Thoropass’s Dedication to Independence and Excellence

The foundation of Thoropass’s mission is to make information security compliance accessible to all and an enabler of our clients’ innovation and business success. We accomplish this through what we call The OrO™ Way, a customer-centric approach that combines the best in automation technology with the most expert assistance. Both sides of this offering are equally important and are held to equally high standards of quality and ethics.

Specifically, our in-house expertise (including a Customer Success Team that offers education and guidance, and Auditors who objectively verify evidence and perform audit tests) is what separates Thoropass from vendors who stop at offering software and then hand clients off to third-party auditors.

We value transparency and relationships, so we have always offered both technology and expertise as part of every client relationship we’ve ever had.

Quality and independence are at the core of this offering. As prospective clients and partners perform due diligence on Thoropass and The OrO Way, we want to outline clearly and transparently how we ensure the highest possible degree of independence.

Independence Standards

To maintain public trust in audit reports and certifications, virtually all governing bodies of information security frameworks and regulations require assessors to practice integrity and objectivity in the audit and certification process. This ensures that the results reported in audits are not influenced by external factors and can be relied on by the people who read them.

For example, as HITRUST External Assessors, Thoropass abides by HITRUST’s Segregation of Assessor Duties requirement, which states:

In order to ensure independence and objectivity of the authorized External Assessor firm, HITRUST-relevant consulting services must be segregated from HITRUST validated assessment services. HITRUST stipulates that the individual acting as a validated assessment’s CHQP/quality reviewer may not perform any other duty on that assessment, such as client-facing engagement executive, fieldwork lead, etc. This requirement helps ensure that the assessor’s pre-submission quality review is performed with objectivity.  

Likewise, as auditors on frameworks including SOC 1 and SOC 2, we follow the American Institute of Certified Public Accountants’ (AICPA) Code of Professional Conduct.

The AICPA established the Code of Professional Conduct for practicing Certified Public Accountants (CPAs), which details the conduct a CPA must maintain while performing attestation engagements. Within the Code, the AICPA defines independence, details the threats to independence that a CPA may encounter while performing attestation engagements, and provides a conceptual framework for applying professional judgment to evaluate any threat that may appear during an attestation. 

Specifically, the AICPA defines independence as consisting of two elements:  

  1. Independence of mind is the state of mind that permits a member to perform an attest service without being affected by influences that compromise professional judgment, thereby allowing an individual to act with integrity and exercise objectivity and professional skepticism.
  2. Independence in appearance is the avoidance of circumstances that would cause a reasonable and informed third party who has knowledge of all relevant information, including the safeguards applied, to reasonably conclude that the integrity, objectivity, or professional skepticism of a firm or member of the attest engagement team is compromised.

Thoropass abides by this Code, as well as similar guidelines from other governing bodies, through a careful and direct approach to independence in people, process, and technology.

Independence through People

For any audit performed on the Thoropass platform, there are at least three distinct parties represented: (1) the Customer, (2) the Thoropass Customer Success team, and (3) the Auditor. Though these parties may interact, the engagement, especially at the beginning of a compliance journey, is consultative and educational. The Auditor can provide recommendations to a Customer, but cannot and does not design or operate the Customer’s controls. This is no different from how the Big 4 auditors, other cyber security auditors, and technology solutions that rely on third-party audit firms engage their customers.

This separation allows the Customer and the Auditor to perform distinct responsibilities:

  1. The Customer is responsible for the design and operating effectiveness of their controls and retains ultimate ownership of their internal control environment.
  2. The Auditor is responsible for evaluating those controls and reaching a conclusion objectively, free from any outside influence.

By keeping these two parties separate and acting independently during the audit, Thoropass ensures that every Auditor acts with integrity and objectivity (in line with AICPA’s Code).

Independence through Process

Like any auditing body, Thoropass (including our affiliated audit entity) submits to regular AICPA peer review. Our most recent third-party peer review took place in 2022, and we received the highest rating possible (“pass”). Our next review will take place in 2025. This review, available upon request, affirms our compliance with AICPA and state board regulations and requirements. It also affirms our quality control system, which includes strict compliance with independence rules.

In line with the Independence through People described above, Thoropass separates Customers and Auditors through distinct processes. Thoropass provides both readiness and audit services, but the teams involved are kept distinctly separate:

  • Our Technology provides the guidance the Customer needs to design, implement, and operate their controls.
  • Our Customer Success team provides process guidance so that Customers are informed of any nuances related to their specific use case.
  • Our Auditors are able to provide recommendations and best practices.

The roles of the last two parties warrant further explanation. While the Customer Success team and Auditor(s) may meet with a Customer at the beginning of the engagement, and while the Auditor(s) may offer feedback on best practices for preparing for the audit, it is the sole responsibility of the Customer to manage their information security program.

Independence through Technology

Thoropass technology is designed to automate evidence collection and aid Customers’ journey toward compliance. Evidence collection is automated through APIs that connect to the Customer’s systems of internal control. The software and APIs follow strict software development standards and quality assurance reviews, including completeness and accuracy testing. In addition, these APIs are reviewed annually by third-party auditors to affirm our commitment to the completeness and accuracy of programmatic evidence capture. The technology is also designed to limit the Auditors’ access to Customer information, both during collection and after the Customer has submitted it for review.

Specifically, Thoropass Auditors cannot access Customer information until the Customer submits the evidence for review. Even after this explicit action, Thoropass Auditors can access only the information that the Customer has chosen to provide to satisfy the audit request.

This is in line with the AICPA Peer Reviewer alert issued in December 2022 addressing the independence of compliance automation platforms. The alert draws the following distinction:

Some SOC 2 tool providers have a ‘related’ CPA firm that provides the audit based on the SOC 2 information generated by the SOC 2 tool. Depending on how the tool is used by the service organization (e.g., whether the tool becomes part of the service organization’s internal controls), there may be a self-review threat that cannot be mitigated to an acceptable level.

Thoropass’s platform is not a system of internal control. The technology behind Thoropass acts as a data aggregator: it collects information from a Customer’s internal control systems to streamline and automate the compliance management and audit process. Neither the Customer nor the Auditor can manage any configuration of the Customer’s tech stack through our platform.

Excellence through Independence

In the same way that a customer’s needs are behind every decision we make (our OrO Way), independence is behind every aspect of the people, processes, and technology of Thoropass. By clearly defining the roles and responsibilities of our team members, adhering to governing bodies’ codes of ethics, and designing our technology so that it aggregates data from systems of internal control to automate the audit process, we ensure that our product and processes are independent and of the highest quality possible.

How do we know we’re doing it successfully? As of September 2023, Thoropass auditors have reviewed 60,000+ controls, worked with over 1,000 individual companies, and averaged 500+ audits each year. Our audit reports and certifications have been, and continue to be, accepted by leaders in every industry, including a majority of the Fortune 50. Banks, universities, government departments, and healthcare organizations have all accepted and continue to trust Thoropass’s independent audits.

Our independence is guaranteed, and our excellence is a standard we uphold in every customer relationship. We ensure both through proactive transparency. We’re happy to share our peer review results, demonstrate our technology and associated processes, and discuss how our customers’ confidence in our reports is as important to us as their success.