to its commitments, not meeting the expectations or standards of the auditor. This approach requires significant judgment, technical skill, and a deft touch that can only be delivered by a highly experienced professional interacting directly with the client. Such a process wasn’t practical until very recently with automation tools and other compliance software.
What’s exciting about this new tech is it allows the most talented members of an audit team to interact directly with the client. These individuals have broad knowledge and can share best practices to strengthen compliance and security in the companies they’re auditing.
There is a growing compliance community approaching these services with a niche focus that builds on its knowledge and skills with each engagement. That experience can enhance an organization’s data security operations and deliver the assurance their customers need.
Technology makes for simple, streamlined compliance
It cannot go unsaid this new relationship between companies and compliance used to be impossible. Compliance has historically been viewed as hard and complex because it was hard and complex!
The complexity of being “compliant” has remained relatively static, but the tools supporting these efforts have seen transformational enhancements in recent years. Almost overnight, the industry went from spreadsheets and paper checklists to automated tools and billions of dollars in investment in the space as we have continued to see GRC SaaS unicorns.
The biggest obstacle in modern compliance is often translating specific company requirements and sorting through evidence. Once understood, the individual tasks are quite simple, but there are many tasks and no clear roadmap.
Compliance tools create the roadmap for companies to complete their SOC 2 report, and allow them to “tether” their operations to compliance systems that let auditors track their activities and operate the controls. All of this happens while maintaining organizational velocity, which is critical to any SaaS company.
Through technology, companies can organize their compliance efforts and share them with auditors in a language they both understand — removing much of the noise that often comes from the back-and-forth in compliance examinations. At a minimum, these tools result in a streamlined and simplified approach, and when you find the right combination of auditor, company, and compliance platform, that is the recipe for a strong security program and a healthy organization.
This article includes a client of an Espacio portfolio company
