FloQast Takes Financial Data Security to the Next Level With New Certification
Apr 27, 2021 | By John Siegel
It’s a big day for the FloQast team.
This morning, FloQast announced that we completed our SOC 2 Type 1 certification — a major step in the company’s history and added assurance that the FloQast application meets the highest security, availability, and confidentiality standards established by the AICPA.
For users, it’s a big deal: Publicly traded companies need to demonstrate to SOX auditors that the systems they rely upon meet security standards, and SOC 2 certification makes it easier for them to do so. For other companies, SOC 2 certification means additional confidence in the security of the tools their teams rely upon.
For FloQast, this is the culmination of a major effort on behalf of the compliance team, led by Director of Compliance Vicky LeVay. The SOC 2 initiative was one of the first projects she started on upon joining FloQast a little over a year ago. Recently, I spoke with Vicky about the work the project demanded, what it means for FloQast users and potential users alike, and what’s next for her and her team.
Why is SOC 2 important to a company like FloQast?
SOC 2 is especially important for FinTech companies like FloQast because our goal is to help companies achieve faster, easier, and more accurate financial information. When that information passes through our software, we care deeply about keeping it safe. Customers are trusting us with very sensitive information, and we take that responsibility seriously. That's especially true at a company like FloQast. We have a bunch of CPAs working here, including our CEO, who have built their careers on accounting principles and know firsthand how important financial data security is to our customers.
You've been with FloQast for a little over a year now. Where was the company with its SOC 2 certification when you joined in March 2020?
One of the first things I did when I joined FloQast was an enterprise risk assessment. That's a standard compliance best practice. I wanted to see what our biggest risks were and whether we were focusing our resources sufficiently to reduce those risks. I was really impressed with what I found. I spent eight years doing risk assessments for companies all across the U.S. In my career, I have never seen results as positive as the ones I saw at FloQast. Our executive leadership was extremely aligned on what they felt our biggest threats were. When I created a risk register and started planning actions to defend against those threats, everything we needed to do was already in progress or almost done. FloQast has a leadership team that knows exactly what they're up against and is actively combating those threats.
Next, I did our SOC 2 gap analysis and found FloQast was doing the right things to meet SOC 2 standards; they just needed to document and track them in a way that would pass an audit. Ultimately, my job became more about highlighting all the steps FloQast had already taken than actually fixing things.
Describe the collaboration that was necessary to achieve SOC 2 certification. How many different teams contributed to achieving this certification?
The reason I love compliance is it gives you an opportunity to peek under the hood of every department. I get to sit with our best experts and hear what they're proud of, what they're struggling with, and what they want to improve next. I also get to offer them backup to make those improvements when they overlap with compliance requirements. And, I get to be involved along the way to make sure we have the information and documentation needed for our audits. If compliance is the roadblock, I get to work collaboratively with people to figure out if there's another way to do things safely to remove that roadblock.
Something that's unique about SOC 2 is it's not a report that helps you avoid fines and penalties — it's a report that helps businesses grow. In my experience, people would see compliance as a way to avoid bad things, so it was necessary, but not helpful to their individual objectives. Here, there's enthusiasm about compliance. It's seen as a benefit to sales and a reason to make improvements.
What does this certification — and all the hard work that went into the process — mean to you professionally, and personally?
I feel proud and grateful. I was pushed out of my comfort zone quite a bit on this project. Working in a rapid-growth FinTech environment presents very different challenges than the large, steady, traditional organizations I've primarily worked with in the past. For example, when I ask for evidence of something, I am used to getting a screenshot showing the system is set up the way it's supposed to be. At FloQast, the evidence I get is lines of code. I've had to quickly learn new skills and get comfortable with things like rapid deployment, open-source software, and zero-trust networking. I'm giddy that I got to experience all of that. Those concepts are fascinating, and I have been elbow-deep in them for a full year. I'm grateful for that, but I'm even more grateful that I got to do it within a company of exceptional individuals. Here at FloQast, you don't have to deal with all the nonsense that comes with a toxic culture. You just get to work with smart, authentic, and strong people. That's rare, and I'm incredibly lucky to be here.
What's next for you and your team?
I'm looking forward to shifting my focus to ISO 27001 next. That framework is all about how you manage your security and compliance program — which is what my job is really all about — so that framework impacts my role more directly. Privacy laws are changing and getting stronger right before our eyes, so I will also be focused on making sure we keep up with those changes. And, I will be spending more time helping our departments get ready for IPO and all the compliance requirements that come along with that. My first compliance program was SOX, so I'm excited to get back to my roots and do some SOX work here.