How Bennett/Porter achieved SOC 2 compliance with minimal resources and maximum ROI

LOCATION

Tigard, OR

INDUSTRY
Software Development
SOC 2

Background

Bennett/Porter & Associates is a technology company specializing in Managed IT Services, ERP solutions (including Sage 100), and other platforms. With a privately managed cloud infrastructure and a growing client base, they faced new demands from their software vendors, mainly the requirement to obtain a SOC 2 certification in order to continue hosting client environments.

The responsibility for compliance fell on a small but experienced team: Dionne Allison, Manager of the Technology Services Team; Tom Smith, Senior Systems Administrator; and Brandon Smith, Senior Network Administrator and Cloud Architect. Each of them played a hands-on technical role in maintaining infrastructure and supporting clients, which meant the effort to become SOC 2 compliant had to fit into an already demanding schedule.

“We’re a small company, but we have a large and diverse client base,” said Dionne. “Getting SOC 2 certified wasn’t just a best practice—it became a requirement from one of our key partners. That pushed us to find a solution that could work for our unique infrastructure and limited bandwidth.”

The Challenge

Before Strike Graph, the team evaluated traditional consulting and audit prep firms. Most options either lacked the flexibility to accommodate their private cloud model or came at a price tag that simply wasn’t viable for a small business.

“We were quoted $70,000 to $80,000 per year,” Brandon shared. “That was just to get ready for SOC 2—not including the audit. It was shocking.”

Tom added, “We didn’t have prior experience with SOC 2 or internal audit frameworks. A lot of vendors expected us to already have foundational pieces in place, which we didn’t. We weren’t even sure where to start.”

Most of the early options they considered were expensive, consultant-heavy, or overly prescriptive. What they needed was an adaptable platform that could fit around their cloud architecture—and a team that could meet them where they were.

The Strike Graph solution

When they discovered Strike Graph, the team said, “It felt like one of those things that was too good to be true.” Dionne said, “But as soon as we saw the platform and met with the team, we realized this was exactly what we needed.”

Strike Graph’s platform allowed Bennett/Porter to build their SOC 2 program from the ground up, with tailored support and tools built for self-service without sacrificing sophistication:

  • Pre-built templates and documentation gave the team a strong starting point. “The policy templates alone were worth the cost,” Tom said. “Drafting all of that from scratch would have been overwhelming.”
  • Flexible scoping let them align the audit to their actual infrastructure. “We’re running a custom private cloud—not AWS or Azure—so being able to tailor what’s in or out of scope was huge,” Brandon noted.
  • Automation for 85 of 91 controls cut hours off future audit prep. “We’re managing controls through SharePoint,” Brandon said. “I just drop updated files in a folder, and it syncs. It’s basically hands-off from there.”
  • Customization of SOC 2 made it easy to streamline. “We unchecked the Availability Trust Service Criteria because it didn’t apply,” said Brandon. “Just like that, all those controls disappeared from our list.”
  • Centralized content management helped to organize years of scattered documentation. Dionne explained, “We pulled in documents we had used for cyber insurance, HR, and past audits. It was a relief to finally put everything in one place.”
  • Dedicated support became a key success factor. “Our success manager, Cayla, kept us accountable with weekly meetings, deadlines, and clear next steps. Without her, we never would’ve finished in time,” said Dionne.


Results

After less than a year of working with Strike Graph, Bennett/Porter successfully completed their SOC 2 Type 2 audit, starting from zero and finishing with a fully documented, automated, and organized compliance program.

  • Massive cost savings: “Compared to the quotes we got, Strike Graph was a fraction of the price,” said Tom. “We put in more elbow grease, but it was absolutely worth it.”
  • Significant process improvements: “We used to piecemeal everything—different documents on different platforms,” said Dionne. “Now it’s centralized, standardized, and future-ready.”
  • Faster sales cycles and new opportunities: “It’s already April and we’ve had new opportunities come in because we’re SOC 2 certified,” said Dionne. “That wasn’t something we were expecting so quickly.”
  • Stronger security posture: “Even if we weren’t being audited, our policies and processes are a hundred times better than before,” said Tom. “We now have structure, version control, and visibility.”

 

Looking ahead

With SOC 2 Type 2 successfully behind them, the Bennett/Porter team is now focused on continuous compliance. They plan to maintain their SOC 2 report annually and may consider expanding into additional SOC 2 modules or even ISO 27001 down the line.

“We were warned it would be brutal doing SOC 2 Type 2 in one year from scratch—and they were right,” Tom said with a laugh. “But having all of our controls, documentation, and automation in place means future audits will be so much smoother.”

As for how the platform influenced their broader operations, Dionne noted: “It’s changed the way we do things. We’re building new processes around compliance—before we even bring someone on, we’re thinking about how to meet those requirements.”

Key takeaways

  • Strike Graph empowered a lean, IT-focused team to complete SOC 2 Type 2 certification in under a year—without consultants
  • The platform’s policy templates, evidence automation, and customizable framework mapping made it easy to tailor controls to their infrastructure
  • Centralizing compliance documentation helped modernize internal operations and eliminated disjointed systems
  • Support and education were essential—weekly calls with a success manager helped demystify the process and keep things moving
  • Strike Graph delivered a high ROI: cost savings, improved posture, and even new leads generated through certification—all in the first few months post-audit
