Understanding SOC 3 Reports: A Seal of Assurance for Security and Privacy

With data security and privacy now paramount concerns for businesses and consumers alike, organizations are increasingly looking for ways to demonstrate their commitment to safeguarding sensitive information. One widely recognized way to do so is the SOC 3 (System and Organization Controls 3) report.

A SOC 3 report is an independent auditor's report based on the AICPA's Trust Services Criteria, which cover five categories:

  • Security
  • Availability
  • Processing integrity
  • Confidentiality
  • Privacy

Major service organizations spanning industries like cloud computing, SaaS, internet services, and telecommunications are making their SOC 3 reports available publicly. For example, AWS, Google Cloud, and Azure publish their reports to showcase how they prioritize security and privacy standards.

SOC 2 vs. SOC 3 Reports

While similar to SOC 2 reports, SOC 3 reports have one distinctive feature: they are designed for public distribution. The information in a SOC 3 report is therefore written to be understood by a broad audience, which makes it a valuable asset for businesses seeking to build trust and transparency.

In plain terms, a SOC 3 report is the public-facing version of a SOC 2 Type 2 report. It contains the auditor's opinion, management's assertion, and a high-level description of the system, but omits the detailed control descriptions and the auditor's tests and results that make a SOC 2 report restricted use. Because it summarizes the results of a SOC 2 Type 2 examination, it is only issued in connection with one.

Benefits of a SOC 3 Audit

1. Public Assurance

SOC 3 reports serve as a seal of assurance that can be displayed prominently on a company’s website or within its marketing materials. This seal communicates to customers, prospects, partners, and the general public that the organization has undergone an independent audit and adheres to robust controls in key areas.

2. Broad Transparency

Unlike SOC 2 reports, which are often shared with specific parties under non-disclosure agreements, SOC 3 reports are intended for public consumption. A completed SOC 2 audit and a SOC 3 report demonstrate a proactive approach to security and privacy, potentially attracting clients who prioritize working with organizations committed to safeguarding their data.

3. Enhanced Customer Trust

A SOC 3 report is not just a compliance checkbox; it’s a testament to an organization’s dedication to protecting its customers’ data. This enhanced level of transparency fosters trust and confidence, crucial elements in building lasting customer relationships.

4. Risk Mitigation

By undergoing a SOC 2 audit and obtaining a SOC 3 report, a company identifies and remediates gaps in its systems, controls, and processes. The examination tests whether controls are designed and operating effectively; it is not a penetration test, so technical security testing still belongs alongside it. This proactive approach to risk management can spare an organization future security incidents and the associated reputational damage.

5. Global Recognition

As data protection regulations evolve globally, a completed SOC 2 audit and SOC 3 report can be advantageous for organizations operating in international markets. It showcases a commitment to aligning with industry best practices and compliance standards.

Elevating Your Security and Privacy Standards

Obtaining a SOC 2 audit and SOC 3 report is not just about meeting compliance requirements – it’s a strategic move toward building a reputation for excellence in security and privacy. SOC 3 goes beyond the checkboxes, instilling confidence in customers, prospects, and partners.

In a digital age where trust is currency, this step can be your organization’s key to unlocking new opportunities and fortifying its standing in the marketplace. To learn more about the potential benefits of a SOC 2 audit and a SOC 3 report, contact us.

Navigating Cyber Privacy and Data Protection in Australia

Cyber privacy and data protection are growing priorities for businesses operating in Australia, where national regulations and global standards play a central role in shaping compliance expectations. As cyber threats continue to rise, understanding your legal obligations is critical to protecting your organization and customers.

Cyber Privacy in Australia: An Overview

Cyber privacy concerns how personal information is collected, used, stored, and shared in digital environments. In Australia, privacy is governed by the Privacy Act 1988 and the 13 Australian Privacy Principles (APPs) set out in its Schedule 1. The APPs bind Australian Government agencies and private-sector organizations with annual turnover above AUD 3 million, as well as certain smaller businesses such as private health service providers and businesses that trade in personal information.

These laws require organizations to:

  • Be transparent about their data collection practices,
  • Secure personal data from misuse or unauthorized access, and
  • Provide individuals with the right to access and correct their information.

In today’s risk landscape, compliance with the APPs isn’t just a legal requirement—it’s foundational to building trust with your customers and stakeholders.

What Is Personally Identifiable Information (PII) in Australia?

Australian law uses the term "personal information" rather than the US term personally identifiable information (PII), although the two are often used interchangeably. The Privacy Act defines personal information as information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether or not it is true and whether or not it is recorded in material form. Beyond obvious details like names, addresses, and phone numbers, this can include:

  • IP addresses and geolocation data, where they can reasonably be linked to a person,
  • Biometric identifiers (e.g., fingerprints or facial scans), which the Act treats as "sensitive information" subject to stricter collection and handling rules, and
  • Opinions or assessments linked to a person's identity.

APP 11 requires organizations to take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorized access, modification or disclosure, and to destroy or de-identify it once it is no longer needed for a permitted purpose.

Understanding Australia’s Cybersecurity Laws

Australia has enacted several key laws to protect personal data and critical infrastructure from cyber threats:

  • Notifiable Data Breaches (NDB) scheme: In force since February 2018 as Part IIIC of the Privacy Act, it requires entities covered by the Act to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of an eligible data breach, that is, unauthorized access to, disclosure, or loss of personal information that is likely to result in serious harm to any individual. A suspected breach must be assessed within 30 days.
  • Security of Critical Infrastructure Act 2018 (SOCI Act): Imposes obligations on responsible entities for critical infrastructure assets, expanded by the 2021 and 2022 amendments to include a register of critical infrastructure assets, mandatory cyber incident reporting (within 12 hours for incidents with a significant impact on the asset and 72 hours for those with a relevant impact), and a critical infrastructure risk management program.
  • Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (TOLA): Establishes a framework of technical assistance requests, technical assistance notices, and technical capability notices through which law enforcement and intelligence agencies can ask or compel designated communications providers to assist with access to communications in serious criminal and national security investigations. The Act does not itself weaken encryption; it prohibits notices that would require a provider to build a systemic weakness or systemic vulnerability into a service.

These regulations form the foundation of the country’s cyber defense posture and impact how businesses collect, store, and secure data.

Cyber Privacy and Cybersecurity

While often used interchangeably, cyber privacy and cybersecurity address different but related concerns.

  • Cyber privacy focuses on protecting individual rights and ensuring responsible data handling.
  • Cybersecurity involves the broader protection of systems, networks, and information from external threats such as hacking, ransomware, and malware.

Australian organizations must address both. This means going beyond compliance checklists to implement strong security protocols—such as encryption, multifactor authentication, and regular audits—that align with evolving threats and legal standards.

Preparing for Privacy and Cybersecurity Challenges

A proactive privacy and cybersecurity strategy should include the following:

1. Regular risk and compliance audits. Review and test your policies, systems, and controls to ensure alignment with both legal and industry standards.

2. Employee training. Empower your workforce with clear guidance on data handling, security best practices, and incident response protocols.

3. Advanced security controls. Implement layered security measures, such as intrusion detection systems, encryption, and secure access management.

4. Continuous monitoring and updates. Stay informed about changes in legislation, emerging cyber threats, and evolving compliance obligations.

Strengthening Your Cyber Privacy and Security Posture

In today’s digital environment, protecting personal data is more than a regulatory necessity—it’s a competitive differentiator. By taking a proactive, well-informed approach to privacy and cybersecurity, your organization can mitigate risk, improve operational resilience, and earn the trust of customers and regulators alike.

Sensiba supports clients across Australia and globally in aligning with privacy frameworks, including the General Data Protection Regulation (GDPR), California Privacy Rights Act (CPRA), and other international standards.

To explore how we can help strengthen your compliance program and data protection practices, contact us.

Setting Up for Success – How AI is Changing Security and Compliance

Artificial intelligence is transforming industries by automating tasks, analyzing massive datasets, and simplifying decision-making. At first glance, compliance seems like an ideal application: with its vast ecosystem of policies, controls, documentation, and risk assessments spread across systems, it should be a perfect fit for AI.

