Guide
SOC 2® Cost Savings Quantified
How Hyperproof used our own platform to save 205 hours and $20,500 for our SOC 2® Type I and Type II reports
Overview of SOC 2®
A SOC 2® report is an important asset for organizations to obtain, and it’s becoming more of a mandate than a nice-to-have. Developed by the American Institute of CPAs (AICPA), a SOC 2® report provides insight into the internal controls that exist within an organization to address risks related to security, availability, processing integrity, confidentiality, and/or privacy. The report is independently validated by a CPA and uses specific criteria, methodology, and expectations that enable consistent comparison across organizations. Before a SOC 2® report is issued, an independent CPA conducts an assessment of the scope, design, and (for Type II reports) the operating effectiveness of internal control processes. Hyperproof is compliance operation software that helps organizations complete SOC 2® Type I and Type II reports faster and more cost effectively.
SOC 2® Type I
A SOC 2® Type I examination evaluates controls at a point in time. The design of the controls is assessed and their implementation is confirmed, but consistent performance over time is not evaluated in a Type I report. If an organization is new to SOC 2®, obtaining a SOC 2® Type I report is the first step.
ACTIVITY SEQUENCE | OBSTACLES | HOW HYPERPROOF EXPEDITES THE PROCESS |
---|---|---|
Design controls to address risks related to security, availability, processing integrity, confidentiality, and/or privacy. | Lack of SOC 2® expertise. | Hyperproof’s out-of-the-box SOC 2® Type I template comes with requirements and illustrative controls that provide the information you need to get started quickly and seamlessly. |
Implement controls | Lack of security and compliance expertise. | Hyperproof seamlessly scales a common control set across your organization’s multiple products to minimize control redundancy. Automate many controls and orchestrate the rest, making it easy for employees to complete their compliance tasks in tools they already use. Leverage 100+ out-of-the-box control templates, including a detailed SOC 2® Type I template, to add new frameworks quickly and easily. With Hyperproof, you can even map controls across frameworks and assign control owners to product lines, entities, geographies, or specific groups. |
Gathering evidence for the audit (Type I) | Spreadsheets, emails, file storage solutions, and ticketing systems make for a clunky solution. No visibility into progress. | Hyperproof allows you to: 1. Assign evidence collection tasks to team members (on controls or on Labels). 2. Link evidence to one control or multiple controls with Labels. 3. Keep evidence organized with Labels. 4. Live sync the latest files from cloud-based storage systems into Hyperproof. 5. Use Tasks, Comments, Mentions, and the Activity Feed to keep people in sync on work that needs to be done and get status updates. 6. Configure a dashboard to keep track of progress and work that needs to be done. |
Internal testing to validate control performance | Takes a long time to gather data needed to validate control performance. | Hyperproof ensures your standards are maintained across your organization by automating workflows to test control validity, hold control owners accountable, and remediate issues. Unique to Hyperproof, our no-code automation workflows allow your operators to design efficient and repeatable processes. |
Interact with auditors during an audit | Information presented to the auditor is incomplete, mislabeled, or disorganized, prompting follow-ups. | Invite your auditor to work alongside your team in Hyperproof’s dedicated audit space to make information sharing easy while ensuring they only have access to what they need. This reduces the number of exchanges your team needs to have with their auditor and streamlines the audit process so you don’t have to jump between platforms to communicate, view evidence, and upload new files. |
SOC 2® Type II
A SOC 2® Type II examination covers the operating effectiveness of controls over a specific time, such as a six- to 12-month period. A SOC 2® Type II report is a higher bar than a Type I because in addition to evaluating the design and implementation of control processes, it also assesses whether the controls were consistently performed throughout the specified period. This provides a greater level of confidence in the effectiveness of control processes for customers and business partners.
