Over the last three years, AssuranceLab has become the leading provider of SOC 2 in Australia and New Zealand. Like our startup business clients, our success comes from relentless focus on our purpose - serving our tech startup clients - and innovation to set a new standard in our field.
Prior to founding AssuranceLab, I was a Manager leading teams of consultants in a Big4 assurance firm. For those not familiar with "assurance", it's all about trust. We were providing digital trust through reporting on our clients' information security controls, using the SOC 1 and SOC 2 standards. These reports are verified through an audit and issued to the customers of our clients, in an approach called 'third-party assurance'.
The problem that defined our purpose...
I was very proud of the role my teams played in supporting large, industry-leading, global clients. But the companies that needed trust the most were at the other end of the market. The startup businesses. The earlier stage companies pursuing enterprise customers, or scaling into global companies. Without these digital trust solutions, they were at a disadvantage. Enterprise businesses using their third-party services have their own information security and reputation at risk. So without a trusted assurance report to verify their information security practices, enterprise customers steer clear of those startups.
Many startups fail before being able to onboard enterprise customers, which are needed to fuel their continued growth. I was determined to support these startups to give them that chance to grow. It became clear that as a Manager in the Big4, I couldn't do that. Big4 consultancy fees factor in the opportunity cost of other lucrative audit services for the "top end of town". The internal risk teams are determined to protect the firm's brand and reputation at all costs. Rigorous frameworks and control libraries have been developed over many years of serving traditional businesses, that don't align to modern operating practices and tech culture.
The foundation of AssuranceLab
AssuranceLab had a number of "false starts" before becoming the business that it is today. The assurance industry was one of the few global industries yet to be (significantly) disrupted by modern innovation and technology. I suffered from "imposter syndrome" in an industry dominated by the big players and their traditional approach. I started off as a consulting services provider, offering clients support on the path towards achieving the SOC 2 standard.
In order to offer our clients a full solution (i.e. the actual SOC 2 reports), we relied on the assurance firms auditing and issuing SOC 2 reports. But these firms would focus inwardly on their rigorous risk and quality, and didn't treat clients as customers. While that protected the quality integrity of the standards, it also made it inaccessible; excessively expensive, confusing, and time-consuming. I was stuck in the middle trying to bridge the language barrier between the client and audit firm, while neither cared much for the other's perspective. In order to really solve our clients' needs, we needed to provide the full path to compliance with audit services.
Our landmark partnership
I was fortunate to have a good relationship with the CEO of a high-flying CPA firm in Florida, A-LIGN. We shared the same values and view of the market. A-LIGN was formed for a similar purpose, and was making strides in changing the approach to digital trust in the more mature American market. Scott recognised the broader market need outside of the US and that partnerships were the best way to access other regions.
It was January 2018 when I decided it was time to start a business in this 'broken' assurance industry. The founding purpose was to provide digital trust to the thriving startup ecosystem in Australia and New Zealand. But in this broad, complex and ambiguous area of professional services, it was critical to collaborate to achieve the best outcomes for our clients. Our business, PWCollaborations Pty Ltd, was formed in partnership with A-LIGN.
Our partnership-focused model went against conventional wisdom and attracted criticism. But this approach enabled us to leverage the various functions that support our digital trust solutions at scale, without reinventing them ourselves. We could use the functions that our partner CPA firms did well, and focus our attention on the parts that could be done better!
It took a couple of trips to Florida, some honest conversations, and hard work on both sides over multiple years, to turn this into a streamlined partnership that’s thriving three years later.
Our breakthrough technology
We onboarded our first eight clients through 2018. SOC 2 was starting to catch on in ANZ, following a big few years in America. It had become a norm and almost a “must-have” for tech businesses over there.
In the early stages we didn’t have the luxury of funding to grow the team - I had to revert back to my associate days and conduct all the reviews myself. It was a tough grind. Spending several days with each client asking countless questions, documenting up long listings of their control practices, control gaps and recommendations to assist their compliance efforts. They each had similar questions and needed my guidance to understand SOC 2. That didn't leave much time to grow the business or handle the many other admin tasks that come with running a business. Perhaps more importantly, I was spread thin across those clients and getting confused in the detail of each one. There was too much in my head - resulting in inconsistency and errors.
Being in the ecosystem of startups, full of innovators and entrepreneurs, the advice was to automate it. When the concept was first suggested to me, I must admit - I was a skeptic. I was thinking; "you can't possibly automate a consulting function". It sat in the back of my mind. On face value, it sounded great. Maybe it could alleviate the pressure, improve quality and consistency and get some time back in my day!
As I conducted the next few reviews, I noticed the patterns in what I was asking, what responses were valid, and the logical next questions or outcomes that would follow from each question. When I reflected on why audit and compliance was so painful, it was the language barrier between clients and auditors. Clients don't understand the standards and requirements, and auditors don't understand the nature of the client's business. When there are hundreds of questions being asked and only quick and rough notes being taken on the fly, communication breakdowns and inconsistencies happen. If the right questions were asked, in a clear and consistent manner, to determine only valid and clear responses, and with an accurate transcript to refer back to, it could remove the pain points!
I set out to explore the automation. It started with a combination of Excel and Typeform to ask the relevant questions, obtain valid responses, and automate the relevant outputs. When I ran through it in a guided client workshop, it worked so well I questioned whether I needed to be in the workshop at all. As it turns out, it was more effective when clients did it in their own time! They could do it when there were fewer distractions, more time and focus to think about the right answers, and could refer to other materials as needed.
The automation started as a way to reduce the work on our side, but the client feedback was astonishing. They appreciated the time it put back in their day, the clarity and traceability between their inputs and the outputs, and the simplicity it offered them to get started in their own time without waiting on us.
It's now been revised in over 100 versions to improve and expand the questions, align the outputs to the audits that follow, and add various other functionalities and enhancements. I've been amazed to see the results in time savings for us and clients, end-to-end quality improvements, and our clients' positive feedback in an approach that "just makes sense". We took it to a new level when it was migrated into Checkbox.ai, the award-winning no-code development platform that brought various UX improvements and automated output reports.
How we set a new benchmark in digital trust services
Over the last few years, we’ve continued to develop our approach to tackle each of the pain points in information security compliance and audits. Our CPA partnerships enable AssuranceLab to perform the end-to-end services to support our seamless customer-first focus. We focus on really understanding our clients and tailoring our service to support their individual needs.
Our technology helps our clients get started, for free, in their own time, and saves the traditional readiness reviews that are onerous and confusing. We developed an operating model to work with our clients continuously, at their pace. That provides support whenever our clients need it in our "agile and collaborative services", rather than leaving it with them outside of the scheduled audit.
We partnered with tech platforms, freelance and small business consultants, including some of our initial competitors, to bring a higher breadth of value to our clients. While retaining independence we've been able to guide our clients in various areas of information security, compliance, and related services beyond what we do ourselves.
Read more about why our clients choose us in our post, the five reasons clients choose AssuranceLab.
We re-branded to AssuranceLab to reflect what we do. We provide trusted assurance solutions, while continually exploring new ways to do it better. Through our perseverance and in large part thanks to all our clients and partners that put their trust in us, we’ve become the leading provider of SOC 2 in Australia and New Zealand. Our journey is still in its early stages, with big plans for the years ahead!