How FloQast’s Compliance Department Was Built
Sep 06, 2022 | By Vicky Levay
"Compliance is different at every company; what is it at FloQast?"
This is the question that I get asked almost daily. And this was also the question that I asked myself when I joined FloQast two years ago to build our company's first ever Compliance department.
The mission was straightforward at first: Maintain our SOC 1, get our SOC 2, and establish a risk management program. In executing on those initiatives, I found myself really getting to know the company, my boss, and my new teammates, which would heavily influence what came next. Once those goals were accomplished (and the celebrations were over), we took a step back and got to work on our next initiative: Identifying how Compliance can best serve FloQast as it continues to quickly grow and build new, innovative products for our customers.
At FloQast we take a unique approach. At most B2B SaaS companies, the Compliance function is bottom-line driven: comply with laws to mitigate legal risk, deliver compliance reports that speed up the sales cycle, etc. Our approach is very different at FloQast - for us it begins with the customer. FloQast is obsessed with its customers, in no small part because so many FloQasters are former accountants who love the accounting function and want to uplevel the profession - to make it more efficient, more impactful, and more enjoyable. Everything we do as a Compliance department is influenced by this mindset. My mission at FloQast is not only to support the bottom line, it is also to support our customers and to preserve our customers' trust. To best serve our company is to best serve our customers.
Once I defined our department’s mission, I started working on our strategy. Just like the mission, our strategy started with considering what our customers want and need - so we listened to what they asked for. They wanted:
- Their data to be secure, accurate, available, and private;
- Evidence of those things being consistently done; and
- To adapt as their needs, external laws, and industry practices change.
Based on those needs, we crafted a trust-preservation strategy to include those three components: Preserve Trust = (Be Trust-Worthy + Be Transparent) * Be Responsive.
With that, we went to work!
Doing the Work
To build the compliance function we were aspiring to, we first put key foundational elements in place.
- People - We established a Compliance Advisory team, consisting of IT, Security, Legal, DevOps, and Engineering, which enabled us to make decisions and enact change as a united, cross-functional effort
- Process - We built our operational processes, including risk, issue, policy, and audit management
- Technology - We implemented our FloQast application as our internal compliance management tool to provide greater transparency within the organization
We found that the best way of operating internally was working cross-functionally, focusing on being trust-worthy, responsive, and transparent, and that is how we approach our work for our customers as well.
Trust is something you gain over time by doing a lot of things right, but that you can lose in an instant by doing one thing wrong. FloQast’s culture includes a strong sense of corporate responsibility to do all of the little things really well and consistently. The company was built by accountants for accountants, and that cannot be overstated. We have dozens of former auditors working here, and there is a company-wide drive to not just pass our audits, but to raise the bar for the auditors by maintaining the highest standard of controls intended to truly do things right.
We are extremely proud to report the following accomplishments as examples of the quality and consistency we uphold:
- We continually add SOC 1 controls to our audit in an effort to hold ourselves to a higher standard. We have added 39 controls since our first SOC 1 audit.
- In our 6 years of audit history we have never had a single finding, exception, or qualified opinion.
- Our first ever ISO 27001 audit found that not only did we meet the certification standards perfectly, but direct feedback from auditors showed we exceeded them at levels rarely seen in the industry.
If we’re going to truly do right by our customers, we have to watch the market and respond to the latest emerging risks and trends.
We have a dedicated, independent compliance function that is accountable for doing so.
For example, zero-day vulnerabilities and software supply chain attacks have recently emerged as some of the most prevalent advanced threats today. We defined a cross-functional process involving Security, IT, and Compliance to monitor and respond to these emerging risks. As a result of our increased efficiency and innovation, we have completed investigation and response, and delivered communication to customers, within 2 business days.
Privacy laws and regulations are quickly changing across the globe and best practice standards are being raised constantly. FloQast has to be ahead of those trends and we understand the need to adapt as they evolve. We excel at that! We have a foundation that enables us to support what is here today and what is coming tomorrow. We embrace new expectations, and we meet them far sooner and far better than most software companies can.
“Trust starts with truth and ends with truth.” – Santosh Kalwar
Given our wealth of audit experience, we collectively respect the due diligence efforts of our customers and love to participate in that process. Seriously.
FloQast customers don’t need to be experts in third-party software due diligence: We are! We understand what these teams care about, and we have produced the documentation and information we can hand our customers to move quickly and efficiently through their internal processes. The Compliance Department has an entire function dedicated to making sure FloQast answers all questions in a timely, accurate, and honest way that makes our customers’ jobs easy every step of the way.
We support our customers in their own audit and compliance processes in a number of ways:
- We have developed a packet of clear documentation around our controls and processes that includes the technical and regulatory information our customers need in a format that is easy to access and understand
- We proactively publish quarterly and annual updates to this documentation so our customers always have the latest information at their fingertips
- We developed a button within the FloQast application that allows customers to access all the compliance documentation they need from us on demand
- We enabled our sales organization to guide our prospects through the documents and information required for their internal Legal, Security, Privacy, and Compliance reviews
- We have worked with the Legal and Compliance teams at our subservice organizations to establish processes to provide swift access to their SOC and ISO reports for our customers’ own audits
Trust is the whole reason compliance exists, and everything we do is to achieve this goal.
FloQast's Compliance department aspires to uphold, across our organization, the principles behind the complex and quickly shifting landscape of laws, regulations, and risks, and to demonstrate to our customers that we do so in a lasting, meaningful way, so that they can rest assured that their use of FloQast is safe, secure, and compliant with the relevant laws and regulations.