A strategy turning the SOC-2 audit necessity into a strong and durable strategic advantage in a regulated industry.

1. Fit for Service
A strategy for service organizations.
Michael Werneburg, 2013.04.13
Updated 2015.11.16

2. TL;DR
A technology & service provider can have great products and still get nowhere
because the clients lack trust. An enterprise risk function can overcome this by
guiding improvements to service consistency.
Bend your audits to shift your focus & capabilities, then use your audit report as a
hall pass.

3. You want to sell to the financial
industry.
But it’s becoming harder.

4. The target market—banks and life
insurance firms—are jointly called
“federally regulated entities”.
They are accountable to
several regulators
domestically and abroad.
OSFI CSA
IIROCOSC
MFDA FSCO

5. DEEPLY
Of particular interest to regulators is the preservation at the
regulated entity of strong corporate governance. In this regard
outsourcing activities that may impede an outsourcing firm's
management from fulfilling its regulatory responsibilities are of
concern to regulators. The rapid rate of IT innovation, along with
an increasing reliance on external service providers have the
potential of leading to systemic problems unless appropriately
constrained by a combination of market and regulatory influences.
Outsourcing in Financial Services.
Basel Committee on Banking Supervision,
Bank of International Settlement, 2005
http://bit.ly/1kGr8wv
The regulators are deeply
concerned with third party risk.

6. Selling information services to
these regulated entities means
meeting their stringent regulations.
The vetting process for a new
vendor can involve 80-page RFI’s
full of questions.

7. Dealing with these requirements
ad-hoc can be difficult, lengthy,
and disruptive.
ITLegalComplianceRisk
Mgmt.
PMOVendor
Mgmt.
…

8. But these clients now also want
annual service audits and SOC-2
attestation reports.
Passing these audits can require
new activities for your firm, and
hundreds of new internal controls.
(You do have internal controls, right?)

9. Your clients know the risks can
be complex.
Fatal to the relationship.
Even “systemic”.

10. What to do
Turn the problem into a strength.

11. The service you offer is where you
have chosen to compete.
Performing at the mandated level
is how you will win.1
You can leverage the risk
management function to get
you there.
1. Drucker. Or someone.

12. Key outcomes:
• Consistently excel in all points of
contact with clients.
• Optimize the fit between internal
activities.
• Adopt managed change as a way of
life.

13. Implementing a “fitness” regime
How to turn this mess around and build a resilient business that performs.

14. The evolving SOC-2 standard is embodied
in the AICPA’s “trust services principles
and criteria”1.
1. http://bit.ly/1luCdHr
It sets the level of performance, and
suggests a governance framework
to monitor and foster progress.

15. DO NOT just approach this as a huge list
of controls to implement.
Instead, step back and understand
what you’re really doing:
altering your company forever.

16. I’ve written about this here1 and here2.
1. http://risktopics.com/service-audits-are-risky-business
2. http://risktopics.com/a-strategic-approach-to-the-value-chain
But it’s a fairly simple. When we
make changes to our core practices,
we’re building a new company.

17. Put it this way: your technology firm
already has standards and practices.
But you’re about to review
hundreds of these, and start
making changes.

18. Your business is a unique collection of
processes and competencies. The crucial
ones span departments, and add value
to your clients1.
Change those crucial processes
and competencies, and you’re
finding a new unique mix.
1. Porter. And then everyone.

19. It’s a new company!
But not just any new.

20. You’ll build a more consistent
company. Consistency is the heart of
culture, and of brand1.
Consistency is a natural outcome
of the governance function
built into the audit process.
1. Porter, again.

21. You’ll also be building a more competent
firm; when you build governance into
your processes, your people eliminate
uncertainty.
A certain company where
everyone understands their role
and what to do next.

22. When your people understand that they
are responsible for reaching a certain
bar for achievement, something magical
happens.
People who have taken a quality
standard to heart expect quality
in everything they do.

23. Even when no auditor is watching.
Adults don’t say, “Oh, we have to
do X and Y right, but the auditor’s
not looking at Z.”

24. A holistic approach can make all this
happen. This is “doing things the hard
way”.
But an unplanned approach will
leave your firm with a countless,
seemingly unrelated, controls.

25. Again, I’ve written about this here1 and
here2.
1. http://risktopics.com/service-audits-are-risky-business
2. http://risktopics.com/a-strategic-approach-to-the-value-chain
But enough; let’s have a look at the
company that emerges.