And in some ways, it is. AI can draft policies, review evidence, and flag risks faster than humans. So why hasn’t AI fully revolutionized compliance?

The short answer: it’s not about what AI can do but what it must work with.

The Three Limiting Factors of AI in Security Compliance

AI has significant potential to modernize compliance processes, but three key challenges limit its impact today.

1. Compliance is Too Dispersed and AI Can’t See the Full Picture

Compliance data lives across various platforms: cloud infrastructure, HR systems, ticketing tools, code repositories, and more. Security settings, employee practices, policies, and risk assessments are rarely centralized. AI is only as effective as the data it can access, and when that data is fragmented, AI is forced to operate with partial context.

Even if AI can draft a great policy, it’s not delivering real value if it can’t see the supporting evidence behind it.

How Sensiba’s AI-Powered Audits Help

We work with GRC platforms like Vanta and Drata to automatically pull information from hundreds of integrations into a centralized, structured framework. This gives AI a complete and connected view of your security environment — enabling real compliance intelligence instead of guesswork.

2. Compliance Is a Three-Party Relationship and AI Must Work for Everyone

Unlike many business processes, compliance isn’t internal only. It’s a three-way relationship involving:

  • Your business implementing the controls
  • Your customers relying on that compliance
  • Your auditors verifying it independently

Even if a company adopts AI for internal audits, external auditors and customers may not trust or use AI themselves. That disconnect limits its utility unless AI outputs are aligned to standards everyone recognizes.

How Sensiba’s AI-Powered Audits Help

We connect AI capabilities with industry-standard control frameworks, ensuring outputs are audit-ready and credible to customers and third-party assessors alike.

3. Compliance Metadata: The Missing Piece for AI

Compliance isn’t one-size-fits-all. The requirements for your organization depend on your infrastructure, operating model, data types, industry, and geography.

For example, two companies using AWS may have entirely different obligations if:

  • One is fully serverless, while the other uses virtual machines
  • One processes sensitive financial data, and the other hosts public websites
  • One operates globally, and the other is limited to a single region

AI can generate policies, but without metadata and operational context, those policies may not be appropriate or effective.

How Sensiba’s AI-Powered Audits Help

Our tools map your compliance metadata—including infrastructure, toolsets, and regulatory scope—to ensure AI recommendations are accurate, relevant, and actionable. The result is a compliance program tailored to your unique risk profile, with an audit process that’s faster and more efficient.

AI-Powered Compliance Starts With the Right Foundation

To get the most from AI, your compliance program must be unified and structured. That means:

  • A centralized system of record for compliance documents and data
  • Auditors who know how to work with AI tools
  • Accurate metadata to personalize compliance to your business

At Sensiba, we partner with Vanta and Drata to provide this foundation. Our AI-powered audit solutions integrate directly with these platforms, ingesting your compliance data, delivering real-time insights, and syncing audit outputs back into your systems. We also offer free compliance mapping tools to help you structure your program for AI efficiency and long-term growth.

To learn more about increasing efficiency and effectiveness in your compliance programs, contact us.

Key Elements of a SOC 2 Report

One of the most effective ways for service organizations (a broad category that includes cloud service providers) to demonstrate that they have implemented the security controls needed to safeguard sensitive data and meet their service commitments is to obtain a System and Organization Controls (SOC) 2 report.

What is a SOC 2 Report?

Developed by the American Institute of CPAs (AICPA), SOC 2 is a framework under which an independent CPA firm examines a service organization's security practices and controls and issues an objective attestation as to whether those controls are suitably designed and operating effectively.

Trust Services Criteria

The report is based on the five Trust Services Criteria (TSC) categories, each highlighting an aspect of a service organization's information protection posture. The Security category (also known as the "Common Criteria") is required in every SOC 2 examination; organizations can add any of the other four categories based on their service commitments and customer requirements.

The other criteria are Availability, Confidentiality, Privacy, and Processing Integrity. For cloud service organizations, a combination of Security, Availability, and Confidentiality represents the most common selection.

Whether to include categories beyond the required Security criteria depends on factors such as specific customers' or prospects' concerns, the types of data the service provider handles on behalf of its customers, and whether the service organization wants to present as comprehensive a report as possible.

A SOC 2 report is considered “restricted use,” and is intended to be shared only with customers, prospects, business partners, and regulators. Because the report includes detailed system information and a controls matrix specific to the service organization, which may include proprietary information, it should not be shared publicly.

What Are the Other SOC Reports?

A SOC 2 is not the only report a service organization may want. A SOC 1 report covers the controls at a service organization that are relevant to its customers' internal control over financial reporting. A SOC 3 report is a summarized version of a SOC 2 Type 2 report; intended for an unrestricted audience and often used as a marketing tool, it provides the auditor's opinion on controls related to one or more of the Trust Services Criteria without the detailed control descriptions and test results.

SOC 2 Type 1 vs. SOC 2 Type 2

Service organizations can elect to undergo two types of SOC 2 examination. A Type 1 report evaluates whether controls are suitably designed at a specific point in time. A Type 2 report evaluates whether those controls are designed and operating as intended over a specified period, typically six to 12 months. When customers ask for a SOC 2 report, they generally mean a Type 2. A Type 1 is usually performed as part of initial readiness at the beginning of the SOC 2 journey.

The Audit Process

To prepare for a SOC 2 audit, a service organization will develop comprehensive documentation of systems, processes, and controls. A SOC 2 readiness tool, such as Drata or Vanta, can help service organizations implement necessary controls based on the applicable Trust Services Criteria for their organization.

During the review, an independent audit firm will assess and validate the service organization’s controls before issuing a report summarizing its findings. The best outcome for the service organization is when the audit firm issues an “unqualified opinion” that the organization under examination can achieve its service commitments and its controls are designed and operating effectively.

A SOC 2 audit is typically performed annually, so the service organization will likely use the report’s findings to fine-tune and maintain its controls before its next examination.

The Benefits of a SOC 2 Report

Having a SOC 2 attestation to share with prospects and customers can provide many benefits for service organizations. For example, a SOC 2 report is often considered a qualifying factor in the due diligence process as companies (especially large enterprises) evaluate potential vendors.

Similarly, undergoing a SOC 2 audit may be a contractual requirement between a service organization and its clients. Some customers may accept a SOC 2 report in place of a security questionnaire.

In short, a SOC 2 report provides assurance that a service organization has implemented strong security controls and procedures that conform to industry best practices for protecting systems and data and managing risk.

To learn more about SOC 2 reports and how they can benefit your organization, contact us.

How ESG Due Diligence Drives Venture Capital Value

Does focusing on environmental, social, and governance (ESG) issues mean sacrificing financial performance or shareholder returns? Recent studies suggest the opposite: ESG and sustainability priorities benefit valuations over the long term, particularly when integrated into the company's core strategy.

ESG falls under the broader triple bottom line sustainability umbrella, in which investors, analysts, and business leaders evaluate the impact of industry- and sector-specific sustainability issues on a company's risk profile and performance. For decades, leading investment funds like TPG, KKR, and BlackRock have incorporated ESG considerations into their evaluation process, with positive results that point to long-term value creation from measuring and monitoring sustainability-related risks and opportunities.

In years past, sustainability reporting frameworks were scattered, divergent, and confusing, making consistent and efficient measurement and reporting challenging for most companies because they weren’t sure where to start their baselining and benchmarking efforts.

This has changed in recent years as a few key frameworks have begun to develop harmonized standards for how companies are evaluated on key ESG issues such as climate; diversity, equity, and inclusion (DEI); data security; and corporate governance. The most commonly referenced frameworks include the Principles for Responsible Investment (PRI), the ESG Data Convergence Initiative (EDCI), and the International Sustainability Standards Board (ISSB).

Controversy Around ESG Practices

ESG has also sparked controversy, with detractors complaining that it is redundant, measurement is subjective and difficult to benchmark, it requires sacrificing returns, and it creates an overall distraction from a company’s most important issues. Despite this pushback, ESG and sustainability considerations are trickling down to the middle market. General partners who don’t pay attention to this megatrend are at risk on multiple levels, especially as it relates to accessing limited partner capital and the risk of reduced terminal values.

