Prescient Assurance on how compliance automation is delightful for both auditees and auditors
Leaders in security testing and compliance certification, US-based Prescient Assurance LLC is a trusted infosec auditor for thousands of fast-growing businesses around the world. To cover a wide range of infosec standards, including SOC 2, ISO 27001, and HITRUST, Prescient Assurance has recently come to embrace compliance automation platforms like Sprinto for managing peer reviews, completing audits, and issuing certifications and reports in an efficient, ‘hi-tech’ manner.
Auditor: Security Testing and Compliance Certifications
Faster evidence review
Controls, chaos, and complexity
The rising interest in infosec compliance audits and security certifications has closely trailed the global surge in cloud-native businesses. While this is a clear sign that modern companies are adopting a security-first culture, it is also a call to arms to ensure that regulations and protocols help, not hinder, this moment. “Startups – they want to focus on their business, but it can be hard if you have to keep making time to drive compliance and collect audit evidence, week after week,” notes John D Wallace, founding partner at Prescient Assurance.
On a regular day, just implementing good security practices is hard. Without a larger organizing principle and a central practice, implementing any formal security compliance program can become tedious, unpleasant, and, worse, altogether ineffective. Indeed, a far broader set of organizational challenges persists for remote-first, cloud-native companies looking to implement security compliance programs and complete audits, such as ensuring the right level of security and privacy training, endpoint security, an incident management process, and more. “To add to their woes, the scale and diversity of cloud-native businesses make a one-size-fits-all approach to compliance programs nearly impossible,” remarks John.
Not knowing what controls to implement, and what surprises auditors are going to present are two big concerns for a cloud company looking to do a security audit.
A lead auditor himself, for the better part of his career John has led and guided audits in a manner that can only be called ‘manual’. “There would be numerous meetings that would lead up to an audit, even for something as basic as SOC 2 Type 1,” John says. “And because there would rarely be a centralized evidence and document repository, a big part of our time went into counseling auditees through the process of evidence collection and maintaining a repository,” he adds. “Sure, the drafting process was expedited because you are on site and taking notes, but leading up to that point you are on calls and meetings with your auditees, doing extensive documentation work, which, put together, would take up to 20 hours,” adds Kate Dunn, who oversees SOC 2 audit ops at Prescient.
Remarking on the dynamics at work, Kate says, “From the auditee’s perspective, going through an audit can feel like taking a test – a whole different ball game in terms of stress. As auditors, you want to do a good job and work on quality assurance across the board. At any point, this relationship is successful only if there is trust, integrity, and due diligence on both sides.”
Compliance automation: A Cambrian moment
In terms of advancement, there hasn’t been much movement from the governing bodies. Lack of engagement and poor promotion of technology keep the practice of compliance and audits grounded in methods that mandate human effort – something inherently time-intensive and prone to error. “If you ask me if I could do what I was doing 2-3 years ago for 30 more years, that’d be tough,” exclaims John.
With compliance automation, the larger compliance ecosystem has undergone a tectonic shift. By mapping key compliance criteria to the corresponding controls and checks, compliance automation platforms like Sprinto remove one of the weakest links in the audit process – evidence. Notes Kate:
There’s no need to weigh pros and cons – the value of compliance automation is instantaneous.
Chiefly, compliance automation platforms solve for alignment. By removing internal friction that takes a toll on IT leaders, a compliance automation platform connects the organization, prioritizes compliance tasks, organizes roles and responsibilities, and implements workflows across the board to drive the entire org, at once, toward compliance. “In essence, it solves for expertise or lack thereof,” hints John.
From an auditor’s perspective, compliance automation is a game changer. Without platforms like Sprinto and the assistance they offer from a consulting perspective, companies would be lost in Excel sheets and filling out questionnaires. Compliance automation streamlines the process from beginning to end. It pieces together an overall picture of what they are doing with audits, which adds visibility for auditees and auditors.
Unlike older, manual methods, which focused heavily on technical controls, compliance automation platforms do not abstract the context away. As flexible systems, they reflect a business’s present reality, embracing its modus operandi to unlock compliance. “The platforms do a good job of defining high and low priorities as per the business,” highlights John.
Powered by integrations, compliance automation platforms have proven helpful in ensuring businesses never lose sight of what governing bodies demand of them. “A thing for compliance automation is that it helps mature practice. It is a platform that can grow with you,” notes Kate. “As things change, you add more people to headcount, frequencies of the test must change and be refreshed, and this is where I think automation platforms have an upside – you always know when something needs revising; there is benefit in terms of helping clients stay on top of things,” she adds.
“In fact, once you are plugged in after that first year, year after year compliance becomes simple. It’s kind of on autopilot, so you are able to focus on business and grow and scale it, without worrying about a daunting audit every year,” adds John.
Compliance automation pays dividends and it works with you.
Audits made delightful
Compliance automation platforms like Sprinto ensure precise, performant, and delightful experiences for auditees and auditors.
For auditors, automation provides a substantially high level of assurance, to the point that many, including Prescient, have modified their processes and systems around compliance automation. “This is equally an opportunity to make audits enjoyable for auditors and positively influence their day-to-day,” remarks John.
One of the benefits of leaning on compliance automation platforms is the assurance of high-quality evidence.
Because platforms like Sprinto go the length to show actual evidence, not just tests passing against a control, auditors can carry out evidence sampling easily and more confidently. “Sprinto is a great tool to kind of help the process – instead of having to have numerous meetings and documents all over, we get a well-defined screenshot repository. This makes the process much faster and smoother for auditors,” says Kate. In terms of the impact on the audit, in Prescient’s experience, the quality of audits holds as before. “If it’s accuracy and quality of audit that is the cause for concern, I will say that auditors do not blindly pass stuff. We operate from a place of integrity and do the due diligence needed. What changes is the efficiency with which we do our job. There is no part of compliance automation for which the auditor covers their eyes,” she highlights.
Working with Sprinto
“In terms of how we work with Sprinto, it looks different because of the white glove service the team offers to their clients,” remarks Kate. “A lot of the work we do with others is to help them get unstuck. Pre-audit isn’t there with them. And it is a challenge to get clients to complete things on time and remediate anything that they forgot to provide before we start reviewing and drafting,” she adds.
With Sprinto, that whole experience for us is very efficient and streamlined, the things are coming to us ready.
For auditors to do what they are required to – review, draft, and attest compliance – quality evidence is key. Sprinto snapshots evidence when checks pass and logs it in a manner that is auditor-grade. “It’s simply a matter of reviewing evidence, accepting or rejecting it – this is efficient and scalable,” notes Kate.
Audit firms like Prescient have turned a new leaf by embracing compliance automation platforms like Sprinto. Heralding a new, more efficient, and scalable way of carrying out audits, John remarks that this technology has made the audit experience altogether better. “It is refreshing that there’s a new way of doing things and we can move the industry forward. At Prescient we can play a part in moving the industry forward,” notes John.