Daniel Garigen, CPA Partner
As the business landscape continues to change drastically, a growing number of organizations are outsourcing critical business functions to external service providers. Given the increasing frequency of data breaches and misuse of sensitive information, before deciding to work with a service provider, vendor management departments require a high level of assurance that the service provider will properly protect any shared data.
The American Institute of Certified Public Accountants (AICPA) has created a framework, used by CPAs, to assess and give assurance on the design and operating effectiveness of internal controls as they relate to data security: the "SOC 2" report. A SOC 2 report evaluates a service organization's controls against the AICPA's Trust Services Criteria (security, and optionally availability, processing integrity, confidentiality, and privacy); a Type 1 report covers control design at a point in time, while a Type 2 report also covers operating effectiveness over a review period (commonly six to twelve months). SOC 2 has become the gold standard for vendor management departments looking to gain a high level of comfort that their outsourced service providers are handling shared data securely and in line with their service commitments.
SOC 2 examination reports are becoming a near-automatic ask by vendor management departments. When service providers are first asked for one, panic sets in. For the untrained, SOC 2 can be extremely daunting: service companies worry about whether their controls will meet the criteria, and they fear that they lack the internal bandwidth for the readiness work and the ongoing monitoring that follows. That is where the team from Dansa D'Arata Soucia (DDS) can help.
By providing a clear roadmap for clients to get through SOC 2 with minimal drain on internal resources, DDS has demystified SOC 2 reporting. They operationalize this in conjunction with a company called Vanta, a SOC 2 readiness-assistance and testing-automation platform. Vanta offers a policy generation tool, has a defined list of recommended controls to implement, and integrates directly with clients' cloud infrastructure providers and other relevant software that they use (task trackers, code repositories, HR platforms, etc.) to automate the evidence gathering that historically has taken hundreds of hours to collect and provide to the SOC 2 auditor "manually". This allows DDS to automate its testing. "Rather than hundreds of screenshots and weekly meetings, we are able to get read-only access to our clients' Vanta dashboards and document compliance without our clients having to be bothered at all for a large majority of the SOC 2-relevant controls," says Daniel Garigen, the CPA Partner at Dansa D'Arata Soucia (DDS).
Vanta also uses agents installed on servers and workstations that report back on endpoint controls such as hard drive encryption, certain configurations, firewalls and anti-virus, screensaver locks, and more. As with any agent-based evidence, the reporting covers only the machines that actually have the agent installed, so a complete asset inventory is what makes that evidence meaningful.
A combination of Vanta as readiness and automation partner and DDS as auditor can help make a first-time audit manageable. "We have spent a significant amount of time to not only become experts in the AICPA's attestation standards for performing SOC 2, but also to learn how to work with SOC 2 automation tools like Vanta," mentions Garigen. Before SOC 2 automation tools like Vanta became available, there was a major industry problem. Companies needing a SOC 2 examination did not know where to start. They did not know what controls were required. CPA firms could not answer these questions or help write SOC 2 policies and then issue an opinion, because auditor independence rules bar a firm from opining on what would be considered its own work. "Vanta is our conversation starter and our client's readiness partner. We then supplement Vanta by finding a way to document our independence while still providing plenty of assistance," states Garigen.
DDS specializes in SOC 2 attestation for companies going through the process for the first time. Rather than the "rubber-stamp", "pass or fail" approach to the attest function that many auditors take, DDS truly wants to see its clients succeed. Drew Sutherland, Delivery Manager at Invisible Technologies, said, "DDS's team of professionals took away all of the anxiety and mystery surrounding a SOC 2 audit for us. We were able to get our questions and uncertainties answered and clarified months ahead of time, so there were no last-minute surprises or action items. The audit itself was seamless; we felt like we were working and collaborating with a team that wanted us to improve and succeed. We are 100 percent satisfied with how the entire process was conducted and have already recommended them to other firms."
Having established a unique niche, DDS has recently moved into a new space at 500 Pearl Street in Buffalo, New York. This is the newest, most impressive space in Buffalo. The company has made this investment to accommodate its growing staff and visions for its future. "We have increased our staffing levels by approximately 30 percent over the past year alone and doubled the size of our department that performs SOC 2 examinations. We will continue to look to hire top talent to supplement our SOC department," concludes Garigen.