“Anti-ESG backlash is simply the politicization of ESG that was initiated in several state legislatures as a response to what they perceive as ‘woke capitalism,’” says Ryan Williams, PhD, former Chief Sustainability Officer at Coatue Management and Sustainability Operating Partner at NextWorld Evergreen, and current strategist with VITAL. “Effective ESG integration, on the other hand, is a value creation strategy that creates outcomes for key stakeholders—customers, employees, and investors, that drive financial performance.”

Michael Whelchel, Co-Founder and Managing Partner at Big Path Capital, an investment banking advisory firm working with leading mission-driven companies and private equity funds, agrees about the value creation inherent in integrating sustainability principles.

“Companies that integrate sustainability principles into how they develop and deliver their product or service activate value creation on two different levels,” he says. “First, they reduce business risk and cost, thereby creating a more resilient business model. Second, they increase upside for their business by being in step with customer interest and better identifying areas of innovation.”

A Growing ESG Demand for GPs

Several recent studies reaffirm the assertion that good ESG practices support long-term value creation and can help lead to optimal results for GPs.

A 2023 PitchBook Sustainable Investment Survey interviewed hundreds of private market GPs and LPs about their opinions on impact investing and ESG frameworks, and determined that “investing for profit and investing for purpose…need not be mutually exclusive.” Proponents of ESG integration cited the following considerations:

  • Access to a Growing Investor Base – 92% of respondents noted rising institutional and retail demand for ESG investments, and that it’s becoming more difficult to attract business or capital without a sharper focus on ESG. This is supported by 75% of surveyed LPs who feel that at least some amount of thinking around sustainability is important when considering a potential investment.
  • Enhancing Long-Term Value – 91% of respondents believe ESG integration contributes to enhancing the long-term value of their investments.
  • Meeting Stakeholder Expectations – 86% of GPs surveyed recognize that ESG alignment is critical for meeting the expectations of various stakeholders, including customers, employees, and communities. Responding to these expectations can enhance brand reputation, customer loyalty, and talent retention.
  • Mitigating Risk – 79% of surveyed GPs cited ESG factors as integral to their risk assessment processes.
  • Regulatory Compliance and Market Access – Over 70% of respondents believe regulatory compliance and adherence to ESG standards are key drivers in their investment decisions. Europe has traditionally led on mandatory ESG disclosures, but there is growing pressure in the United States for ESG regulations, and some states like California have already enacted laws focused on climate disclosures and anti-greenwashing.
  • Fostering Innovation – 64% of GPs see ESG considerations as a catalyst for fostering innovation within their portfolios.

A 2023 analysis by McKinsey & Company of over 2,200 public companies came to a similar conclusion that “financially successful companies that integrate environmental, social, and corporate governance (ESG) priorities into their growth strategies outperform their peers—provided they also outperform on the fundamentals.”

Their research highlighted companies they dub “triple outperformers,” identified by evaluating total shareholder returns (TSR), financial performance, and ESG ratings. The analysis shows that growth and profitability are higher for companies that also lead on ESG issues, by up to 7 percentage points above the study's baseline.

The Value of ESG Due Diligence for Portfolio Companies

A 2022 KPMG study on managing ESG due diligence in EMA deals surveyed more than 150 dealmakers across Europe, the Middle East, and Africa about the importance of conducting ESG due diligence.

While the study clearly acknowledges that ESG enhances value (80% of dealmakers said they consider ESG in M&A and that material concerns could be a dealbreaker), it also highlights some common difficulties related to performing ESG due diligence accurately and consistently. These include undefined scope, poor data availability, lack of written policies, and difficulty quantifying metrics and targets.

This data illuminates the growing recognition of ESG considerations among dealmakers and underscores the opportunity to approach ESG as a platform for venture capital and private equity. The platform approach is a compelling opportunity for portfolio engagement to leverage shared learnings, create tools, and identify best practices to maximize value creation potential. Furthermore, because most small and medium sized funds focus on a subset of business models within an industry, there are inherent synergies across most portfolios such that GPs can build out a small but effective suite of material metrics to monitor across the portfolio. 

“ESG considerations have increasingly become a strategic negotiation tactic for private equity firms where the absence of an ESG program can be identified as unknown risk that may influence the valuation,” says VITAL’s Williams. “Companies that disclose ESG topics in due diligence often have a stronger negotiating position and may attract a broader range of buyers when they are able to provide ESG metrics.”

There is also growing recognition that the fiduciary responsibilities for board members are expanding to include ESG issues. If your board is not currently conducting comprehensive sustainability or ESG due diligence assessments, you may be lagging in effectively managing risks, meeting stakeholder expectations, and capitalizing on long-term opportunities. Momentum is continuing to shift toward more urgency, transparency, and disclosure on sustainability issues. Terminal values are being affected, regulations are on the horizon, and access to LP capital is increasingly at stake.

ESG risks do influence valuation, and mitigating them is frequently critical to a company's exit strategy and investor returns. And while a lot of work remains on data standardization and consistent comparison, progress is being made by groups like the ESG Data Convergence Initiative to support the investor due diligence process.

Getting Started with ESG Due Diligence

It is critical for GPs to engage in due diligence and performance monitoring now, and not as a pre-exit exercise, because doing so will position them for success, help mitigate risk, enhance the value of their investments, address stakeholder expectations, and create sustainable value for the long-term.

GPs looking for a place to start should perform an ESG Due Diligence assessment to help them better understand company- and industry-specific sustainability risks and opportunities for their portfolio companies, and begin to understand how to integrate these considerations into their core strategies. Contact us to learn more.

Comparing SOC 1 vs. SOC 2 Reports

Service organizations such as cloud providers and Software as a Service (SaaS) companies look to demonstrate they have effective internal controls and comply with security and privacy standards. To do so, they often pursue a System and Organization Controls (SOC) audit and, most often, a SOC 2 report.

SOC 2 reports are a standardized way to validate security, availability, confidentiality, processing integrity, and privacy controls. The next question is whether a SOC 1 audit may also be beneficial (or required).

This decision depends on factors including the types of controls that will be examined and the end users of the report. Both SOC standards are established and maintained by the American Institute of Certified Public Accountants (AICPA), and a SOC examination is usually conducted by auditors working for an independent accounting firm. 

Key Similarities Between SOC 1 and SOC 2

SOC 1 and SOC 2 reports look very similar and there is some overlap between the two, but there are fundamental differences between the reports and their audiences. 

Both reports are valuable in assuring customers, prospective customers, regulators, and other stakeholders that the service organization can protect data and manage risk effectively. The SOC audit process also provides insight to help the service organization evaluate and enhance its security and data governance processes.

Providing a SOC 2 report is becoming a common contractual requirement, especially within the vendor qualification requirements of large enterprise customers. In some cases, the SOC 1 report will be an additional requirement that may show up for new customer opportunities, or the request for the SOC 1 will come from long term customers. These organizations want to ensure their data will be processed consistently and accurately, and increasingly rely on SOC 1 reports for that assurance. 

The testing procedures for SOC 1 focus on financial controls and transaction processing, while SOC 2 testing centers on IT general controls (ITGCs). Because the processes covered by a SOC 1 run on IT systems, many of the controls tested in a SOC 2 report can be mapped to a SOC 1 report.

Understanding SOC 1 and SOC 2

A SOC 1 examination centers on the internal controls over financial reporting (ICFR) that a service provider has in place to ensure transaction or data processing is done consistently and reliably. A SOC 1 report focuses on business processes specific to the service organization, so there is more variability than in a SOC 2 report, because the control environment will be specific to each service organization.

A SOC 2 report examines controls that address the Trust Services Criteria (primarily security, but there are five criteria to choose from) and is relevant for service organizations entrusted with custody of their customers’ data. The Trust Services Criteria provide a pre-defined framework that can be applied to a wide range of service providers. 

Trust Services Criteria for SOC 2

The relevant trust services criteria are:

  • Security. The only required category; it evaluates the organization's controls against unauthorized access to, disclosure of, or damage to systems and information.
  • Availability. Keeping systems operational and available for use as committed.
  • Confidentiality. Protecting information designated as confidential throughout its lifecycle.
  • Processing integrity. Ensuring system processing is complete, valid, accurate, timely, and authorized.
  • Privacy. Protecting personal information related to customers, employees, and other stakeholders.

