Bruce Edwards is Thoropass’s Senior Manager of PCI Assurance. He has over 14 years of experience.
The current version of the Payment Card Industry Data Security Standard (PCI DSS), v3.2.1, will be retired on March 31, 2024. From April 1, 2024, assessments must be performed against v4.0, so an organization's effective deadline is the date of its next assessment. Most of the new v4.0 requirements are future-dated: they are considered best practice until March 31, 2025, after which they become mandatory. The latest version features new requirements and updates to keep pace with the rapidly evolving digital payment ecosystem.
What does this mean for your organization? And what, if anything, do you need to do to remain compliant in the coming year?
First, as Thoropass says: “Relax. We fixed audits.” We’ve previously covered this announcement and have many support documents to help you through the process, whether you’re new to PCI or working to maintain full compliance.
Second, there are specific things that you need to know, and to do, ahead of the deadline. I list them here, but I also encourage you to visit the PCI Security Standards Council's page on the changes to make sure that you and your organization are fully aware of what is pending.
PCI DSS v4.0 was published two years ago, in March 2022, and the two versions have coexisted since then. The March 31, 2024 date simply marks the last day on which an assessment can be performed against v3.2.1. From April 1, 2024 onward, every assessment is against v4.0, so if your organization's annual assessment falls after that date (for example, July 1, 2024), it will be assessed against v4.0 at that point. The future-dated requirements that v4.0 introduces remain best practice until March 31, 2025, when they become mandatory; that is the extra year most organizations have to complete the transition.
At its heart, v4.0 brings two significant changes: 64 new requirements, and the customized approach, which lets an organization meet a requirement's stated objective with controls of its own design (validated by the assessor) instead of following the defined approach. The net result is a more up-to-date and more robust approach to protecting cardholder data, especially as mobile and online payments continue their rise in prominence.
In terms of specific updates in the latest version, PCI v 4.0 addresses:
While there are dozens of changes throughout the new version, nearly all of them are designed to streamline adoption and maintenance while also providing additional protection for cardholder data and the companies that handle it.
What you need to do about v 4.0 depends on whether or not your organization is already on v 3.2.1. However, regardless of an organization’s current PCI DSS compliance, the following steps are a good place to start:
As a Qualified Security Assessor Company (QSAC), Thoropass can walk both current and new PCI DSS users through the upgrade process, from scoping through auditing and ongoing maintenance. The easiest way to ensure compliance is to talk with a compliance expert, and the best time to do that is before the March 31 deadline, so that you are ready before the changes take effect.
From Thoropass co-founders Sam Li and Eva Pittas:
Thoropass was founded nearly five years ago on the principle that true compliance innovation would only be served by seamlessly providing infosec compliance automation and high quality audit capability together as a single, simplified platform.
The proof of this approach is in the numbers: thousands of high quality audit reports universally accepted by members of the Fortune 500; approval and support by the highest governing bodies in compliance including AICPA, HITRUST, ISO, PCI etc.; hundreds of satisfied customers; and an immeasurable number of hours saved.
All of this was done in house, and all of it was accomplished while increasing quality.
Over the same time, numerous vendors have arrived in the market attempting to create rapid scale through low-cost offerings. Meanwhile, some of the established players have looked to expand the number of outsourced service partners under the guise of offering more choice, with little regard for increasing quality.
We’ve stayed true to our mission.
An audit report from Thoropass commands respect and builds trust between businesses. We know this because of our commitment to unparalleled internal standards, and because our customers tell us, both as they maintain compliance and expand into new frameworks. The quality of our audits translates directly into the velocity of their business growth.
But we also know this because of the organizations who seek us out after receiving sub-par service and reports elsewhere. Unfortunately, they know what a lack of quality looks like:
Thoropass customers have none of these concerns for one very simple reason: our AI-infused automation technology is built and approved by auditors, and our auditors work with clients to scope their audits and ensure audit reports that are of the highest quality and acceptance rate in our industry.
Our deep intersection between compliance automation and audit technology is unmatched. And while other compliance vendors will tout the tooling they provide to support the audit process, or other audit firms will tout their connection to the compliance tools, the fact remains that these will always be disparate systems with different goals and different motivations. No matter how integrated, they will always be separate.
With separation come gaps that–as we’ve unfortunately seen–can quickly fill with unpredictable problems reflected in inferior compliance processes and audits.
We are proud to lead the industry forward as we enter a new, ever more complex operating environment. Our customers realize that compliance is no longer a check-the-box item that can be set on autopilot. They recognize that the quality of their audit provides a key point of differentiation. They understand the value of being continually “audit-ready” and adaptable as they engage new compliance frameworks, launch new products, and enter new markets.
We codified our integrated approach to compliance acceleration under the moniker “The OrO Way™” six months ago, but it has been five years in the making.
The interests of our customers and our mission are aligned. Our success is truly only measured by their success, which is one reason why we’re graduating beyond our previous mission of merely supporting innovation, and are now committed to being the world’s favorite compliance and audit solution.
