Setting the record straight on independence
December 21, 2023
Eva Pittas

Let’s start with a truism: you can’t build a compliance company without using industry-valued standards as the foundation. Since co-founding Thoropass in 2019, my colleagues and I have lived by that truism, putting ethical and best-practice considerations at the heart of everything we do, starting with time-saving software paired with audits performed by independent auditors operating in-house. This approach, the first of its kind in our industry, paved the way for what we like to call The OrO Way of doing business. It also places the highest professional standards at the cornerstone of our business.

We are proud to have our customers’ audit reports accepted by every industry, including players in the Fortune 50. The reports we prepare for customers are clear, error-free, and the product of decades of experience across our audit team. The universal acceptance of Thoropass audit reports is both the foundation for, and evidence of, our success.

Yet the concept of “independence” continues to come up in conversations with potential customers despite four years of exceptionless transparency and success. Why? Is it because our approach is controversial? Is it because we’re hiding failures, or shying away from scrutiny? The answer to these questions is a simple “no.” We’re proud of our innovative approach and have made our process public in a way that welcomes any and all questions people may have. The simple answer as to why this question comes up is that some of our competitors have made the term “independence” itself (and our application of it) seem more subjective than it actually is.
The fact that these competitors don’t have in-house auditors (and instead pass customers off to third-party auditors who have business deals with the referring company) tells you most of what you need to know about why they’re raising this doubt as a competitive tool in the first place. However, we’re only too happy to use it as an opportunity to explain our stance again, show our proof, and convince any and all readers why we believe we fixed audits.

The aim of this article, then, is to better educate consumers on exactly how we maintain the high quality standards that a term like independence stands for. Whether you’re interested in compliance, audits, or our rebuttals to incorrect competitor volleys, defining a key term at the heart of one’s business is something every leader should do, especially as they strive to grow and innovate while staying true to their core mission. As for us, it’s one thing to tell people we’re independent, but we believe it’s easier to show you.

Defining independence

Recently, our company released a detailed statement on independence, citing direct language from some of the biggest standard-bearers in the industry, including the American Institute of Certified Public Accountants (AICPA) and HITRUST. Far from simply copying and pasting their language, we continually take the time to unpack it, educate consumers on the intent behind it, and demonstrate how we apply it to our technology, people practices, and processes. Defining independence, it turns out, is not as subjective as some would have you believe.

At its core, independence is about keeping things separate. For our auditors, this means clearly separating their independent, objective auditing duties from the evidence collection that our software helps with and from the implementation of controls, which the customer owns. It’s truly that simple.
It’s also in line with the clear guidelines in the AICPA Code of Professional Conduct, where independence is broken into two parts:

Independence of mind is the state of mind that permits a member to perform an attest service without being affected by influences that compromise professional judgment, thereby allowing an individual to act with integrity and exercise objectivity and professional skepticism.

Independence in appearance is the avoidance of circumstances that would cause a reasonable and informed third party who has knowledge of all relevant information, including the safeguards applied, to reasonably conclude that the integrity, objectivity, or professional skepticism of a firm or member of the attest engagement team is compromised.

Unsurprisingly, AICPA’s definition of independence comes back to this idea of separation, both from internal motivations and from external processes. Granted, the former is harder to demonstrate outwardly, but both are clearly bound by lines between auditor and customer. In a pen-and-paper world this was simple enough, but just as fewer Americans do their taxes by hand, fewer companies are seeking compliance in these old ways.

Technology meets independence

Although Thoropass is an integrated platform (which is what makes it so efficient), it keeps customer data and customer-authorized auditor data behind separate firewalls, and we maintain clear separations between technology, customers, and auditors. And while we proudly advertise ourselves as all-in-one, closed-loop, and in-house, it turns out it’s not hard to maintain independence while still reducing friction for customers. Here’s how:

Our technology is directly informed by our experts. Everything from the integrations we offer to which controls we feature is auditor-approved as effective and efficient for customers looking to achieve compliance. While our process is customizable, our experts ensure that customers only go down relevant paths that will save them time and keep them safe.

Once a customer begins a compliance journey, they are in sole control of how they use our technology. Both our technology (winner of multiple G2 Usability awards) and our processes work to simplify and articulate the requirements of compliance in a straightforward manner. But it’s our customers who are required to implement, design, and operate their information security programs once they’ve been set up. Our customer success managers guide and assist customers throughout the journey, but our auditors never have access to our customers’ application and, in fact, can only see evidence that the customer explicitly releases and approves to be tested and reviewed at the time of audit.

Our people and processes are kept in distinct, separate roles as a compliance journey plays out, too. Like the Big Four audit firms (and many competitors in our space), we introduce our auditors to our customers at the beginning of the engagement. They provide education, tips, and assurance for the work ahead, but once this introduction is over, they are separated from the work our customers perform on our platform.

It seems pretty simple and straightforward, no? AICPA’s insistence on separation of customer and auditor is a line in the sand that we never cross under any circumstances. In fact, the separation is baked into our entire process.

One could further argue that software companies that over-rely on automation, and then pass those automated results off to a third-party auditor, are putting their customers at undue risk. The AICPA recently released new guidelines about auditors avoiding blindly trusting data imported through automation without satisfactory oversight. At Thoropass, even though we use automation to help customers get to audit faster, we ensure that our auditors follow these guidelines.
We recently added processing integrity to our own Thoropass SOC 2 audit report and had a third-party auditor test controls related to our integration and data-collection services, to ensure our technology pulls complete, accurate, and timely data into the Thoropass platform. Having in-house automation and auditors, and then adding this extra layer of assurance, creates even more certainty in the process and in the eventual audit report.

Why the questions persist

Still, we’ve increasingly heard FUD (fear, uncertainty, and doubt) raised in the past year by actors who doubt independence can exist in this streamlined way. They hide behind a copy-and-paste version of an “independence means completely separate” argument. What we find particularly ironic in such unfounded attacks is that these same actors would have you believe that using separate software and auditing services is more efficient (or safer!) than having them streamlined. According to this myopic approach, collecting compliance evidence on one platform and then passing it off to a (vetted? compensated?) third-party auditor is somehow more independent and secure, even though that third-party auditor is a regular, approved vendor of the software creator. For better or worse, many of these third-party auditors, through no fault of their own, are entirely dependent on certain software platforms for their livelihood. To us, and to anyone using industry standards as a guide, this scenario seems even less independent than the one we’ve successfully leveraged for hundreds of customers to date.

However, we have no interest in questioning others’ independence beyond wishing that everyone within our space continues to uphold the independence and industry standards that bind us all together. For now, we’re looking to save companies time and resources, and to ensure that their information security is held to the highest standards, with as little friction as possible.
That’s our OrO Way, and while it’s frustrating at times to hear falsehoods raised on behalf of our competitors, it’s also our surest sign that our approach is working: as each new customer is audited and each new report is accepted by the top companies in the world, we’re showing anyone watching how to innovate without compromising standards in a traditional space.