Our article “Choosing the Right Trust Services Criteria for Your SOC 2 Audit” provides more details on identifying relevant SOC 2 criteria.

Choosing a SOC 1 or SOC 2 Report

Selecting the most appropriate report depends on the intended audience and the factors leading you to consider a SOC audit. Does your organization touch customers' financial data and reporting? Are customers asking about information security and data governance?

A SOC 1 report, with its focus on ICFR and the related IT controls, is best suited for evaluating controls over the accuracy and completeness of financial data and processing. The primary audience is the organization's management, its customers (user entities), and those customers' external financial statement auditors.

A SOC 2 report, aligned with the trust services criteria listed above, has the same audience and adds potential customers and business partners evaluating the service organization as part of their vendor selection or due diligence process.

For more information and help determining whether a SOC 1 vs. SOC 2 audit report is best suited for your needs, get in touch with our team.

CCPA or CPRA: What California’s Privacy Laws Mean for Your Business

If your business operates in California or handles the personal information of California residents, you have likely heard of the California Consumer Privacy Act (CCPA) and its more recent counterpart, the California Privacy Rights Act (CPRA).

These laws have reshaped consumer privacy rights in the U.S. and introduced new compliance obligations for organizations of all sizes. But what exactly do these laws require, and how do they differ? Here’s what you need to know.

What Is the CCPA?

The California Consumer Privacy Act, or CCPA, took effect on Jan. 1, 2020. It gives California residents greater transparency and control over how their personal data is collected, used, and shared.

Under the CCPA, consumers have the right to:

  • Know what personal information is collected about them,
  • Access that data,
  • Request deletion,
  • Learn whether their data is being sold or shared, and
  • Opt out of the sale of their personal data.

Does CCPA Apply to My Business?

The CCPA applies to for-profit entities that do business in California and meet at least one of the following thresholds:

  • Annual gross revenue exceeding $25 million (a figure the CPRA adjusts for inflation),
  • Buying, selling, or sharing the personal information of 100,000 or more California consumers or households, or
  • Deriving 50% or more of annual revenue from selling or sharing consumers’ personal information.

If your business meets any of these criteria, CCPA compliance is required.

How Does the CCPA Define Personal Information?

The CCPA defines personal information broadly. It includes any data that identifies, relates to, describes, or could reasonably be linked to a specific individual or household. This covers:

  • Names, email addresses, and phone numbers,
  • IP addresses and geolocation,
  • Browsing and search history, and
  • Unique identifiers such as cookies or device information.

Because of the expansive definition, most organizations must assess the full scope of the data they collect and store.

What Is the Difference Between CPRA and CCPA?

CPRA, sometimes called “CCPA 2.0,” does not replace the CCPA—it expands it.

Approved by California voters in November 2020 as Proposition 24, the CPRA became operative on January 1, 2023, with enforcement beginning July 1, 2023. It added several important changes, including:

  • A new category of sensitive personal information (such as race, health data, or precise geolocation), along with a right to limit its use and disclosure,
  • The creation of a new enforcement agency—the California Privacy Protection Agency (CPPA),
  • A new right to correct inaccurate personal information, and
  • Expanded responsibilities for businesses regarding data sharing and accountability.

What Are the CCPA Requirements?

To comply with the CCPA (and CPRA), businesses must:

  • Disclose the categories and purposes of personal information collected, its sources, and third parties with whom it is shared,
  • Provide access to the personal information collected,
  • Honor deletion requests, with certain legal exceptions,
  • Offer a clear opt-out mechanism for the sale or sharing of personal information, and
  • Avoid discrimination against consumers who exercise their privacy rights.

How to Prepare for CCPA and CPRA Compliance

Getting compliant requires more than just updating a privacy policy. Here are five key steps to take:

1. Conduct data mapping. Understand what personal information your business collects, where it’s stored, how it’s used, and who has access to it.

2. Update your privacy policy. Ensure your policy is easy to find, written in clear language, and reflects the rights granted by both CCPA and CPRA.

3. Build processes for consumer rights requests. Set up secure, user-friendly channels to receive access, deletion, correction, and opt-out requests. Verify the requester’s identity before disclosing or deleting anything, track the 45-day statutory response deadline, and be ready to handle high volumes.

4. Train your team. Employees, especially those handling customer data or inquiries, should be familiar with the law’s requirements and how to respond to requests.

5. Review third-party contracts. Ensure agreements with vendors and service providers reflect CCPA and CPRA responsibilities, particularly regarding data use, protection, and retention.

Navigating California’s privacy laws can be complex, but it doesn’t have to be overwhelming. Our team can help assess your compliance readiness, implement effective processes, and support your audit and documentation needs.

To learn how your business can meet CCPA and CPRA requirements with confidence, contact us.

Google CDR Security

Google Cloud Platform (GCP) and Google Workspace offer a robust suite of tools, settings, and support materials to help organizations meet the security and compliance requirements of Australia’s Consumer Data Right (CDR) framework.

The CDR is often described as the backbone of Australia’s future digital economy. Initially focused on Open Banking, it requires data holders such as banks to share consumer data securely with third-party service providers, provided those providers have obtained the consumer’s consent and hold the required accreditation.

To become an Accredited Data Recipient (ADR), organizations must undergo an independent audit and submit an assurance report from a qualified auditor. This requirement has been one of the main barriers to adoption: only a limited number of accreditations were granted in the nine months following the CDR’s launch in July 2020.

As with most standards, however, the compliance journey becomes more streamlined over time. The ecosystem matures, best practices emerge, and tools improve. While the CDR outlines what must be done, it does not specify how to do it. This article explains how to meet those security requirements using Google Cloud and Workspace solutions.

What Are the Security Requirements?

CDR security requirements span four key domains:

  • Infrastructure: Managed through GCP, this includes servers, storage, networks, and other core components.
  • Application: Your software and any third-party platforms directly supporting the CDR environment.
  • Endpoint Devices: Laptops, mobile devices, and external storage that interact with CDR systems.
  • Organizational Controls: Company-wide governance, policies, processes, and oversight activities.

Each of these areas must be addressed to satisfy the CDR’s rigorous standards for data security and privacy.

How to Implement CDR With Google Products

Google’s tools and documentation allow for building a secure, auditable environment that aligns with CDR obligations. Here’s a high-level overview of how to get started:

  • Cloud Identity: Begin by implementing Cloud Identity to manage user accounts and authentication across your organization. It centralizes identity and access management (IAM), lets you enforce multi-factor authentication and other sign-in policies, and supports centralized policy control.
  • Google Cloud Platform (GCP): Use GCP’s native controls and documentation to configure infrastructure-level security. This includes encryption of data at rest and in transit, VPC firewall rules, Cloud Audit Logs, and IAM access controls scoped to the CDR environment.
  • Endpoint Management: Set up advanced endpoint management for all user devices. Google Workspace supports enforcement of device security policies such as screen lock and encryption, remote wipe, and monitoring for laptops, smartphones, and other endpoints within the CDR environment.

To learn more about how Google Cloud and Workspace can support your CDR compliance journey, contact us.

Mental Health Awareness in the Workplace

Mental health in the workplace has gained much-needed visibility in recent years. At Sensiba, it’s a topic we talk about openly—and one we integrate into our culture through vulnerability, empathy, and intentional action.

“We are human, and vulnerability is the key to success at our business.”

One of our core values at Sensiba is vulnerability. We reinforce it in 1:1 meetings, team check-ins, and performance conversations. When team members feel safe sharing what’s challenging—personally or professionally—it builds deeper trust and drives healthier collaboration.

To help foster this self-awareness, we’ve rolled out a personality assessment rooted in the Myers-Briggs methodology. The results have been remarkably accurate and insightful, offering new perspectives on how we work best as individuals and as a team. It’s more than a fun team-building activity; it’s a tool to support communication, growth, and leadership development across the organization.

