Disclosure: ByteChek approached us and asked if we wanted to collaborate on content creation. We wrote this article and will be joining them for a LinkedIn Live discussion about SOC 2 compliance.
Compliance is never easy, but there’s no shortage of vendors trying to make it easier these days.
ByteChek is another SOC 2 compliance software vendor, but its offering differs from the rest of the market in one important way. The other vendors provide a SaaS platform, and their customers still have to engage an unaffiliated auditing firm to actually complete the audit. ByteChek breaks from this norm by bundling the SOC 2 SaaS platform and the SOC 2 audit itself under a single fee.
It works like this: a company looking to get compliant signs up with ByteChek (the SaaS company). The company then uses ByteChek’s software much as it would any other vendor’s: create and edit policies, connect services and upload data, self-check for evidence. When it’s audit time, ByteChek Assurance, a separate and independently owned CPA firm, serves as the auditor.
“For the customers, they sign up for the tool, work with the tool. And as a result of using the tool, they get the report,” said AJ Yawn, CEO and founder of ByteChek.
While this two-company, one-umbrella approach is new to the SOC 2 compliance software space, it’s nothing new in the world of SOC 2 compliance generally, or in the wider accounting world. “I’d like to take credit for this unique thing, but this is common in the industry,” said Yawn, who is also a former Coalfire employee. Coalfire and A-LIGN are two enterprise-tier cybersecurity and IT services companies. Both provide consulting services that help large organizations build cybersecurity programs and get compliant, and both have affiliated but legally separate CPA firms: Coalfire Controls and A-LIGN Assurance. This is what lets them offer the “SOC 2 under one roof” experience that ByteChek is aiming for. The distinction between ByteChek (the SaaS company) and ByteChek Assurance (the CPA firm), Coalfire (the consulting company) and Coalfire Controls (the CPA firm), and A-LIGN (the consulting company) and A-LIGN Assurance (the CPA firm) matters, because an external audit is meant to be an independent review of a company’s work. Auditor independence is critical to the quality of that audit. The consultant-and-auditor-under-one-roof arrangement has produced thousands of successful audits, but it has also gone spectacularly wrong in the past.
The infamous Enron scandal was at least partly the result of the conflict of interest created when Arthur Andersen, Enron’s accounting firm, provided both consulting and auditing services to the doomed company. Arthur Andersen billed Enron over $50 million in services in a single year – about 27% of the accounting firm’s total revenue in Houston.
There are, however, major differences between that situation and the business these cybersecurity firms do.
Coalfire and A-LIGN collectively issue thousands of SOC 2 reports every year, and ByteChek, though a new player, is aiming to do the same. These consulting and audit contracts tend to fall in the tens-of-thousands to hundreds-of-thousands-of-dollars range rather than tens of millions, so each client accounts for only a small percentage of a firm’s business.
That comparatively small reward per contract is not worth the existential risk a scandal would pose. If a client wants to cut corners, it is far easier for these firms to simply end the contract.
Additionally, the American Institute of Certified Public Accountants (AICPA), which also sets the standards for SOC reports, provides guidance on using the work of an auditor’s specialist.
The AICPA says the following about specialists and audit evidence:
The auditor has sole responsibility for the audit opinion expressed, and that responsibility is not reduced by the auditor’s use of the work of an auditor’s specialist. Nonetheless, if the auditor using the work of an auditor’s specialist, having followed this section, concludes that the work of that specialist is adequate for the auditor’s purposes, the auditor may accept that specialist’s findings or conclusions in the specialist’s field as appropriate audit evidence. (AU-C 620.03)
Auditor’s specialist – An individual or organization possessing expertise in a field other than accounting or auditing, whose work in that field is used by the auditor to assist the auditor in obtaining sufficient appropriate audit evidence. An auditor’s specialist may be either an auditor’s internal specialist (who is a partner or staff, including temporary staff, of the auditor’s firm or a network firm) or an auditor’s external specialist. (AU-C 620.06)
In plain English, the AICPA is saying:
The auditor is responsible for what the SOC 2 report says, but auditors may rely on specialists to gather evidence. A specialist may be on the audit firm’s own staff, at a network firm affiliated with the audit firm, or at a completely unrelated firm.
Ultimately, these provisions do allow for the type of relationship that ByteChek, Coalfire, and A-LIGN operate under.
Yawn is a retired U.S. Army Captain. After six years of military service, he landed his first civilian job at Coalfire, where he worked his way up to principal. His experience at Coalfire now guides the direction of ByteChek.
AJ Yawn, Founder and CEO of ByteChek
“I saw the full lifecycle of what went into the audit and saw what customers look for when going into audits,” said Yawn. “I realized they don’t like them, they don’t like the experience … I realized at Coalfire there’s some fat we can trim, and I also realized we can use software to automate things.”
On the software and automation side, ByteChek is particularly focused on continuously monitoring SOC 2 readiness. Each control is mapped by ID to the corresponding SOC 2 control and is given three status boxes: Self Assessment, ByteChek Engine, and Auditor Status. The Self Assessment and Auditor Status boxes are conventional – each party checks off what it has done for the control. The ByteChek Engine is what’s different: it is a machine learning component built into the product that assesses whether a control is pending, in service, or out of compliance.
Once a customer reaches about 80% SOC 2 readiness, they meet with ByteChek Assurance to begin the audit. All evidence is submitted and reviewed through the ByteChek platform, much as most other SOC 2 compliance software vendors provide built-in audit workflows.
If you’re using a SOC 2 compliance software vendor, it is also important to select an auditor that is comfortable working in that platform. Many of the vendors covered in our white paper have partnerships with several auditing companies and will refer customers to auditors that know their software. Yawn believes it’s better to get a SOC 2 done with one vendor relationship and one fee instead of two. “I saw a gap. There’s no one out there that has founded a company that knows it from both sides, auditor and customer,” said Yawn. “I’m looking at it from both sides, you can’t automate compliance without understanding both sides.”
In March 2021, ByteChek was selected for the AICPA’s Startup Accelerator program and received $25,000 in funding. Yawn founded ByteChek in 2020, and the company currently has about nine employees.
Stay tuned for a LinkedIn Live discussion between AJ Yawn and Fractional CISO’s founder, Rob Black!
Want to get great cybersecurity content delivered to your inbox? Click here to sign up for our monthly newsletter, Tales from the Click.