Blog post

SOC 2: New lines of business, new workflows

Serana Warren

Mergers and acquisitions are exciting — they bring new capabilities, expanded market reach, and fresh opportunities. But from a compliance perspective? It can get a bit chaotic!

In the past year, Nutrient completed its acquisition of Integrify, which has now been welcomed into our diverse product lineup as Workflow Automation Platform. Workflow Automation is also in scope for our SOC 2 audit, so consider checking out the details in our Trust Center.

Taking on a new line of business involves breaking down silos between highly independent and freestanding business units and turning them into a collaborative and integrated team — it’s a tall order even before you factor compliance into the mix.

Since we began our compliance journey, we’ve onboarded new lines of business into our compliance initiatives several times over the years, and this blog post will discuss some of the key takeaways.

The best of both worlds

When two companies come together, so do their approaches to security and compliance; in other words, we found ourselves with overlapping but slightly different ways of handling comprehensive information security programs.

Rather than forcing one approach over the other, we took the opportunity to reassess by asking the following questions:

  • What policies do we share? How could we take the best elements of both organizations and merge them into our policies?

  • What language could be improved? Is there something we can learn from our new business unit and integrate it into wider company policy?

  • Are our existing policies scalable and adaptable to new lines of business? How do we adapt our existing language to account for the expansion in our business scope?

  • Do we have redundancies in our controls that can be consolidated for efficiency?

Many organizations approach acquisitions with the assumption that the larger entity’s processes should take precedence, throwing out anything the smaller organization did well already.

However, by taking the opportunity to reflect and learn from our new partners, we blended the most effective practices from both organizations, refining our security posture while ensuring a smooth transition for the teams involved.

Operational challenges and rebuilding the mountain

In many ways, the compliance journey is like climbing a mountain. From afar, it’s easy to look at the snowy peak in the distance and flippantly wonder to oneself, “That doesn’t look too big. How hard could it be?”

However, once you pack your bags and start climbing, it very quickly turns into a different story. You planned your path ahead of time, but once you’re actually out on the trail, you get to face the steep and gravelly trail ahead of you, one exhausting step at a time.

You think to yourself, “Wow, it would be way easier to walk up this trail if I weren’t carrying a backpack that weighs half as much as I do.” But at the end of the day, you actually really need the stuff you’re carrying, despite how heavy it all is.

If compliance is the mountain trail on the evergreen heights of a successful business, then operational resources are the backpack you have to carry to get yourself up to the peak. When you onboard a new line of business, you’re effectively picking up an extra backpack so that you can climb an even taller peak. Needless to say, if you want to carry all that stuff, you have some reorganizing to do.

The toughest challenges of consolidating a new line of business into an existing compliance program end up being the operational realities — all the “extra stuff” needed to climb the compliance mountain — that need to be brought into line with existing policies and practices to meet compliance expectations. We had to rebuild our path up the proverbial mountain to ensure we could continue to scale it successfully.

Security compliance isn’t just about the product itself: The daily nuts and bolts of operations play an enormous role in achieving organizational compliance goals. As part of the consolidation process, we had to tackle some of the more unspoken but incredibly complex operational challenges that have come with onboarding new lines of business into our compliance program:

  • Aligning workstation configurations to keep new employee systems consistent with endpoint security policies.

  • Refactoring system descriptions, architectural diagrams, and documentation to account for increased integration with our systems.

  • Consolidating user identity for third-party platforms to make use of company SSO login patterns.

  • Deploying the existing company password manager for onboarded employees, and training a whole new set of staff around the policies and expectations that come with our use of a password manager.

  • Onboarding infrastructure to our compliance automation platform and retooling the channels by which automated compliance evidence collection flows.

  • Integrating HR tooling and aligning processes, such as offboarding and access controls.

These are the kinds of details that, if overlooked, can create hidden security risks. Addressing them as part of our larger compliance initiative ensured a smoother transition and a stronger overall security posture, and it continues to build our organization into something larger than just the sum of its parts.

New rules: Navigating the differences of new auditor expectations

In the interest of consolidating our workflows (pun intended), one of our early decisions in the acquisition process was to bring Workflow Automation into the fold with our audit partners as opposed to continuing to juggle a separate and disconnected audit engagement for our new line of business.

It’s difficult to overstate how complex this switch was; switching audit firms isn’t like swapping one cog in a machine for a new one. Auditors bring their own perspectives, and switching from one set of expectations to another is a learning curve. It’s easy to see SOC 2 as one standardized monolith of control expectations, but there’s a wide range of evidence that different auditors review as part of their control attestations.

Onboarding a new organization from one audit firm to another means first translating evidence requirements from the new firm; only then can we review existing control structures and evidence collection to determine where retooling and revisions are needed.

In some ways, retooling for a different auditor can be more challenging than starting the audit process from scratch. Two controls may be worded identically, yet different auditors can have entirely distinct — and sometimes conflicting — interpretations of how their requirements should be met. Letting go of previous assumptions about control implementation can be difficult, especially when prior auditor expectations have shaped existing processes.

Our skilled audit partners at Prescient Assurance were able to work closely with us to provide guidance and expectations for the changes that needed to come into play to ensure our Workflow product and business organization met the evidence standards set for our audit throughout the transition from the prior auditor.

Bridging the gap to meet the expectations of a new auditor for the Workflow team required clear communication, some control redesigns, and a bit of back-and-forth to ensure we were meeting SOC 2 requirements to the expectations of our audit partners.

Conclusion

Integrating Workflow Automation (formerly Integrify) into our SOC 2 audit cycle meant untangling a web of policies, controls, and expectations while keeping regular operations running smoothly.

Merging a new line of business into our SOC 2 program wasn’t easy, but it was a valuable opportunity to refine and strengthen our processes.

By embracing the challenges, keeping an open mind, and focusing on security as a shared goal, we were able to turn a complex audit cycle into an invaluable collaborative effort that helped build interdepartmental communication.

Author
Serana Warren, Information Security Officer

Serana is a cybersecurity specialist with a passion for open source technologies, digital rights, and online privacy. Outside of work, she enjoys writing science fiction and playing tabletop roleplaying games.