Vulnerability often starts at the top. Sensiba partner Nick Lew Ton is a passionate advocate for mental health and leads by example. He shares his experiences with the team in open forums, helping normalize difficult conversations and encourage others to ask for help when needed.

The Push-Up Challenge

To further our mental health awareness efforts, many Sensiba team members participated in the Push-Up Challenge—a campaign to support men’s mental health and break down the stigma around seeking help.

Nearly 1 in 10 men experience some form of depression or anxiety, yet fewer than half seek treatment (Anxiety & Depression Association of America, 2024). That silence is what this challenge aims to disrupt.

One of our team members, Tom Faithfull, led the initiative and shared his reflections:

“The challenge raises awareness for mental health and the reality that we all have ups and downs—despite outward appearances. It gives us a healthy outlet to open up through exercise. As someone who’s battled mental health issues most of my life, I’ve seen how much of a difference movement can make. Whether it’s push-ups, dancing, walking, or hitting the gym—every bit helps. I’m proud of the Sensiba team for logging over 5,000 reps in June. Every rep counted, and every conversation mattered.”

Tom’s leadership brought colleagues together around a common purpose and helped spark more open, meaningful dialogue throughout the firm.

Cracking the Code

Sometimes, asking for help is the hardest step. People may struggle to articulate their needs or expect others to “just know.” Using clear, inclusive language makes a difference.

Author and speaker Simon Sinek offers a powerful reminder in a short video on how to say “I need help” in ways others can hear and understand. It’s worth watching and sharing.

What’s Next?

Mental health advocacy doesn’t start and stop with a single initiative. It’s a continuous journey—and we’re committed to building on it.

If your organization is exploring ways to foster a stronger culture of wellness, psychological safety, or vulnerability-based leadership, contact us to learn how we can help.

How ISO 27001 Certification Supports and Demonstrates Cybersecurity

For companies serving customers internationally, obtaining an ISO 27001 certification provides a tangible demonstration of their ability to protect customer data.

The certification can also unlock business opportunities as companies evaluate the information security capabilities of their prospective vendors and partners.

What is ISO 27001 Certification?

The standard, known formally as ISO/IEC 27001, specifies the requirements for an information security management system (ISMS): the policies, processes, and controls an organization uses to manage information security risk. It provides an internationally recognized framework for protecting the confidentiality, integrity, and availability of information through the effective design and operation of that ISMS.

Obtaining ISO 27001 certification requires an audit by an accredited certification body, which issues the certificate after determining that the organization’s ISMS conforms to the standard’s requirements. Certificates are valid for three years, subject to annual surveillance audits.

ISO 27001 does not prescribe the specific technical safeguards an organization must deploy. Instead, it sets requirements for the ISMS itself: leadership commitment, risk assessment and treatment, documented policies, internal audit, and continual improvement, with the Annex A controls selected on the basis of the organization’s own risk assessment. Certification is therefore third-party validation that the ISMS conforms to the standard and that the organization operates the controls it has committed to.

At its heart, ISO 27001 is focused on three aspects of information protection:

  • Confidentiality: Only authorized users can access information, and only for legitimate purposes.
  • Integrity: Information is accurate and complete, and only authorized users can change organizational records or data.
  • Availability: Authorized users can access information when they need it.

The Benefits of ISO 27001 Certification

Being certified can help an organization achieve and demonstrate compliance with various cybersecurity and privacy laws, regulations, and customer requirements. In many instances, the controls implemented for ISO 27001 map directly to the requirements of other security mandates, reducing duplicate effort.

Cost-Effective Cybersecurity

ISO 27001 provides a cost-effective cybersecurity framework to help organizations understand their security risks and the steps they can take to mitigate them. This knowledge can be especially beneficial for a growing company scaling up its operations.

Investing in ISO 27001 certification can help an organization reduce its total cybersecurity costs by identifying weaknesses before they result in costly breaches and disruptions. A single security incident produces direct costs, such as containing and remediating the breach and notifying customers, as well as indirect costs from business disruption, reputational damage, and lost opportunities.

Customer Appeal 

ISO 27001 certification can provide a competitive advantage by meeting customer expectations that sensitive data will be used and protected appropriately. This lets service providers compete effectively for larger customers with strict security requirements. Certification sets an organization apart from its uncertified competitors and helps customers make more informed decisions about whom to trust.

ISO 27001 Risk Management Framework

The ISO 27001 standard offers a framework for protecting the confidentiality, integrity, and availability of an organization’s information that helps it identify and mitigate risks through the appropriate controls.

The 2022 revision of the standard lists 93 Annex A controls grouped into four themes:

  • Organizational controls, including policies and expected behaviors.
  • People controls, including screening, training, and confidentiality agreements.
  • Physical controls, including secure areas and protection of equipment.
  • Technological controls related to information systems, including hardware and software.

ISO 27001 and SOC 2: A Perfect Match for Organizations to Evidence Cybersecurity Compliance

As an internationally recognized standard, obtaining an ISO 27001 certification is valuable for organizations with global clients or operations. U.S.-based entities will often start with System and Organization Controls (SOC) 2 attestations as those are commonly sought in the U.S. market.

Whichever of ISO 27001 or SOC 2 best fits an organization’s operations and customer base, there is considerable overlap between the two frameworks. They differ in form: ISO 27001 yields a certificate confirming that the ISMS conforms to the standard, while a SOC 2 Type 2 report is an auditor’s attestation on the design and operating effectiveness of controls over a defined period, typically six to twelve months. Most organizations can benefit from pursuing both at the same time.

Bringing in an audit firm qualified to assess an organization’s compliance with both standards can help it save time and money. A review of its policies, procedures, and controls aligned with one framework gives it a head start on demonstrating compliance with the other.

Since obtaining both doesn’t require twice the time or effort, many organizations undergoing SOC 2 or ISO 27001 may include the other as a simultaneous or overlapping project.

Starting the Process to Achieve Certification

ISO 27001 certification is a valuable asset for organizations that want to demonstrate their commitment to managing information security, and implementing the standard plays a significant role in protecting sensitive data and mitigating cyber risks.

Additionally, obtaining certification can improve brand reputation, increase customer trust, and create new business opportunities. Although getting ISO 27001 certification can be a challenging process, the benefits it offers are worth the effort for companies that give high importance to data security.

Interested in learning more about how an ISO 27001 certification can help your business? Contact us.

Effective Planning for a 401(k) Plan Sponsor

As 401(k) plan sponsors plan for 2024 and subsequent years, they can take advantage of several provisions of the SECURE 2.0 Act of 2022, which builds on the original SECURE Act of 2019. These changes simplify plan administration while making retirement plans more accessible and attractive to employees.

Some of the key provisions affecting plan sponsors include:

  • Greater flexibility to increase plan benefits.
  • A delay in some provisions affecting “catch-up” contributions for high-income workers.
  • A safe harbor for correcting auto-enrollment errors.
  • Expanding eligibility for some part-time workers.
  • Making employee withdrawals easier.

Plan managers need to understand the SECURE 2.0 changes to 401(k) administration to ensure compliance with the changed regulations and their ability to meet their existing responsibilities.

Flexibility for Discretionary Benefit Increases

SECURE 2.0 allows plan sponsors to adopt discretionary amendments that increase participant benefits for a plan year after that year has ended, provided the amendment is adopted by the due date of the sponsor’s federal tax return for that year. Effective for plan years beginning after Dec. 31, 2023, this replaces the prior requirement that such amendments be adopted by the end of the plan year in which they take effect.

Catch-Up Contributions for High-Earning Workers Aged 50+

In late August 2023, the IRS announced (Notice 2023-62) a two-year administrative transition period for the SECURE 2.0 provision requiring employees age 50 or older whose prior-year FICA wages from the employer exceeded $145,000 (indexed) to make “catch-up” contributions only as Roth, after-tax contributions within the plan.

The requirement was effectively delayed until 2026 after feedback from employers and plan administrators, who said they could not build in time the payroll and recordkeeping systems needed to ensure that affected employees make only Roth catch-up contributions.

