Tugboat Logic’s expert Monica McMahen and Parul Purohit, Compliance Manager at Accern, hosted a webinar discussing why Accern embarked on their SOC 2 compliance journey and what they’re doing with their SOC 2 success.
Acceleration is at the core of Accern. Accern is a no-code AI platform that enables financial organizations to create machine learning models in minutes, not months. They help uncover risk and investment insights from a vast amount of data.
The webinar was a chance to dive deep into Accern’s experience with Tugboat Logic’s platform. It was also a unique opportunity for attendees to learn about the SOC 2 roadblocks and surprises to avoid before starting their own compliance journey.
Why Accern Pursued SOC 2
The gold standard of trust is a SOC 2 audit. It’s the number one way an organization can prove its trustworthiness and demonstrate that they manage customer data securely.
“When you are in a client environment where you need to onboard many clients to run your services or your business, you need to have some sort of competitive advantage over others in similar industries. SOC 2 Type 2 specifically, gives us this edge and shows the operational effectiveness of our controls,” explains Parul.
Working closely with the financial services industry required Accern to meet SOC 2 compliance, reflecting their clients’ security needs.
When Parul joined the Accern team as Compliance Manager, she hit the ground running and faced the SOC 2 tasks head-on. She was the coordinator between the external auditor and the process owners. She understood the auditor’s expectations and was responsible for ensuring Accern’s evidence collection occurred correctly and promptly.
“I’ve done many information security audits previously but this was my first SOC 2 experience,” explains Parul. “I understand controls and most of them are very generalized. So in that sense, I understood SOC 2 controls and what providing evidence for those controls looks like.”
Accern’s SOC 2 Process
SOC 2 Type 1 reports on controls governing data security and privacy at the time of your audit. Preparation takes time but the actual audit takes only a day to complete. Once you’ve received your SOC 2 Type 1 report, that’s it. You can’t get it again. If you need to prove compliance at some point in the future, you’ll need to complete a Type 2 audit.
SOC 2 Type 2 looks at the same set of controls as Type 1 but reports how effectively you maintain them over six to 12 months through your policies, processes and technologies. Preparation therefore takes about as long as for a SOC 2 Type 1 audit.
Accern kick-started their compliance journey with a SOC 2 Type 1 before pursuing their SOC 2 Type 2. As a new company, there was a lot of work going on behind the scenes implementing several controls before moving on to the audits.
The Type 1 audit ran for four to six weeks. For Accern’s SOC 2 Type 2, there was a six-month observation period. Accern and their auditor communicated and collaborated in the Tugboat Logic platform in both instances, which kept everything running smoothly.
“We mutually agreed on a six-month observation period with our auditor. But some controls are completed annually, right? So our auditor explained that for the controls that did not fall into the six-month observation period, in auditor language, they called it a nonoccurrence,” explains Parul. “But auditors still want to see that Accern has the control in place. So when we renew our SOC 2 Type 2, they will see the functionality.”
Because Accern completed a Type 1 and Type 2 so close together, there were very few nonoccurrences on their report, giving Accern and their clients additional security assurance.
Accern’s SOC 2 Type 2 Speedbumps
The heaviest lift in Accern’s SOC 2 Type 2 process involved population extraction and collecting evidence.
“Population extractions for SOC 2 Type 1 are simple. For example, suppose you onboarded a few users within a month. In that case, the auditor may require evidence for one of those users. But SOC 2 Type 2 requires you to extract a set of populations for the auditor. For example, you need to pull a list of users who were onboarded for the entire six-month period, as well as a list of those who left the organization.”
Extraction is a team effort, and at Accern, Parul had to work with multiple departments, for example the customer success team and the products team. Each team is responsible for pulling its own evidence and populations. To handle the workload, Accern assigned control owners within Tugboat Logic.
“Everything was labeled and each control was assigned. I could see the status of those controls, which helped keep us on track,” explains Parul. “The other thing that helped us was to have these recording status meetings. We created a Slack channel and invited the appropriate stakeholders to communicate and document everything transparently. Any queries we had or delays, we kept in touch.”
Reflecting on Accern’s Experience and Success
Accern learned a lot on their SOC 2 journey, but Parul has an important pearl of wisdom for organizations pursuing SOC 2 for the first time.
“The universal controls for SOC 2 are very generalized. Some controls will apply to you and others won’t. It’s important to set expectations with your auditor during scoping so that you don’t work on the wrong controls. It’ll eat up a lot of time and take away the time from the controls that are relevant to your organization,” Parul shares.
Even though Accern completed their SOC 2 Type 1 and Type 2 quickly and without many hiccups, Parul says that their biggest challenge starts now that they need to maintain ongoing compliance.
“Now that we’ve completed the exercise and have our SOC 2, we’re in a much better position to serve our customers. And if we want to go for ISO 27001 next, it’s easier. As I mentioned earlier, SOC 2 has a lot of information security controls that are generalized globally. So any similar audit that you would plan next, there’s already so much overlap with the other audits,” explains Parul.
Tugboat Logic Assists Accern in Acing SOC 2
Parul used spreadsheets and worked through processes manually in her previous compliance work. But one of the first tasks Parul took on when she joined Accern was familiarizing herself with Tugboat Logic.
“The greatest thing about Tugboat Logic is that I can manage the entire project within the tool,” explains Parul. “Even the auditor was onboarded. So they can look at the evidence within the tool and that cut down on email!”
Sending emails is quick. Waiting for a response is time-consuming. Everyone is busy! Using Tugboat Logic, Parul could notify the relevant individuals directly, including the auditor, so compliance work could happen in real time. The auditor could see uploaded evidence instantly, streamlining the path to completion.
“Completing everything in one place was convenient for our auditor as well. They had everything in one place. They could also see our integrations,” Parul explains.
Accern was also pleased that their integrations continue to run and pull evidence at a set frequency, which helps them maintain continuous compliance.
“Automating our integrations removes a lot of manual work. It’s more important for us now to focus on strengthening our controls rather than doing the same exercise repeatedly, pulling those same kinds of reports. Why do that when Tugboat Logic automates it for you? It’s been so helpful,” explains Parul.
You can watch the full video here to hear all the webinar attendees’ questions and the advice Parul shares!
Learn More About Tugboat Logic
With our SOC 2 automation, you’ll have a clear roadmap to certification so that you can complete your SOC 2 quickly, confidently, and cost-effectively. Just like Accern!
Our platform guides users through every step of the process. It even provides prebuilt policies and controls mapped to the SOC 2 framework. It’s a central system of record to assign controls to owners across your organization and store all evidence, clearly proving all SOC 2 controls are implemented.
So, if you’re looking for a stress-free and straightforward way to get through SOC 2, grab a free trial of our product. And if you’re ever confused or a little lost, our team of ex-auditors and security veterans has over 100 years of combined experience working in security. We’re always here to help.