How automation enables compliance maintenance, audit preparation, and easy scaling for NIUM

Nium is a San Francisco and Singapore-based cross-border payments company. A leader in global real-time money movement, Nium provides the payments infrastructure that numerous financial institutions, platforms, and businesses rely on to collect, convert, and disburse funds around the world instantly to accounts, cards, and wallets.

Frameworks: SOC 2, ISO 27001, PCI-DSS

Location: Singapore

8 months: Time to complete SOC 2 Type 2 audit

97%: Degree of automation in compliance management

Challenge

While already ISO 27001 and PCI-DSS compliant, Nium's need for SOC 2 compliance and an audit report grew as it began engaging prospective customers in the US.

Because SOC 2 is a more demanding framework with a rigorous audit, Nium wanted to avoid relying on an IT team to meet the control maintenance and evidence requirements that the SOC 2 audit brings.

“SOC 2 is an intense, evidence-focused audit. If controls are not automated, it adds more burden to IT teams to ensure we do not miss something. If we miss tracking controls even for a day, it results in control failure, and it will be captured in the report,” remarks Raj Viswanathan, CISO at Nium.

To move towards a clean audit report, comprehensive control coverage, continuous monitoring, and accurate evidence were key.

“Our existing control environment was strong, but SOC 2 demands more controls and a greater burden in terms of maintenance and evidence collection. The manual approach would have held us back,” recalls Raj.

Nium needed to complete the SOC 2 audit swiftly without disrupting teams or consuming their bandwidth. “Automation was crucial,” says Raj. “Instead of adding more people to complete specific tasks like incident monitoring and response, we preferred a solution to automate monitoring, track compliance, and collect evidence at once.”

Automation is a capability that helps us do more with less.

Nium sought a solutions partner capable of integrating deeply with its cloud stack and automating control testing and evidence collection.

Since this was a major undertaking and part of a broader shift from manual to automated compliance management, Nium wanted to work with a partner who shared its vision: automating control management offers significant benefits, but only if effort is applied in the right places and stakeholders are brought together effectively.

“Sprinto’s was not a scope-led approach but rather a commitment to working together to find solutions—a shared vision aimed at achieving a clean compliance report,” recalls Raj. “The team was dedicated to the path leading to a clean compliance report and worked backward, identifying the necessary integrations and required changes, ensuring alignment throughout.”

From the auditor’s point of view, if there’s no evidence, then there is no control. Sprinto greatly helps with the evidence part of things.

Solution

Since its stack was immediately compatible with Sprinto, Nium could get the platform up and running fast. “Together, we found workarounds for cases where Sprinto couldn’t integrate instead of waiting for full development. Our tech team didn’t need to invest a lot of effort either,” Raj notes.

With its cloud stack integrated, entities defined and classified, and roles configured, Nium jumped right into action. Responsive integration ensured Sprinto pulled all the right information, highlighting misconfigurations and anomalies without false positives or false negatives.

“During this exercise, we realized that we needed to address certain infrastructure-level controls to fulfill specific SOC 2 criteria, such as providing evidence for security controls on endpoints. Fortunately, Sprinto’s automation had us covered,” recalls Raj.

With the dashboard active, Nium could leverage real-time alerts and contextual cues to address instances of non-compliance. Aligned with audit goals, Sprinto maintained momentum and continuity, helping Nium get ready for SOC 2 observation in a matter of weeks. “The dashboard informed us about the controls we needed to address, and these were the only ones for which we didn’t have integrations,” recalls Raj.

Of the 100+ controls, there were no more than 3 controls for which we had to provide evidence manually.

With SOC 2 implementation complete, Nium used this control baseline to move its PCI-DSS and ISO 27001 program management onto Sprinto as well. Mapping the controls common to all three frameworks avoids testing the same control separately for each one.

Sprinto has consolidated all our compliance efforts into one place. There’s control harmony now!

After implementation, Nium used Sprinto’s auditor dashboard for evidence review. With samples selected and shared in one place, Nium completed the reviews in under two meetings. “The only interaction we had was to provide our auditor with an overview and share a few additional pieces of evidence related to our HR function.”

The best thing about using Sprinto for our audit preparation was that the technology team didn’t even realize we had an audit occurring because they didn’t receive a single request from us.

Results

Nium received its SOC 2 Type 2 audit report in under 8 months, following 6 months of observation. Says Raj, “This is the fastest I have ever completed an audit!”

Among other upshots, Raj notes the positive influence of a ‘clean audit report’ on security due diligence. “It’s a lighter due diligence now.”

We are more comfortable responding to due diligence requirements asking for independent attestations. With Sprinto’s ongoing maintenance, compliance is ensured as automation handles testing, evidence collection, and more, eliminating the need for a lot of manual work.

With Sprinto running in the background, Raj takes comfort in the fact that best practices are upheld. Real-time alerts let Nium respond to compliance drift as it happens and maintain a robust security posture. “I’m not too concerned about the next audit. It doesn’t keep me awake because we’re aware that most of our controls are in check, addressed, and we maintain compliance.”

Additionally, Raj feels more confident taking on compliance mandates now that automation-first machinery is in place. “We have a lot of vendors but limited intelligence on them. We are excited to rely on automation to track risk against vendors. Building on an existing solution is easy now.”