Thoropass & the OrO Way: The origin story of why we’re fixing audits

Eva Pittas, Austin Ogilvie, and I founded Thoropass to ensure compliance is never a blocker to innovation by addressing the significant pain points felt by technology leaders when it comes to information security compliance and IT audit.

If you’ve ever experienced an information security audit done the “old” way, you know the pain and frustration that comes with traditional audit’s outdated approach and inadequate digital solutions. Trust me, I feel you. I feel you because I am you. I have first-hand experience with the business impact a subpar audit process can have—not only on your blood pressure but also on your business’s bottom line.

My journey as an entrepreneur unveiled an urgent and growing need in the world of B2B SaaS for a better way of managing compliance and doing audits. This light bulb moment ultimately led to the launch of Laika (now Thoropass) and the development of the OrO™ Way, a revolutionary compliance and audit solution for technology businesses.

My Entrepreneurial Journey

My entrepreneurial journey began in 2016, after business school, where I launched my first company—Zinc Platform, in the InsurTech space. We even had the privilege of going through Y Combinator and raised a seed round from renowned venture investors. 

But, as many entrepreneurs will tell you, the road to success is often paved with failures and lessons learned, and that first venture ultimately did not succeed. While the disappointment stung, I couldn’t help but view it as a valuable learning experience.

During this rollercoaster ride of entrepreneurship, I stumbled upon a significant pain point that would eventually shape the future of Thoropass: information security compliance and IT audit. 

My goal today with Thoropass is to help other founders and tech leaders avoid learning this lesson the hard way—as I did at Zinc. Whether you have yet to embark on your compliance journey or already have an established compliance program that you have to maintain and scale, you don’t have to (nor should you) tackle this task alone while simultaneously trying to grow your business.

Discovering the Compliance Conundrum

Building a robust compliance program is a crucial part of running a successful organization, but the way there can be a time-consuming and daunting process, not to mention one that can make or break a young company. 

When I launched Zinc Platform, we were going through the procurement process with a large insurance provider. They were asking us all kinds of questions we didn’t have or know the answers to. We were a 15-person startup then; we didn’t have the headcount for that. We knew we needed a SOC 2 report, and fast. 

I turned to Google to find an auditor. Let me tell you, I learned the hard way that not all auditors are created equal. Like many traditional auditors, they weren’t cloud-native, and they relied on an Excel tracker and emails for communication. Plus, we had to manually enter all monitors and controls and write our policies from scratch. I only had five engineers at the time—we needed all hands on deck to create revenue-generating code, not to take screenshots for our SOC 2 audit.

Traditional Audits: A Source of Frustration

Sadly, my story isn’t a unique one. The traditional way IT audits are done is a headache felt by many. Whether it’s the cumbersome process of selecting the auditor, manual evidence collection, or taking valuable time out of your day to evaluate various vendors with variable pricing structures—it’s like a never-ending maze of paperwork and decision-making.

Slow and Outdated Audit Processes & Tools

Traditional IT auditors don’t operate at the pace required and expected by high-growth technology companies. They cling to outdated tools like SharePoint and Excel spreadsheets, and rely heavily on email for communication, which means that mistakes are all too common. IT audit has very specialized workflow and communication patterns that off-the-shelf productivity tools cannot provide. 

Interpretation of Compliance Standards

Compliance standards are often written in a way that allows for interpretation—and for good reasons because every business and tech stack is different. However, this means that each auditor might have their own take on what these standards entail. Such discrepancies lead to confusion for compliance managers and entrepreneurs attempting to navigate the audit process efficiently. Too many “it depends” with no clear rationales besides “this is how it was done before here.”

Managing Multiple Auditors and Vendors

The process of selecting and managing auditors can be time-consuming, including making sense of and dealing with separate billing structures, working with separate auditors for different compliance frameworks, and endless paperwork. This complexity adds an unnecessary layer of work for entrepreneurs already juggling multiple responsibilities or risk managers who would rather spend their time on strategy and the technical side of security.

