SOC 2

To satisfy a customer’s privacy requirements, EPK chose Sensiba for a SOC 2 audit.

Based in Ontario, Canada, EPK Training Solutions Inc. provides an innovative, continually evolving on-demand learning platform that helps companies increase the knowledge of their sales and customer service teams.

  • SOC 2 Readiness Platform: Drata
  • SOC 2 Type II Audit
  • SOC 3 Report

Challenge

EPK Training Solutions Inc. is an on-demand training provider specializing in helping companies improve sales and customer service. When one of its customers requested that EPK provide a SOC 2 report within 12 months in order to maintain the relationship, the company recognized a need to commit to a formal process.

EPK’s first attempt at obtaining its SOC 2 involved engaging an audit firm whose processes were largely manual and cumbersome. This initial audit firm applied the traditional approach to performing an audit: an antiquated Excel-based request list, time-consuming document requests, and limited organization of the overall SOC 2 engagement. EPK’s CTO Dave Wiese says this effort was time-consuming and frustrating because, as the deadline loomed, the company wasn’t receiving guidance and didn’t feel it was making headway on completing the audit.

“We could tell that with all of the information we were collecting, it was going to be a nightmare to organize and, ultimately, demonstrate we were following our policies and protecting our customers’ data,” Wiese says.

“The guidance and responsiveness we encountered working with Sensiba alleviated our anxiety throughout the remainder of the process. They encouraged us to call when we had questions, and I could sleep at night knowing we were on the right path and had someone in our corner.”

David Wiese, Chief Technology Officer, EPK Training Solutions Inc.

Solution

SOC 2 Readiness

After recognizing the challenges with manual data collection, and a fast-approaching deadline, EPK pivoted and began evaluating automation tools. After comparing options, they ultimately selected Drata’s SOC automation platform for data collection, analysis, and continuous monitoring. The platform provides customizable security policies and features a dashboard that helps businesses understand their compliance status and security controls by monitoring devices, applications, vendors, and risks across the company.

SOC 2 Type II Audit

After a smooth onboarding, EPK asked Drata to recommend a new audit partner and was introduced to Sensiba, a firm experienced in auditing against the evidence collected by readiness platforms such as Drata.

“Sensiba was very responsive,” Wiese says. “They helped us identify and prioritize critical aspects of the audit, focus our efforts where it mattered most, and circle back to less urgent elements later in the process.”

While the audit addressed four of the five SOC 2 Trust Services Criteria (security, availability, confidentiality, and privacy), Wiese says the customer was especially interested in safeguarding the privacy of its employees who were participating in the training modules EPK develops and delivers.

“While we don’t perform transactions and store sensitive payment information, we do have employee names and email addresses to protect,” Wiese says. “We and our customers understand that if any information gets out, that reflects poorly on them, and we have an obligation to protect that data.”

Result

Despite the time lost to the earlier manual approach and audit firm, EPK and Sensiba, working with Drata, completed the SOC 2 Type II audit ahead of the customer’s deadline and obtained objective confirmation that the company’s security processes and controls were operating effectively over the audit period.

The successful SOC 2 audit project has provided EPK with several benefits, including the elimination of security-related discussions during contract renewal with its customers and greater confidence in explaining its security and privacy policies to prospective customers.

Perhaps more importantly, Wiese says the audit process caused a cultural shift within EPK’s teams that placed security at the forefront of the company’s internal discussions.

“It has really focused the company to ask security questions first,” Wiese says. “When we started the process, there was some trepidation that focusing on security might make us less agile. That hasn’t happened, and now we’re talking about security in everything we do. Everyone’s bought into the value of compliance, and I’m very happy about that.”

In addition to the SOC 2 Type II, EPK also obtained a SOC 3 report, a general-use summary of the SOC 2 results that its sales and marketing teams can share with prospective customers.

Asked what advice he would share with other companies approaching a SOC 2 audit, Wiese says it’s important to evaluate SOC readiness tools before starting the process.

“I’d say don’t do this without a dedicated tool,” he says. “Yes, you can do an audit without a readiness platform, but it’s extremely difficult to track continuous compliance manually. Spreadsheets are great for certain things, but not for compliance monitoring because you don’t want to update a spreadsheet every day with the status of all your infrastructure. You can just automate that.”

As part of that process, he also suggests making sure the audit firm you choose is familiar with your readiness platform.

“That will set you up for success,” Wiese says. “Don’t try to nickel-and-dime the tool and professionals that will help make sure you’re compliant.”