To be a favorite comes with responsibility that we don’t take lightly. On top of being accessible and innovative, we are also duty-bound to set our customers up for success. To do so requires that we meticulously design and oversee every aspect of the compliance journey: from scoping and evidence collection to issuing the final audit report. Together we’ll build the future of compliance audits.
Let’s start with a truism: You can’t build a compliance company without using industry-valued standards as the foundation.
Since co-founding Thoropass in 2019, my colleagues and I have lived by that truism, putting ethical and best-practice considerations at the heart of everything we do, starting with providing time-saving software together with audits performed by independent auditors who work in-house. This approach, the first of its kind in our industry, paved the way for what we like to call The OrO Way of doing business.
It also places the highest professional standards at the cornerstone of our business.
We are proud to have our customers’ audit reports accepted by every industry, including players in the Fortune 50. The reports we prepare for customers are clear, error-free, and the product of decades’ worth of experience across our audit team. The universal acceptance of Thoropass audit reports is both the foundation for, and evidence of, our success.
Yet the concept of “independence” continues to come up in conversations with potential customers despite four years of exceptionless transparency and success.
Why? Is it because our approach is controversial? Is it because we’re hiding failures, or are shying away from scrutiny? The answer to these questions is a simple “no.” We’re proud of our innovative approach and have made our process public in a way that welcomes any and all questions people may have.
The simple answer as to why this question comes up is that some of our competitors have made the term “independence” itself (and our application of it) seem more subjective than it actually is.
The fact that these competitors don’t have in-house auditors (and instead pass customers off to third-party auditors who have business deals with the referring company) tells you most of what you need to know as to why they’re raising this doubt as a competitive tool to begin with.
However, we’re only too happy to use it as an opportunity to again explain our stance, show our proof, and convince any and all readers why we believe we fixed audits. The aim of this article, then, is to better educate consumers on exactly how we maintain the high quality standards that a term like independence stands for.
Whether you’re interested in compliance, audits, or our rebuttals to incorrect competitor volleys, defining a key term at the heart of one’s business is something every leader should do, especially as they strive to grow and innovate while staying true to their core mission.
As for us, it’s one thing for us to tell people we’re independent, but we believe it’s easier for us to show you.
Defining independence
Recently, our company released a detailed statement on independence, citing direct language from some of the biggest standard-bearers in the industry, including the American Institute of Certified Public Accountants (AICPA) and HITRUST. Far from simply cutting and pasting their language, we continuously take the time to unpack it, educate consumers on the intent behind it, and demonstrate how we apply it to our technology, people practices, and processes.
Defining independence, it turns out, is not as subjective as some would have you believe.
For example, independence is about keeping things separate. For our auditors, this means clearly separating their independent, objective auditing duties from the evidence collection that our software helps with, and the implementation of controls that the customer tends to. It’s truly that simple.
It’s also in line with the clear guidelines that the AICPA Code of Conduct provides, where independence is broken into two parts:
Again, not surprisingly AICPA’s definition of independence comes back to this idea of separation, both from internal motivations and external processes. Granted, the former is a bit more difficult to outwardly demonstrate, but both are clearly bound by lines between auditor and customer.
In a pen and paper world this was simple enough, but in the same way that fewer Americans do their taxes by hand, fewer companies are seeking compliance in these old ways.
Technology meets independence
Although Thoropass is an integrated platform (which is what enables a high degree of efficiency), firewalls separate customer data from the data a customer authorizes auditors to see, and we maintain clear separations between technology, customers, and auditors. And while we proudly advertise ourselves as all-in-one, closed-loop, and in-house, it turns out it’s not hard to maintain independence while still cutting down on friction for customers. Here’s how:
Our technology is directly informed by our experts. Everything from the integrations we offer to which controls to feature are auditor-approved to be effective and efficient for customers looking to achieve compliance. While our process is customizable, our experts ensure that customers are only going down relevant paths that will save them time and keep them safe.
Once a customer begins a compliance journey, they are in sole control of how they use our technology. Both our technology (winners of multiple G2 Usability awards) and processes work to simplify and articulate the requirements of compliance in a straightforward manner. But it’s our customers who are required to implement, design, and operate their information security programs once they’ve been set up.
Furthermore, our customer success managers guide and assist customers throughout the journey, but our auditors never have access to our customers’ application, and–in fact–can only see evidence that the customer explicitly releases and approves to be tested and reviewed at the time of audit.
Meanwhile, our people and processes are kept in distinct, separate roles as a compliance journey plays out, too. Like the Big Four auditors (and many competitors in our space), we introduce our auditors to our customers at the beginning of the engagement. They provide education, tips, and assurance for the work ahead, but once this introduction is over, they are separated from the work our customers perform on our platform.
It seems pretty simple and straightforward, no? AICPA’s insistence on separation of customer and auditor is a line in the sand that we never cross under any circumstances. In fact, the separation is baked into our entire process.
One could further argue that software companies who over-rely on automation, and then pass those automated results off to a third-party auditor, are putting their customers at undue risk. The AICPA recently released new guidelines about auditors avoiding blindly trusting data imported through automation without satisfactory oversight.
