Cristina’s Compliance Corner: Expectation vs. Reality – What to Expect in your First Year of Compliance

Picture this – you’re building a rocketship startup and you’re heads down on creating something successful and meaningful. You start pitching your company to prospects, with visions of landing an infinite amount of customers to continue building and improving on your already existing success. But, procurement offices and DDQ (due diligence questionnaires) stop you in your tracks, requiring that you obtain an audit or certification prior to being able to successfully move forward with vendor discussions.

We have seen this scenario with  numerous prospects and customers who have sought guidance from us at Thoropass (formerly Laika). In fact, many prospects start this conversation with little to no idea what’s going on – it’s precisely what brought me into this industry. However, there are many who have come to us with some set ideas, expectations, and even some horror stories.

To get those expectations out in the open and set the record straight, I invited Sebastian Cuellar, Senior Account Executive at Thoropass, to join me and talk candidly about sales prospects, their ideas of compliance when approaching the subject, and give better context to the reality of getting and staying compliant . We always have a lot of fun together, but this one was great – check out the recording below to hear some wisdom from the sales floor.

First-year Audit Seekers 

When a prospect reaches out to us, we know they are most likely in one of two scenarios:

1. They know security and compliance are important, and it’s only a matter of time before they will need to get certified.
2. A prospect, client, or customer has requested (or worse, required) a compliance certification, such as SOC2 or ISO27001, before proceeding with procurement. 

As compliance and security gain increasing traction in the business world as a non-negotiable, common audits such as SOC 2 or ISO27001 have become household names. With that said, however, there is still uncertainty and preconceived notions that comes with approaching one of these audits. This has led to many myths and misconceptions. 

Expectations vs. Realities

Below are three of the most common expectations, or myths, that prospects come to the table believing about achieving compliance in their first year. Read on to see a breakdown of where these expectations come from, where there may be an ounce of truth, and how to prepare. 

1. Where do I even begin?

We get it; compliance and auditing can feel like daunting tasks. This feeling often comes from the fact that there is so much uncertainty when approaching a project where onw might not have experience. I’ve often heard from prospective customers that compliance feels like a foreign language. 

For one, this is why working with experts to help guide you in these situations makes all the difference. Hiring compliance or security personnel isn’t always possible, especially for young start-ups. This means that completing an audit or certification often falls on the plate of someone with little-to-no experience in the area. With assistance from an expert in the field, you’ll be able to understand the process better, ask the right questions, and move confidently in the direction your organization needs.

Secondly, compliance and security can mean a lot of different things. You may be looking to implement best practices, mature your organization, or structure your organization more efficiently. Whether by pursuing an auditable framework, such as SOC2 or ISO27001, or simply considering best practices, I recommend always starting with policies. Strong policies allow an organization starting from zero, to lay a foundation upon which you can continuously build. 

The expectation of not even being able to begin because there is no good starting point may be true to some degree. With proper expertise and the tools for success, compliance can be just like any other task in life – one step at a time. 

2. Time-suck for my team

This is probably one of the most common misconceptions when conducting an audit. In short, an audit is an added project that will require resources and time to complete. However, it is important to understand how to manage resources and time best, so it doesn’t burden the team. I have two keys to success that I’ve repeatedly reminded my customers of

• Distribution of responsibilities. It is commonly misunderstood that seeking a compliance certification falls solely on the technical team. While a significant number of controls are technical, many are also operational. This means that individuals on different teams can handle the completion of requirements with the appropriate assignment of tasks. Sharing the work across different teams further promotes responsibility and accountability for the control design and implementation process.
• Organization and project management There are many moving parts when it comes to an audit, especially in the first year, so having a project plan and path to success is key. Even if you don’t have a specific date for the completion of a certification, it is always prudent to set a realistic target. This helps keep the momentum on completing tasks and progress towards overall audit goals. It also helps ensure that certain audit components, such as periodic or annual requirements, don’t fall behind or out of schedule.

I fondly tell ecstatic customers once complete with their audits that I understand they have day jobs, and compliance was just a side hustle. With the jokes aside, undertaking another project when there is already so much going on at the organization can feel daunting. Spreading the responsibility and keeping close tabs on the project helps ensure success.

3. One-and-done

While many prospects may wish that pursuing an audit was only a one-time thing, many learn quickly it, unfortunately, is an annual endeavor. The expectation that you can crush through the work and bang out an audit only once is sadly not true. However, prospects don’t often know that not every audit year is the same.This is one of the reasons I encourage all my customers to work toward an audit sooner rather than later. It allows an organization to be:

1. thoughtful in their design and implementation of controls, 
2. work more calmly and diligently on tasks, 
3. and build scalable practices that won’t need to be redone every year

Start Now

Approaching any new project, especially with foreign subject matter, can be intimidating. But, it doesn’t have to be! There are key ways that you can be successful in your first year of audit, but the one key takeaway I have for all inquiring prospects is to simply start. Start having the conversations, start implementing best practices, and start thinking about what your future of compliance looks like. There is never a ‘too early’ when it comes to compliance, but I’ve definitely seen situations of ‘too late’! 

Myth-busting Solution

If you are a first year audit seeker feeling overwhelmed by the complexities of it all, consider the experts at Thoropass to guide you through the process from beginning to end. With our hands-on support model, efficient certification process, and automated workflow audits, Thoropass makes staying within compliance as straightforward as possible. Speak to a member of our team today to learn more.

Recommended for You

Never miss a moment of Cristina’s Compliance Corner

Catch every episode and subscribe to be the first to know about upcoming episodes and the latest insights from Cristina.

Subscribe to the series