Key Takeaways
- Know Your Controls: Success starts with a clear understanding of systems and controls. SmartDollar’s team owned their processes and provided strong evidence throughout.
- Stay Organized and Communicate: A structured approach to evidence collection and clear internal communication helped keep the audit on track and efficient.
- Leadership and Culture Matter: Strong management support and a culture of accountability and improvement drove timely execution and team alignment.
There is no question that SOC reports are an important part of the compliance landscape. Many service organizations have clients that require annual SOC reports to allow them to be confident in the service organization’s security practices. At LBMC, we have performed SOC audits for many years and have seen that while all clients want to be fully engaged, efficient and organized, there are some who really stand out in these areas.
A Case Study: Ramsey Solutions and SmartDollar
We recently performed a SOC 2 audit for a client that set themselves apart in their efficiency, timeliness, organization and commitment. Ramsey Solutions provides financial guidance that has helped millions of people get out of debt, save money and build wealth. One of the services they offer is called SmartDollar. Ramsey Solutions chose LBMC to perform their SOC 2 Readiness, Type 1 and Type 2 audits for the SmartDollar system. It didn’t take long to know that they were on top of their game and ran a great organization. And this was evident in the audit process as well.
What Made the SOC Audit So Successful?
Since the project went so smoothly, the LBMC team sat down afterward to identify just what made it so successful. In addition to our thoughts on the project, we reached out to Cliff Neeley, Sr. Vice President of SmartDollar, to get his insight on how they were able to achieve such a successful SOC audit. We identified several areas where the SmartDollar team excelled:
1. Deep Understanding of Systems and Controls
The SmartDollar team had a clear understanding of their system, the controls they have implemented and how those controls operate. It is imperative to know that the controls operate effectively throughout the audit period. We have seen some audit firms that prescribe controls to their clients in order to speed up the audit process and produce SOC reports faster. However, it is important for clients to own their controls, to know that they are effective, and to know how to produce good, solid evidence.
2. Exceptional Organization in Evidence Collection
They were very organized in collecting and providing evidence to us. In an organization the size of Ramsey Solutions, evidence can come from many different places, and there needs to be a solid process for collecting, reviewing, tracking and providing evidence. LBMC uses a state-of-the-art software solution called Fieldguide for requesting and collecting evidence. Ramsey stayed organized internally by using a tracker in Microsoft SharePoint. This was initially developed during the readiness assessment and continued to provide value through the SOC 2 Type 1 and Type 2 audits. The centralized tracker captured essential information, and each control was linked to a secure folder for uploading the supporting documentation, making it easy to stay organized and respond efficiently to internal requests. For the upcoming SOC 2 audit, the SmartDollar team is implementing a Governance, Risk and Compliance (GRC) tool to make the process for collecting, organizing and providing evidence even better.
3. Strong Internal Communication
Good internal communication was an essential part of the successful audit process. When the SmartDollar team communicated evidence requests to the larger team, they included necessary information like the detailed request, due date, and scope, but also the specific label for the files in order to make it easier to identify what the evidence was for. There was consistent follow-up on requests to ensure they stayed on track. While we were on site and in our weekly status calls, we could see that there was good communication among the various teams.
4. Adherence to Timelines
They were effective in adhering to timelines for evidence. During any audit process, there is a great deal of evidence to track down, review and provide to the auditor. One of the most challenging parts of any audit process is to stay on track with the evidence collection deadlines. The SmartDollar team kicked off the process internally with a meeting with the core team, followed by a meeting with all the potential evidence contributors. They laid out key milestones and asked team members to block time in advance for collecting evidence and the in-person interviews. By engaging the whole team early, they were able to avoid surprise requests that would interfere with the normal workday activities.
5. Committed Management Support
Management supported the project and set the tone for getting things done. The whole team understood the importance of the SOC 2 audit, which helped drive strong participation and on-time submission across the board. I really can’t emphasize enough the importance of a whole team being unified in their drive to achieve a goal. This indicates strong leadership and an effective culture within the organization.
6. Openness to Feedback and Continuous Improvement
The team sought feedback on their controls and processes. The Ramsey SmartDollar team had a genuine interest in continuous improvement. Any recommendations we made were appreciated and acted upon.
7. The Value of In-Person Interviews
The in-person interviews helped to kick off the process, fostered great collaboration, and helped clarify questions in real time. Since COVID, many clients prefer to have remote interviews, and we certainly have the tools and experience to do so. But we are always available to come on-site, and we do see many benefits and efficiencies when we can meet face to face with our clients.
Final Thoughts and Congratulations
Congratulations to the Ramsey Solutions SmartDollar team on successfully completing the SOC 2 readiness, Type 1 and Type 2 audits! We look forward to continuing our partnership with them in the future. At the conclusion of the process, Cliff Neeley said, “We really appreciated the responsiveness and flexibility of the LBMC team, especially during the in-person interviews. Fieldguide was also a great tool for keeping both sides aligned on open items and overall progress.”
Best Practices for Your Own SOC Audit
If you are planning a compliance audit, these practices can help you be successful too.
- Take the time to really own and understand your system and the controls you have in place to protect it.
- Get organized and have an effective way to communicate regularly with internal team members so deadlines can be met to keep the project on schedule.
- Make sure you have management support. This sets the tone for the project and how important it is to the organization.
- Be open to feedback from your audit team in order to improve your overall security posture.
- And if possible, meet in person with your audit team for interviews; this truly helps build valuable partnerships!
Partner with a Trusted Audit Provider
We appreciate that Ramsey Solutions chose LBMC to be their partner for SOC 2 compliance. If you are considering a compliance audit, it is essential to work with an experienced auditor who can guide you through the process. LBMC helps companies of all sizes and in all industries with their compliance efforts for SOC 1, SOC 2, SOC 3, HITRUST, PCI, HIPAA risk assessments, ISO, penetration testing, and cybersecurity consulting.
Content provided by Richard Beard, Senior Manager, Cybersecurity, LBMC, PC