For all these reasons (and more), it was clear that the traditional audit tools and processes no longer served modern technology businesses that play in the Cloud. The process was broken, and a solution was desperately needed. So, Eva, Austin, and I made it our next entrepreneurial mission to build one.

The Genesis of Laika, Thoropass, and the OrO Way

Recognizing these significant pain points, my co-founders and I saw an opportunity to help solve this growing pain point for tech leaders. Thoropass (then Laika) was born in 2019!

We had the vision to build a robust solution to serve as the single source of truth for organizations’ compliance program, empowered by SaaS integrations for evidence collection, security operation workflows, and data room and security questionnaire tools for our customers to demonstrate their compliance posture. The “Carta” and “TurboTax” of infosec compliance, as we liked to call it.

However, we soon realized that focusing only on “readiness” is not enough. The audit process that follows remained a point of frustration for our customers. Without a seamless solution that marries what we had built with the auditor’s workflow, we couldn’t solve the problems highlighted above and fix the infosec audit.

Here’s where it gets exciting.

Eva, Austin, and I made a bold decision: we went out of our way to integrate audits organically into the Thoropass experience, giving birth to what we now proudly call the OrO™ Way. This revolutionary approach tackles three significant challenges head-on:

  1. Trustworthy Monitoring: With Thoropass, we ensure that all monitors and controls are audited and approved by the auditors themselves. This means that data collected from third-party tools can be trusted wholly and directly in the audit process, eliminating the need for additional evidence submission and endless communication loops. Businesses can finally trust their auto-collected evidence results at face value.
  2. Collaboration: The OrO Way allows auditors and clients to collaborate seamlessly within the platform. Clients can tag auditors, leave comments, and receive feedback related to the evidence they submit. This streamlines communication, improves the overall audit experience, and reduces back-and-forth email exchanges, facilitating real-time discussions.
  3. One Audit, Multiple Reports: Thoropass was designed to handle multiple compliance frameworks, making it ideal for companies subject to different compliance standards. Instead of undergoing separate audits for each framework, Thoropass enables one audit to produce multiple reports, saving precious time and valuable resources. No longer will companies pursuing compliance with multiple frameworks spend their entire year “in audit.” With the OrO Way, you go through one audit a year and receive the reports and attestations required to do business.

The OrO Way for companies large and small

The impact of the OrO Way extends across the entire spectrum of businesses and industries, from startups to enterprises. 

For startups and smaller companies, adopting Thoropass early in their journey means a more efficient compliance process. They can focus on essential tasks like product development and growth while simultaneously building a solid security and compliance foundation from the outset. The OrO Way streamlines the end-to-end experience and frees you from the complexities of traditional audits.

Large corporations also stand to benefit significantly from experiencing audits the OrO Way. They deal with the same challenges as their smaller counterparts, but on a much larger scale: they often have larger employee bases to train and more frameworks to maintain.

Collaboration becomes even more important for larger companies and enterprises, and the OrO Way provides a single source of truth for multiple stakeholders to stay informed in real time. For large companies with more integrations and larger swathes of data, Thoropass streamlines integration and collection, making audits faster and more cost-effective, resulting in higher-quality audits delivered in less time and at a lower cost.

A quick note on auditor transparency and independence

What sets the OrO Way apart is our in-house auditors. Not only are they experienced in working with technology companies, but they have also reviewed and approved the monitors, controls, and policy templates used in the readiness process.

This transparency is not to be confused with a lack of independence. Rest assured, we maintain a strict policy that ensures independence between our auditors and the software product team. This policy is at the core of our commitment to delivering the highest level of quality in our audit reports. Audit reports that are requested and accepted by many Fortune 100 companies.

Final thoughts

Thoropass and the OrO Way represent a seismic shift in the world of compliance and audits. My entrepreneurial journey, my and my co-founders’ unique experience and expertise, and our unwavering commitment to solving the pain points of compliance have culminated in creating the OrO Way—a first-of-its-kind, truly end-to-end compliance and audit solution that represents the future of audits. 

By incorporating audits into the compliance process, Thoropass has paved the way for a more efficient, transparent, seamless, and cost-effective approach to compliance and security in the modern business landscape.