Higher Catch-Up Limit to Apply at Age 60, 61, 62, and 63

Under current law, employees who have attained age 50 are permitted to make catch-up contributions in excess of the otherwise applicable limits. Section 109 raises the limit for individuals aged 60, 61, 62, or 63 to the greater of $10,000 or 150% of the regular catch-up amount, beginning in 2025. The increased amounts are indexed for inflation after 2025.

Increased Age for Required Minimum Distributions

Under current law, participants are generally required to begin taking distributions from their retirement plans at age 72. SECURE 2.0 increased the required minimum distribution (RMD) age for participants to 73 starting on Jan. 1, 2023, and increases the age further to 75 starting on Jan. 1, 2033. IRS Notice 2023-54 provides interim transition relief for plan administrators, payors, participants, IRA owners, and beneficiaries in connection with the change in the required beginning date for RMDs.

Safe Harbor for 401(k) Enrollment Errors

Section 350 provides a grace period of 9½ months after the end of a plan year for sponsors to correct, without penalty, errors in the automatic enrollment of employees. The grace period also covers errors in the automatic escalation of contribution amounts or matching contributions for current participants.

Section 350 applies to errors occurring after Dec. 31, 2023, and should provide peace of mind for HR professionals concerned about penalties under the prior rules.

Long Term, Part-Time Eligibility Expands

Starting Jan. 1, 2024, plans must allow employees who have completed at least 500 hours of service in each of three consecutive 12-month periods (and have reached age 21) to make elective deferrals to the plan.

Employers are not required to make matching contributions on behalf of these employees, but may choose to do so.

This change means employers will have to track employee hire dates and hours worked dating back to Jan. 1, 2021, to determine the eligibility of specific employees. Employers need to consider the implications this broader eligibility may have for plan administration. It may be easier, for instance, to allow all employees to contribute rather than tracking hours to determine eligibility.

Starting in 2025, the three-year threshold for part-time eligibility will decrease to two consecutive 12-month periods.

Easier Employee Withdrawals

New SECURE 2.0 provisions allow workers to withdraw up to $1,000 from their savings penalty-free to meet personal or family emergency expenses. Only one such withdrawal is allowed per year; the employee may repay it within three years but is not required to.

Similarly, an employee affected by domestic abuse can withdraw the lesser of $10,000 (indexed) or 50% of their vested account balance without incurring the early-withdrawal penalty. This provision also allows repayment within three years.

Participants affected by federally declared disasters can withdraw up to $22,000 without penalty. The distribution may be repaid within three years; if it is not, the amount is included in taxable income ratably over three years.

For plan administrators, the penalty-free feature of these provisions reduces the need to calculate and assess the 10% additional tax typically associated with early withdrawals.

Expanding Automatic Enrollment in Retirement Plans

Section 101 requires new 401(k) plans to automatically enroll eligible employees (who may opt out). Plans established before SECURE 2.0 was enacted on Dec. 29, 2022, are grandfathered, and businesses with 10 or fewer employees, businesses in existence for less than three years, church plans, and governmental plans are exempt. The initial automatic contribution rate must be at least 3% and not more than 10%, increasing by 1% each year until it reaches at least 10% but not more than 15%. Section 101 is effective for plan years beginning after Dec. 31, 2024.

Pension-Linked Emergency Savings Accounts

SECURE 2.0 also authorizes, for plan years beginning on or after Jan. 1, 2024, pension-linked emergency savings accounts (PLESAs) for non-highly compensated employees. The U.S. Department of Labor (DOL) defines PLESAs as “short-term savings accounts established and maintained within a defined contribution plan.”

Employers can offer to enroll eligible participants in these accounts beginning in 2024 or can automatically enroll participants.

Some key provisions:

  • Contributions are made on a Roth basis (included in the employee’s taxable income when contributed, so withdrawals are not taxed). They must be held as cash, in an interest-bearing deposit account, or in an investment product designed to preserve principal.
  • The portion of the account balance attributable to participant contributions can’t exceed $2,500 (or a lower amount determined by the plan sponsor) in 2024. This figure will be adjusted for inflation in future years.
  • PLESA participants don’t need to prove they’ve experienced an emergency before withdrawing from an account. The IRS has released PLESA guidance in Notice 2024-22, and the DOL has published frequently asked questions.

Treatment of Student Loan Payments as Elective Deferrals for Matching Contributions

Section 110 permits an employer to make matching contributions under a 401(k) plan with respect to “qualified student loan payments.” For purposes of the nondiscrimination test applicable to elective contributions, Section 110 permits a plan to test separately the employees who receive matching contributions on student loan repayments.

To understand potential 401(k) plan audit implications going forward, contact us.

Top 9 Business Case Reasons for Sustainability and ESG in the Manufacturing Industry

As sustainability and environmental, social, and governance (ESG) considerations gain momentum in the marketplace and the media, implementing sustainability in manufacturing is becoming increasingly crucial for businesses. The manufacturing industry is multifaceted and can be complex, but the many benefits of ESG work apply throughout sub-segments in the manufacturing world.

Below, we outline nine of the best business case reasons for your company to start or continue your ESG and sustainability journey.  

1. Regulatory Compliance

Governments worldwide are increasingly imposing stricter environmental regulations. Europe has its Corporate Sustainability Reporting Directive (CSRD) and the U.S. Securities and Exchange Commission (SEC) has proposed climate-related disclosure rules. Additionally, California has enacted two bills, SB 253 and 261, to mandate climate-related disclosures. Adopting sustainable practices helps manufacturers stay compliant, avoiding fines and legal issues.

2. Cost Reduction

Sustainable manufacturing often reduces resource consumption and waste while generating energy savings that lower operating costs over time. Typical steps include adding solar generation, upgrading to Energy Star equipment, installing low-flow faucets and toilets, and using grey water in drought-tolerant landscaping. Adding battery storage to a solar array lets you keep operating through rolling power outages and draw on stored power during peak-rate periods.

Assessing and reducing your carbon footprint is also key. This involves measuring greenhouse gas emissions from your operations and setting science-based targets to progressively reduce those emissions. Quantifying and decreasing your carbon footprint, such as reducing energy use and business travel, saves money while ensuring compliance and improving climate resilience.

3. Improved Efficiency

Sustainability initiatives often drive process improvements and innovation, increasing operational efficiency. Investing in sustainable R&D can lead to breakthroughs in cleaner production methods and technologies. Optimizing production processes can enhance productivity and reduce waste.

4. Enhanced Reputation and Brand Loyalty

Demonstrating a commitment to sustainability and ESG can improve a company’s reputation and brand image that, in turn, can attract environmentally conscious customers and investors. Sustainable manufacturing practices can build customer loyalty as consumers prefer to support environmentally responsible manufacturers and companies that align with their values. Patagonia’s customers, for instance, are highly vocal about supporting the brand. Their loyalty and brand advocacy help market the company in the most authentic way, lowering its marketing costs.

We recently had our marketing team investigate what new marketing swag we wanted to have this year. They made a list and then overlaid which companies were sustainable, B Corp, or minority owned. The companies that weren’t didn’t receive further consideration.

5. Risk Mitigation

Sustainability efforts can help leaders identify and mitigate risks from supply chain disruption, climate change, and resource scarcity, supporting a more reliable flow of materials and reducing the impact of disruptions. For example, companies that had localized their supply chains before COVID-19 were more likely to survive the disruption and recovered more quickly.

Resilience in the face of these challenges can protect the long-term viability of the business while increasing organizational agility.

6. Access to Capital

ESG performance is increasingly considered by investors, banks, and insurance firms when making investment, lending, and coverage decisions. Companies with strong ESG practices may have easier access to capital, and lower borrowing and premium costs.

7. Innovation and Competitive Advantage

Sustainable practices can drive innovation in product design and manufacturing processes, and companies that innovate in sustainability often gain a competitive edge. Reducing your packaging or switching to recycled materials can lower costs directly and indirectly: eco-friendly packaging materials are usually lighter, so you also spend less on shipping.

8. Talent Attraction and Retention

As employees seek purpose-driven organizations, demonstrating a commitment to sustainability can attract and retain top talent. When we added our B Corp logo to our recruiting booth, students flocked to us, and other firms started to notice and ask what a B Corp was. We also have many hires that say, when weighing offers, they reviewed our Sustainability Impact Report and were sold on our company. Sustainability matters to your employees.

