Updated: Mar 2
SOC 2 requires partnership between technology companies pursuing SOC 2 and the accountancy CPA audit firms that are required to sign off the SOC 2 reports. These parties are polar opposites in many ways, which makes for an interesting collaboration!
It was once posed that there are three tribes of companies: startups, large technology businesses, and what's often referred to as "traditional enterprise", in this case represented by financial services and accountancy firms. These tribes tend to have similar characteristics within themselves and often stick to their own kind. They are, however, pressured into mixing in order to achieve their objectives. Startups have the creativity, innovation and disruptive solutions. Large technology businesses have the scale, robust infrastructure and products. Traditional enterprises have deep pockets and important use cases for the technology solutions.
The three tribes of companies
This concept is interesting in the context of SOC 2 reporting, which is important for startups looking to build credibility and trust with enterprise clients. The SOC 2 standard requires a certified CPA firm to sign off the reports, which forces the mixing of two tribes that are often two degrees of separation away from each other.
Risk: Large enterprises tend to view risk as something best minimised in all cases. Stability is favoured. Startups tend to view risk as a necessity for success, and it is often a large contributor to their success.
Documentation: The auditor saying goes: "if it's not documented, it doesn't exist". Traditional enterprises have hundreds of pages of policies and standard operating procedures. Documentation is seen as restrictive for startups, both in the time taken to develop that documentation, which diverts from more important activities, and in creating barriers to the rapid change and agility that is favoured for their growth.
Process & Controls: Enterprises operate comprehensive control frameworks with clearly defined processes. Things do go wrong, and it's easy to justify controls against things that can go wrong. This leads to layers upon layers of reviews, approval steps, and barriers that prevent the riskier activities. A risk that often isn't considered is that the processes can become so onerous that they prevent important activities for business growth, and/or can lead to people circumventing the defined processes.
These differences in mentality and approach can create significant challenges for those pursuing SOC 2 reporting. They create a language barrier and a difference in viewpoint between two parties needing to work together. In the past I moved from a Big 4 accountancy firm to a startup, and it was eye-opening working with my old colleagues while being part of a new startup world. My understanding of both sides helped to bridge that gap in the startup's SOC 2 pursuit. Nonetheless, I was amazed at how little understanding each side had of the other's perspective.
The ultimate goal of a SOC 2 project is to find the balance point which retains the strengths of an agile and innovative startup, while recognising the importance of established processes that support enterprise clients' risk management requirements. There are risks that become more prevalent with increased scale and servicing enterprise customers.