When we set out to build Modern Treasury, we knew that as a company that deals with financial data and stores data in the cloud, our customers will expect us to prove our commitment to security. This proof typically takes the form of a SOC 2 report.
We are proud to have received our SOC 2 Type I when the company was only 7 months old, and we have now passed a SOC 2 Type II audit as well. We know many companies will be interested in going through this process at some point in their lives, so we put together this step-by-step guide to getting a SOC 2 that we hope will be useful for other teams.
What is a SOC2 report and how are Type I and Type II different?
Companies that use external technology vendors have many difficult decisions to make as they decide which vendor to work with, and security teams focus on a vendor’s approach to security, confidentiality, and availability. The American Institute of CPAs (AICPA) has issued guidelines on what makes a trustworthy vendor. A SOC2 report is an external audit of a company’s security practices based on these AICPA guidelines.
All SOC2 reports cover security, and depending on your business other areas, such as privacy, may be included as well. There are five main areas companies choose to include:
- Security: how does your company ensure that a client’s data is stored securely and how do you prevent unauthorized access?
- Availability: how does your company ensure that your service is continuously reliable and how do you prevent outages?
- Confidentiality: how does your company protect confidential information?
- Processing Integrity: how does your company maintain the integrity of client data and ensure it’s done in a timely and authorized way?
- Privacy: how does your company retain, store, and dispose of personal information?
Depending on the nature of a business, these may have various levels of applicability to each company, and as a result some of these are optional. Security is the only non-optional area that must be included in the SOC2 report.
The auditor’s job is twofold: to ensure that a company’s policies are appropriate, and to make sure that a company lives by them. A SOC2 Type I report is a point-in-time report addressing the policies themselves. A SOC2 Type II report is the report a company gets after operating under those policies for some period of time, proving that it has lived by them without material breaches.
At Modern Treasury, we got a SOC2 Type II 12 months after our initial SOC2 Type I.
Doing it early vs. late
Getting a SOC2 audit is commonly seen as an activity that only larger companies attempt due to the necessary preparations and time commitment. While this is true, we’ve found that the preparation and involvement seem to scale exponentially with company size. Earlier stage companies actually have a huge advantage in this respect because changes can be made quickly to systems to bring them into compliance. Getting our SOC2 when the company was only 7 months old was one of the best decisions we ever made. Not only did it give us a big advantage in the enterprise sales process, but it also allowed us to build compliance into our company’s DNA very early on.
The first step we took in the SOC2 process was determining whether we could do all the preparation and work ourselves or get a third party to help. We quickly learned that doing it ourselves would require a huge time investment, not only to learn what the specific requirements are, but also to generate the documents and policies that would be required during the audit. That led us down the path of talking to various SOC2 consultants, who ran the gamut from “we write out all the policies and paperwork” to “we just give you the forms to fill out yourself.” We felt this still didn’t save us a ton of time over doing it ourselves, and we would still be on the hook for finding and engaging an auditor.
We then got introduced to Vanta and it has been our choice ever since. Not only did Vanta help us find an auditor but they had an entire web application that plugged directly into our stack (AWS, GSuite, GitHub, etc.) and could monitor and tell us if we were compliant with specific policies and if not, how to fix those issues.
Over the next two months, we started working through the checklist of items to prepare us for the audit. Vanta’s entire system lays out the process and gives strong assurances that you’re doing the right thing. And because it’s plugged directly into our stack, it can give us very specific and actionable instructions on how to change aspects of our system to bring them into compliance.
We did run into a few issues around the timing and scheduling of the audit. We had done most of the preparation work in November 2018 and were looking to get the audit process started as soon as possible. But because Vanta only had a handful of audit partners at the time (they've since tripled the number of audit partners they work with), and because the end of the year is the busiest time for auditors, we had to wait until the end of January 2019 before we could get the audit started. The one big takeaway from this process is to confirm the audit date early on. Since going through that process the first time, we now schedule the audit a year in advance to reserve our preferred dates.
The actual audit itself was very straightforward: 90% of the document collection process was completed by the auditor on their own, since they could see our Vanta profile and download the necessary evidence. The other 10% consisted of some fairly straightforward screen-sharing sessions and sending over screenshots of certain internal tools and configuration files. All in all, the entire process was completed in a week, and three weeks later we had our finalized SOC2 Type I report.
Getting the Type II
Since getting our SOC2 Type I in January 2019, we have gone through the audit process again to receive our SOC2 Type II in January of this year. As a result of the effort we’ve put into compliance, Modern Treasury is ready to engage with larger companies and pass the security checklists often seen as a requirement by information security teams.
We hope the complexity and completeness of the SOC2 process does not deter companies from pursuing technology projects that require it, and that this guide is helpful in thinking through the timing for this process.
For more information, see https://www.moderntreasury.com/security