9. Long-term Viability

Sustainability practices are critical for the long-term viability of the manufacturing sector. As resources become scarcer and environmental pressures mount, companies that embrace sustainability are more likely to thrive.

You have been making business decisions based on financial metrics for years. Adding non-financial ESG metrics gives you a fuller picture of the health of your organization, so you can make better decisions with a longer-term view.

Starting to work through sustainability and ESG initiatives for your business is a financial imperative due to many business risks. It’s essential to analyze your specific situation, identify potential benefits and risks, set clear goals and targets, and develop a comprehensive strategy for integration. Contact us today to undergo a High-Level ESG Assessment to better understand which ESG metrics and sustainability risks are material to your manufacturing business.

Assembling a High-Performance Restaurant Tech Stack

An important way for restaurants to increase efficiency and profitability is by optimizing the technologies underlying their operations. Building the right tech stack helps keep restaurants ahead of their competition and sets the foundation for ongoing success.

Gain Real-Time Visibility and Insights

Implementing the appropriate tools provides a systemized process to optimize your workflow and provide management with real-time visibility into the company’s operational and financial data.

In turn, being able to analyze a restaurant’s operations in real-time enables rapid decisions without having to wait for data to be collected and formatted into reports that become outdated quickly. A well-designed tech stack can streamline processes, improve productivity across organizational departments, and allow management to focus more on team members and the guest experience.

Streamline Processes and Automate Repetitive Tasks

An effective tech stack also lets you automate repetitive tasks, such as processing invoices, that otherwise require manual efforts that could introduce errors in your data and reports. For example, mailing a stack of vendor invoices from a restaurant to a corporate office for processing adds needless time and cost.

Automating time-consuming processes can also help teams optimize labor costs by enabling staff members to focus on higher-value tasks. Instead of processing invoices or reconciling bank balances, for instance, the finance team can invest its time in analyzing data and preparing forecasts to support more effective management decisions.

A single-unit restaurant company is likely well served by a basic accounting package, but adding and integrating software tools increases efficiency as an operator adds locations and expands into new geographic areas.

Common Restaurant Technologies

While the most suitable tech stack will vary according to how many locations a restaurant company is operating, the most common technologies can be found below.

Back-of-House:

  • An accounting platform, such as Sage Intacct, that enables real-time data and analysis as well as budgeting and forecasting. Every day, for instance, an operator should understand key performance statistics such as sales, food costs, labor costs, and other KPIs.
  • An invoice automation tool, such as Plate IQ powered by Ottimate, to reconcile vendor invoices and manage payments.
  • A labor and schedule management platform to help you align staffing levels with expected demand.
  • A financial close management tool such as BlackLine to automate reconciliations and journal entries.
  • A fixed-asset management system to optimize the maintenance and service life of equipment such as walk-ins, grills or cooktops, and other parts of your physical infrastructure.

Guest-Facing:

  • Online ordering and point-of-sale (POS) systems that integrate with inventory and purchase data.
  • Digital menu boards that offer the flexibility to manage offerings and price changes without having to reprint menus.

As you evaluate potential technology tools, integrating and sharing data with the rest of your tech stack through APIs (application programming interfaces) offers important benefits in reducing manual processes, increasing efficiency, and reducing operating costs.

Optimizing Technology Implementations

As restaurant operators consider technology implementations, it’s important to first understand the processes they are thinking about automating and to eliminate any inefficiencies before they start an implementation. It’s a common mistake for companies to try to make their software fit an inefficient process and to blame the technology if they don’t receive the expected productivity gains.

Another common mistake is implementing a technology tool and immediately customizing it to match ingrained processes. The closer you can stick to an off-the-shelf implementation, the less you must worry about adding needless complexity to your tech stack or having an automated process broken by a future software update.

To learn more about optimizing your restaurant tech stack, contact us.

Understanding Variable Interest Entity Accounting for Private Companies

A private company with a variable interest in another entity needs to understand the accounting requirements for consolidating that entity’s financial results within its own reporting.

What is a Variable Interest Entity?

A variable interest entity (VIE) is a legal structure in which a company, known as a “reporting entity” in accounting guidance, has a controlling interest in another business, and that interest exposes or entitles the reporting entity to the economic risks or rewards of the other organization.

Typical arrangements using a VIE structure include:

  • The owner of a reporting entity setting up another entity to conduct business in another geographic region without having a legal ownership relationship to the reporting entity.
  • The owner of the reporting entity owning a building under a separate entity with which the reporting entity has a leasing relationship.
  • Other off-balance-sheet activities.

VIE Consolidation Rules and Private Company Election Impacts

Under U.S. GAAP, ASC 810 defines requirements for reporting entities to determine how to consolidate the financial results of both organizations under the voting interest and variable interest models.

In some circumstances, private companies may elect not to consolidate VIE results, but companies considering this election need to understand the requirements, and the potential implications of not consolidating, to make the best choice for their situation.

For example, a private company whose strategic plans include a future public offering may choose to consolidate its VIE results to avoid later having to unwind an election not to consolidate. Because public companies are required to consolidate VIE results, a private company that plans to become public should follow the same VIE accounting guidance as a public business entity.

VIE Reporting Considerations

Reporting entities shall evaluate entities for which the company has a variable interest under ASC 810 to determine if consolidation is appropriate. After all variable interests are identified, a company shall first use the variable interest model, then the voting interest model, to determine if consolidation is required.

  • Under the Variable Interest Model: A company evaluates whether an entity qualifies as a VIE and determines the “primary beneficiary” of the VIE. This model seeks to identify who has controlling financial interest in an entity, rather than focusing on legal ownership only. Any entities identified to be the primary beneficiary of a VIE under the variable interest model shall be consolidated for financial reporting.
  • Under the Voting Interest Model: A company evaluates whether the reporting entity has a controlling financial interest in an entity. This is typically based on the concept that a reporting entity should have the right to make significant financial and operating decisions, and it is often defined as more than 50% legal ownership.

Any entities identified as having majority ownership under the voting interest model shall be consolidated for financial reporting. Entities scoped out of the variable interest model shall be evaluated under the voting interest model.

The Private Company Exception

In October 2018, the FASB issued guidance allowing private companies to make an accounting policy election to forego applying VIE guidance when certain criteria are met:

  • The reporting entity and the VIE are under common control.
  • The reporting entity and the VIE are not under common control of a public business entity.
  • The VIE under common control is not a public business entity.
  • The reporting entity does not directly or indirectly have a controlling financial interest in the VIE under the guidance.

This policy election must be applied to all current and future legal entities under common control that meet the specified criteria. The alternative cannot be applied to some common control arrangements and not to others.

To determine if the private company (the reporting entity) and the VIE are under common control of a parent for the purpose of applying this guidance, reporting entities would only consider a parent’s voting interests in the private company and the legal entity.

Disclosure Requirements

A private company is required to provide detailed disclosures about its involvement with, and exposure to, a VIE under common control. If the reporting entity elects not to evaluate its variable interests, it must explain that, based on the ownership structure and the guidance under the Voting Interest Model, management has determined its VIEs are not appropriate for consolidation. As such, the nature of the relationship, details of transactions with the entity, and other relevant information will be disclosed in the financial statements.

If the election is not taken, common disclosures include:

  • The nature and risks associated with a reporting entity’s involvement with the VIE.
  • How a reporting entity’s involvement with the VIE affects the reporting entity’s financial position, financial performance, and cash flows.
  • The carrying amounts and classification of the assets and liabilities in the reporting entity’s balance sheet resulting from its involvement with the VIE.
  • The reporting entity’s maximum exposure to loss resulting from its involvement with the VIE (typically determined to be the debt balance for leased property).
  • If the reporting entity’s maximum exposure to loss resulting from its involvement with the VIE cannot be quantified, that fact should be disclosed.
  • If the reporting entity’s maximum exposure to loss exceeds the carrying amount of the assets and liabilities, information to allow users of financial statements to understand the excess exposure. That information should include terms that could require the reporting entity to provide financial support to the VIE.