At Thoropass, even though we use automation to help customers get to audit faster, we ensure that our auditors follow these guidelines. We recently added processing integrity to our Thoropass SOC 2 audit reports, and had a third-party auditor test controls related to our integration and data collection services, to ensure our technology pulls complete, accurate, and timely data into the Thoropass platform. Having in-house automation and auditors, but adding this extra layer of assurance, creates even more certainty in the process and the product of the eventual audit report.
Why the questions persist
Still, we’ve increasingly heard FUD (fear, uncertainty, and doubt) raised in the past year by actors who doubt that independence can exist in this streamlined way. They hide behind a cut-and-paste version of an “independence means completely different” argument.
What we find particularly ironic in such unfounded attacks is that these same actors would have you believe that using separate software and auditing services is more efficient (or safe!) than having it streamlined. According to this myopic approach, collecting compliance evidence on one platform and then passing it off to a (vetted? compensated?) third-party auditor is somehow more independent and secure even though that third-party auditor is a regular, approved vendor of the software creator. For better or worse, many of these third-party auditors–through no fault of their own–are entirely dependent on certain software platforms for their livelihood.
To us, and to anyone using industry standards as a guide, this scenario seems even less independent than the one we’ve successfully leveraged for hundreds of customers to date.
However, we have no interest in questioning others’ independence beyond wishing that everyone within our space continues to uphold the independence and industry standards that bind us all together.
For now, we’re looking to save companies time and resources, and ensure that their information security is held to the highest standards, with as little friction as possible. That’s our OrO Way, and while it’s frustrating at times to hear falsehoods raised on behalf of our competitors, it’s also our surest way of knowing that our approach is working: as each new customer is audited and each new report is accepted by the top companies in the world, we’re showing anyone watching how you innovate without compromising standards in a traditional space.
Audits suck.
For everyone.
As the most important way to demonstrate compliance, audits are a necessary evil. Since its founding, Laika has been working to make the audit process easier for our customers, our compliance architects, and auditors.
We are thrilled to announce that Laika is offering an end-to-end audit experience directly through our platform, powered by our trusted audit partners.
Laika was born from an ambition to revolutionize the compliance space for growing startups. While Laika’s expert-built platform streamlines compliance implementation and demonstration to enterprises, we wanted to make lengthy, expensive audit processes a thing of the past.
In 2011, the AICPA introduced a SOC 2 audit report. This kicked off our current state of information security audits in the US. SOC 2 audits examine the security of service providers, including cloud technology and cutting-edge digital-based startups, but the process is maddeningly outdated.
Picture it: you’ve successfully implemented hundreds of controls to secure your business’ and customers’ data. It’s finally time to pass your evidence along to auditors, who you’ve spent endless hours interviewing since SOC 2 was just a glimmer in your eye.
The process begins with an auditor’s request list, typically between 80 and 120 requests. This kicks off a manual process of gathering information, taking screenshots of system settings, and organizing and sharing evidence. Inevitably, auditors will have additional questions (some of which won’t even apply to your business) and need more documentation, and your inbox will fill with urgent correspondence for about 10 to 14 weeks.
You’ll need to take more screenshots, follow up on their questions with your stakeholders, implement last-minute changes to controls, and spend hours manually testing procedures with your auditors. And you’ll have very little insight into the process itself, from where the auditors stand to any issues that have been identified.
On average, assessors spend 150 to 200 hours testing SOC 2 controls.
And let’s be clear: auditors don’t love this either. Technology to automate and streamline the process is virtually nonexistent. There has been no other way to pass along information and verify security practices.
Until now.
Our team has been working to make Laika a platform loved by our customers and auditors.
In March, we quietly launched our integrated audit feature. When we say “integrated audit,” we mean that there is no experiential separation between building or maintaining your compliance and auditing it. Our customers access all audit updates through our platform. Through a proprietary and independent application, Laika Compliance auditors programmatically examine compliance postures to issue high-quality reports.
Laika customers experience the smoothest audit process wrapped in Laika technology. This is the only transparent, tech-enabled audit with the best IT auditors in the industry. Customers track their progress throughout the audit, communicate with auditors, and see directly into the audit management process with our compliance architects. And over 80% of our customers are already taking advantage of this feature.
In partnership with Leith Khanafseh, Laika Compliance’s principal and head auditor, our team wrapped the process in technology to create reproducible and transparent audits. We deliver the highest-quality IT audit reports in 60% less time than the industry standard.
We’re eliminating risky procedures in audits that result in variable reports.
No two auditors or audits are the same, particularly with frameworks like SOC 2. With nothing standardized about the audit except the framework, we removed the guesswork by verifying evidence through technology as often as possible and formalizing control reviews.
This faster, more cost-effective approach produces a higher-quality audit than reliance on emails, spreadsheets, phone calls, and scattered communications. Any business can subscribe to Laika+ and execute their audit directly on our platform.
We now have more subscription plans for small, medium, and large businesses. And we can’t wait to show them to you. Reach out for a demo today.