ACTIVITY SEQUENCE | OBSTACLES | HOW HYPERPROOF EXPEDITES THE PROCESS |
---|---|---|
Managing control owners | 1. Lack of clarity on who is responsible for a control. 2. No single place to keep track of who does what and assign tasks. | Hyperproof allows you to: 1. Assign/re-assign control owners, set due dates and auto-reminders. 2. Use Tasks, Comments, Mentions, and the Activity Feed to keep people in sync about work that needs to be done and status updates. |
Collecting evidence | 1. Spreadsheets, emails, file storage solutions, and ticketing systems make for a clunky solution. 2. No visibility into progress. 3. Manually reminding people to submit evidence is time consuming. | Hyperproof allows you to: 1. Automatically keep evidence up to date with native integrations, Hypersyncs, a live data sync through Zapier, and an API for developers. 2. Automate reminders for control owners to provide fresh evidence as needed. 3. Assign tasks to individuals or teams and leverage our native integration with Jira. 4. Use Comments, Mentions, and the Activity Feed to keep people in sync on work that needs to be done and status updates. 5. Use our built-in dashboards and drill-down reports to keep track of progress and work that needs to be done. |
Internal control testing | Takes a long time to gather data needed to validate control performance. | Hyperproof ensures your standards are maintained across your organization by automating workflows to test control validity, hold control owners accountable, and remediate issues. Unique to Hyperproof, our no-code automation workflows allow your operators to design efficient and repeatable processes. |
Interacting with auditors during an audit | Information presented to the auditor is incomplete, mislabeled, or disorganized, prompting follow-ups. | Invite your auditor to work alongside your team in Hyperproof’s dedicated audit space to make information sharing easy while ensuring they only have access to what they need. This reduces the number of exchanges your team needs to have with their auditor and streamlines the audit process so you don’t have to jump between platforms to communicate, view evidence, and upload new files. |
How much time Hyperproof spent on our internal SOC 2® process
Hyperproof’s founder and CEO, Craig Unger, led the charge on Hyperproof’s internal SOC 2® compliance effort in 2019 and 2020. Prior to Hyperproof, Craig had co-founded Azuqua and also led their internal SOC 2® compliance effort while he served as the CTO.
There are two key similarities between the two experiences: Both companies had roughly the same number of personnel when they began the SOC 2® process and both are B2B SaaS companies selling software to highly security-conscious customers.
But there were a couple of major differences as well. For one, at Hyperproof, Craig served as both the compliance project lead and the system administrator overseeing multiple HR systems that fell under the scope of the SOC 2® audits. At Azuqua, there was a separate individual who was the administrator of HR systems.
Second, at Azuqua, the compliance team used spreadsheets, emails, and cloud-based file storage systems to manage the SOC 2® process. For Hyperproof’s SOC 2® audits, Craig utilized the company’s flagship compliance operation software to expedite the process.
Time savings quantified
297 total hours spent on SOC 2® Type I and Type II at Azuqua*
112 total hours on SOC 2® Type I and Type II at Hyperproof, using Hyperproof*
205 total hours saved on SOC 2® Type I and Type II
across four activity types: control design; evidence collection; interacting with auditor during the audit; and managing control owners
*not counting control implementation or internal control testing
In other words: Hyperproof reduced total time spent by 69% and saved $20,500*
*assuming a $100 hourly rate
Time taken to achieve a SOC 2® Type I report
ACTION | AZUQUA | HYPERPROOF | TIME SAVINGS WITH HYPERPROOF |
---|---|---|---|
Design controls | 40 hours | 12 hours | 28 hours |
Implement controls | Fire-drill mode before audit | Smooth, incremental process | Hard to quantify, not counted |
Gathering evidence for the audit (Type I) | 60 hours | 20 hours | 40 hours |
Internal testing – validating control performance | N/A | N/A | Hard to quantify, not counted |
Interacting with auditors during an audit | 45 hours | 30 hours | 15 hours |
Total hours | 145 hours | 62 hours | 83 hours |
Time taken to achieve a SOC 2® Type II report
ACTION | AZUQUA | HYPERPROOF | TIME SAVINGS WITH HYPERPROOF |
---|---|---|---|
Manage control owners | 6-8 hours | 3 hours | 4 hours |
Gathering evidence for the audit (Type II) | 100 hours | 32 hours | 68 hours |
Internal testing – validating control performance | N/A | N/A | Hard to quantify, not counted |
Interacting with auditors during an audit | 40-50 hours | 15 to 20 hours | 30 hours |
Total hours | 152 hours | 50 hours | 102 hours |