In applying the disclosure guidance, a reporting entity under common control should consider potential exposures through implicit guarantees, for instance where it has an economic incentive to act as a guarantor or to make funds available to the VIE. To learn more about VIE consolidation and the optional elections available to private companies, contact us.

Best Practices for Year-End Inventory Counts

As December comes to a close, it’s time for calendar-year entities to perform physical inventory counts. An accurate and efficient inventory count is essential for financial reporting, tax compliance, and effective business planning. In this article, we’ll explore best practices to help streamline your year-end inventory counts and minimize discrepancies.

Planning and Organization

Before starting a physical inventory count, it’s essential to develop a comprehensive plan. Important steps include:

  • Allocate specific dates and times for the inventory count to ensure all team members are available.
  • Define clear roles and responsibilities for each team member involved in the counting process.
  • Determine acceptable variance thresholds for count and dollar values.
  • Inform relevant stakeholders, including employees, suppliers, and customers, about the upcoming inventory count to minimize disruptions.
  • Document the plan with written instructions that include reconciliation and recount procedures.

Categorize and Classify Inventory

Efficient inventory management starts with proper categorization and classification. Group items based on their characteristics, such as product type, size, or value. This makes it easier to organize the counting process and ensures no items are overlooked.

Write off unsalable items and dispose of them properly before the count begins. Ensure non-inventory items are clearly marked and separately identifiable.

Utilize Technology

Leverage technology to enhance the accuracy and speed of the inventory count. Barcoding systems, RFID (radio frequency identification), and inventory management software can significantly reduce human errors and streamline the counting process. Consider investing in technology that integrates with your existing systems for seamless data management.

Conduct Pre-Count Audits

Perform pre-count audits to identify discrepancies and address any issues before the official count begins. This helps in minimizing the chances of errors and ensures a smoother counting process. Correcting inaccuracies early on can prevent larger problems during the final count.

To make the physical count faster, some items that aren’t expected to be used before year-end can be counted a few days in advance. Pre-counted items should be tagged and placed in sealed containers. If a broken seal is noticed on the day of the actual physical count, the items in the container should be recounted.

Implement a Freeze Period

Establish a freeze period that restricts any movements or transactions involving inventory items before the count begins. This prevents additional stock from entering or leaving the premises, reducing the likelihood of errors during the count.

Train and Educate Staff

Provide clear instructions on counting methods, the use of technology, and any procedures unique to your business. A well-trained team is more likely to conduct an accurate and efficient inventory count. Ensure the teams understand the unit of measure that needs to be counted.

For example, a part that comes in boxes of 10 units might be listed in the system as a single box or as 10 items.

Analyze the Results

Count tags and results should be processed promptly, and significant variances from the books should be investigated. Recounts should be performed by a separate team or supervisor. Supervisors should perform random audits of completed counts.

Document and Communicate Findings

Thoroughly document the results of the inventory count. Note any discrepancies and investigate the reasons behind them. Communicate the findings to relevant stakeholders and implement corrective measures to prevent similar issues.

Identify Improvement Opportunities

After completing the year-end inventory count, conduct an analysis to identify areas for improvement. Solicit feedback from team members and assess the effectiveness of your procedures. Use this information to refine your inventory management processes for the upcoming year.

Other Planning and Count Tips:

  • Establish blind counts. Avoid confirmation bias by utilizing a blind count. Provide a counter with the part, location, and other relevant information, but don’t list the quantity expected to be on hand.
  • Utilize two-person teams. Assemble two-person teams to prevent fraudulent counts. Assign each team a specific area of the warehouse and provide a map identifying count zones. Two-person teams can focus on the granular counts more quickly.
  • Use prenumbered inventory tags. If you conduct a count without the aid of barcode scanners, utilize two-part tags that are numbered sequentially. One tag stays with the item on the shelf and the other is returned to the manager once complete. The tags should include the count team’s name, part number, count, and location.

The Auditor’s Role

If your company issues audited financial statements, one or more members of your external audit team will be present during your physical inventory count. They aren’t there to help you count inventory. Instead, they’ll observe the procedures, review written inventory processes, evaluate internal controls over inventory, and perform independent counts to compare to your inventory listing and counts made by your employees.

Be ready to provide your auditors with invoices and shipping/receiving reports. They’ll review these documents to evaluate cutoff procedures for year-end deliveries and confirm the values reported on your inventory listing.

Making Your Inventory Counts Count

Year-end inventory counts are a critical aspect of business operations, impacting financial reporting and strategic decision-making. By following these best practices, businesses can enhance the accuracy and efficiency of their inventory counts and improve their overall inventory management.

As auditors, we’ve seen the best (and worst) practices over the years. For more information on how to effectively perform year-end inventory counts, contact us.

AICPA Emphasizes Auditor Independence in the SOC 2 Industry

As demand grows for SOC 2 reports and the market for GRC compliance tools expands, the AICPA is reminding companies and providers about the importance of auditor independence in delivering audit and nonattest services, as well as the risks of an audit provider reviewing its own work.

The new guidance comes after market changes in which some SOC 2 readiness and audit firms are developing offerings and tools that blur sector lines by offering services traditionally done by the other type of provider. In late 2022, the most recent changes to the AICPA’s SOC 2 Guide placed a heavy emphasis on the concepts of independence and “nonattest” services in response to how much the SOC 2 industry has changed over the last several years.

Surge in Demand for SOC 2 Reports and the Rise of the SOC 2 Readiness Industry

During the last several years, SOC 2 has exploded in popularity. The combination of trends in cloud computing and outsourcing with a significant emphasis on vendor risk management has created a perfect confluence, driving exponential growth in SOC 2 demand.

This surge has spurred a whole new SOC 2 readiness industry. Numerous GRC platforms and SOC 2 readiness tools are rushing to market, some backed by major venture and private equity investors seeking to take advantage of this mini gold rush.

Because they have tremendous amounts to spend on marketing, many of the SOC 2 readiness platforms and GRC providers act as a funnel for the numerous companies that need SOC 2 reports and are referred to CPA firms to conduct audits and issue the reports.

A Focus on Independence

A pillar of the AICPA standards for audit and attestation engagements is that a CPA should be “independent” of the entity they are auditing or providing attestation services to. For example, the CPA should not have financial or other interests in their clients.

The AICPA also focuses on the important concept that CPAs should not audit their own work. In the context of SOC 2, this would mean an auditor should not implement controls, take management responsibility, or insert themselves as a decision-maker in the design and operations of a system. This makes sense as objectivity and independence are central to the ultimate value of the SOC 2 opinion.

Nonattest Services

As noted above, the SOC 2 readiness industry, which would meet the definition of a nonattest service, has been a huge money-maker. But if you look at the total opportunity, readiness is only one part of what is charged to the customer, with the audit firm getting the other portion for executing the audit and providing the audit opinion.

Some readiness platforms have seen this and have spun up their own audit firms. At the same time, some CPA firms have seen explosive growth on the readiness side and, looking to take advantage of demand, are creating readiness tools and GRC implementations to drive revenue.

Other nonattest services that need to be considered include penetration testing, vulnerability management, and incident response. All of those services are central to the control environment, and thus represent a threat to independence if such services are delivered by the same entity responsible for auditing the client’s environment.

AICPA’s Guidance for Auditor Independence

The recently updated SOC 2 Guide is the primary guidance provided by the AICPA defining SOC 2, and it is built upon the AICPA audit and attest standards, including the rules of professional conduct for CPAs. In reference to SOC 2, the AICPA has established Statements on Standards for Attestation Engagements (SSAE) that specify how the CPA should engage with their clients, perform their work, and handle client interactions effectively.

At the end of the day, the new AICPA guidance is a re-emphasis on independence and specifically focuses on the threats to independence created by nonattest services. This is especially true for auditors reviewing their own work, which is a real risk if the auditor is also providing readiness services.

The AICPA is not an enforcement agency; however, it has made clear that it views the proliferation of services central to the system under audit as threats to auditor independence when they are provided by the same CPA firm. We fully grasp this concept, and believe it is central to the objective insights and value that we provide. Contact us for your SOC 2 readiness and audit needs while ensuring auditor independence.