26. A Case Study
The story of a successful approach to SOC-2, by a technology & service provider.

27. We were a fifteen person firm.
With one client.
And big ambitions.
We’d been in business for a decade.
But new, regulated clients wanted
that SOC-2.

28. We were a fifteen person firm.
With one client.
And big ambitions.
We’d been in business for a decade.
We did SOC-2 “the easy way”,
implemented countless controls.

29. Executive: setting and communicating objectives; evaluating operations and financial
performance; service level management; business continuity planning; budget approval;
vendor management.
Human Resources: background checks; asset entitlements management; hiring and
termination policies; privacy; acceptable use; code of conduct; confidentiality; whistle-
blowing; site security; staff evaluations.
IT: SDLC; change control; disaster recovery; technology standards; patch management;
security incident management; information classification; log monitoring; viruses; bring-your-
own-device; data disposal; encryption; firewall management; remote access.
Internal control: internal audit; risk management; policy management.
(This is a sample; It is not practical to list everything.)
The scope was daunting.

30. Processes
&
controls
Clients
COBIT
Trust
Services
Auditors
Regulators
Vendors
CICA
The sources were many.

31. We did not know where we were going.
As unplanned as our initiative was,
it began to pay off at once.

32. 1. Immediate sales benefits
• Easy RFP’s and RFI’s. Just hand over the
documentation.
• No more one-off requests for proof of
capability from vendor managers, IRM,
legal, etc.
• Shortened and easier sales cycle.

33. In the words of one software executive;
“Now that we have our audit report, we’re
having a whole other level of discussion. The
gate-keepers simply ask for the report and
we’re done. Everyone thanks us for making
their jobs easier.”

34. 2. Operations running smoothly:
• Delivering software updates in a reliable
fashion (1 error in 557 releases)
• Hosting our service in a secure and
uninterrupted fashion (no downtime after
four years and counting).
• Stable processes free the time of SME’s and
management.

35. 3. Life was easier for existing clients
• No more one-off requests for proof of
capability from vendor managers, IRM,
legal, etc.
• Improved “story” for service owners.
• More interest in expanding services with
us.

36. Confident and transparent
• Reduced need for monitoring by clients.
None has ever called for an ad-hoc audit.
• Clarity around roles and responsibilities.
• Comprehensive service level attainment is
demonstrable through reporting.

37. 4. Leaders free to make decisions
and lead:
• Far fewer procedural questions.
• Far fewer mistakes due to uncertainty or
improper process.
• Stable processes free the time of SME’s and
management.

38. Cross-team processes smooth:
• Mature practices mean teams work together
as expected.
• Entrusting functional managers with
governance process leads to automatic
correction of deviations.
• A strong sense of ownership of product and
service.

39. 5. Low turnover:
• People not wearing out from rework and
confusion.
• They enjoy the blend of responsibility and
quality outputs.
• Stable processes free the time of SME’s and
management.

40. 6. Growth:
• Stable processes allow a business to scale.
• Problems that creep in turn up at the first
quarterly risk control self-assessment.
• Persistent problems turn up in the auditors’
report.

41. 7. The magic of being “approved”:
• Having that audit report indicates that
you’re part of the regulated industry.
• Once you’re reached the level of being an
approved vendor, you’ll find yourself able to
rapidly grow in your industry.
• Partners will seek you out. Others will more
readily accept you as a mature organization
with the right types of clients.

42. These things occurred to us
with time.
And only when we had gone
through rounds of corrections
sensing that they were possible.

43. The results are worth it.
Your challenge is to do it
“the hard way”,
to realize the benefits the first time.

44. Having a great product got you
to the door.
Your risk management capabilities
are the security pass to get you in
and keep you in.

45. I can help
My role as a specialist in governance, risk, and strategy.

46. Reach out! I like to advise:
• Understanding risk analysis (MSc in Risk Management).
• Understanding service delivery strategies (20+ years experience).
• Understanding IT and IT governance frameworks (e.g. ITIL, COBIT).
• Mapping the governance framework to business strategy.
• Knowledge of regulated financial industries and the software/service
firms that support them.
• Business process renewal and the writing of process manuals.
• Managing the auditors. (Certified Internal Auditor designation).
• Project management (I am a PMP).

47. Michael Werneburg
647-896-3850
michael@risktopics.com