Don't Let Auditors Design Your Security Controls

Gone are the days of letting certified public accountant (CPAs) auditors tell you what security or governance controls you need to have for your organization. CPAs are not experts in security or compliance. They are experts in testing and quality assurance. Listen as Justin Beals and Sam Oberholtzer discuss some of the taboos of audit culture.  

Justin Beals: (00:02)
Hey there, Sam. Welcome to another one of our Strike Graph videocast. It's great to see you.

Sam Oberholzer: (00:07)
It's great to see you again, happy that you made it back from the mountain nice and safe.

Justin Beals: (00:15)
I did get some turns in this last weekend. There was plenty of powder out there, it was a lot of fun. Yeah.

Sam Oberholzer: (00:20)
So exciting. I cannot wait to go to Colorado next week.

Justin Beals: (00:24)
Good. That'll be fun. Well, we have kind of a controversial topic today, don't we?

Sam Oberholzer: (00:30)
Just a little bit.

Justin Beals: (00:33)
It's always fun to dig into these things. I have to say that today we're going to talk about auditors and where should you draw the line? Right. It has shocked me that auditor behavior in this marketplace, what they think they know, what they think they have a right to tell you to do, what they think they have an opportunity to do. And the truth is that I am frustrated personally that they don't even live by their own set of guidance honestly, let alone you as a consumer, you the buyer of the audit, kind of being able to understand what you get to do and decide and say and what they have to live by. And so you're going to break it down for us a little bit today, I think Sam.

Sam Oberholzer: (01:26)
Absolutely.

Justin Beals: (01:27)
Yeah. So our title of today is, know your rights, stopping auditor bullies. What is the first thing that auditors seem to really bully their customers about?

Sam Oberholzer: (01:40)
Yeah, I mean, I think speaking from being on the inside of the CPA world, especially when it comes to AICPA standards such as SOC 2, I think we are starting to notice that more and more, if not all of these audit firms are basically telling organizations what their internal controls should look like. I think that is the number one thing that is what they shouldn't be doing. That's what they should be one, getting the controls from the organizations and then two, kind of having those conversations instead of forcing the design immediately without even knowing anything about their company.

Justin Beals: (02:36)
Yeah. Let's back up here a minute, right?

Sam Oberholzer: (02:38)
Absolutely.

Justin Beals: (02:38)
First of all, an auditor is not an expert in security technology or governance practices necessarily in any organization, right?

Sam Oberholzer: (02:49)
That's correct.

Justin Beals: (02:50)
They are an expert in my mind of testing and quality assurance. And you go read the textbook, it says assurance. It doesn't say anything about, let me help you design a security practice. So I, as a chief technology officer, I'm flummoxed by the idea that a certified public accountant auditor for SOC 2 is going to tell me what level of encryption is appropriate for my database at rest. I mean, that's wrong.

Sam Oberholzer: (03:22)
And that's exactly why they don't. So they want to open up and give you controls, however, then they don't even go down the pathway of necessarily thinking about someone's controls as a whole in a certain category. So I think that's kind of where we're getting at is that auditors should not necessarily be seen as your security officers or even analysts. And that's why you hire them so that you are supposed to provide those controls, just like in Sarbanes-Oxley for public companies. I worked for a public firm there and you never saw that auditors are giving controls. You expect that they already have a program that they know, that they already have the transparency and then they're ready for audit. So it's almost like why can't we transfer that into the SOC 2 world? I don't want to...

Justin Beals: (04:30)
Well, it should be. Right. It's the same exact assurance practice. I mean, I have harped on this a ton, right? The certified public accountant that does a SOC 2 audit is not there because they're an expert in cyber security and the AICPA states that in their guidance. They're there because they are an expert in assurance practices, testing the control matrix against a standard and ensuring that. It's just like they do a financial audit, right? Same thing.

Sam Oberholzer: (04:54)
Mm-hmm (affirmative). Absolutely. Yeah.

Justin Beals: (04:55)
That's why the AICPA has set up a construct for certified public accountants to provide this service is because they do have an expertise, they just have to understand what it is. So net-net, who owns the design of your security practice?

Sam Oberholzer: (05:15)
Well, I think that's a little bit of a trick question because ding, ding it's that organization.

Justin Beals: (05:19)
It's that organization. No tricks about it, right?

Sam Oberholzer: (05:24)
No tricks, because I mean-

Justin Beals: (05:27)
It's you, it's your company, it's your security controls, it's what you want to do, right?

Sam Oberholzer: (05:33)
Absolutely.

Justin Beals: (05:34)
I look at the auditor to tell me, does it meet the standard that's different than helping me design what my security practice should be.

Sam Oberholzer: (05:43)
Absolutely.

Justin Beals: (05:45)
Let's say that you did need some expert advice though. I think that more along the lines of a managed security services provider is the type of group that could give you expertise on security practices, right?

Sam Oberholzer: (05:58)
Mm-hmm (affirmative). Yeah, absolutely. And they're not breaking any sort of independence because they're not going to be helping and assisting you with guidance or any of your questions, but they're not going to be the ones going to be also attesting to an opinion that your controls are actually operating effectively. And so it's kind of-

Justin Beals: (06:28)
If there's no independence, the whole SOC 2 audit is called into question at the end of the day, isn't it?

Sam Oberholzer: (06:37)
Exactly. Yeah. Absolutely. Because it's like this, if I'm going to take a test, I'm not going to be the student and the teacher.

Justin Beals: (06:45)
No. Right.

Sam Oberholzer: (06:46)
Right. Or if I do work and I need second eyes, I'm not going to be the one reviewing my own work and then coming to a different conclusion.

Justin Beals: (06:55)
Yeah. That's not valid at all. And I mean, I am a big fan of the AICPA and the trust services criteria that they've written and expressed. I thought it was really great that they actually delineated in their documentation that the auditor has a certain amount of practice that they are good at and capable of and they need to be independent from the organization. And they stress independence everywhere, all the time. It's a huge topic that certified public accountants need to learn, am I right?

Sam Oberholzer: (07:31)
Absolutely.

Justin Beals: (07:32)
But we see a lot of auditors traipsing all over that. I mean, look, we're not going to name names on this podcast. We said we would not name names. And I can tell you the number of auditors that are like, oh, here's a list of controls you should adopt. I'm not even talking third-party tool systems recommendations for managed security services providers. I'm talking about the biggest audit firms in the world are doing this today. Right? Yeah.

Sam Oberholzer: (08:03)
Yeah. And so, here's the thing, I see no issue if you were to do that, fine. Okay. But then you cannot hold the organization accountable for implementing everything. So that's the issue, is sure audit firms can if they want to, but they should not be giving control failures if a certain area is operating or is actually having sufficient with controls. That's why I've seen is that sure an organization does that, but then I'm seeing that the auditors and either managers are just forcing control exceptions on either design or operating effectiveness when that should never even be the issue if you're not looking at the category as a whole.

Sam Oberholzer: (08:51)
Because that is the point of SOC 2, is that they have the criteria requirements to basically be a guideline, but they don't tell you that X, Y, Z needs to be in place. They tell you that for instance, the entity includes enough security controls to fit entity objectives. That does not mean I need to implement an intrusion detection. I need to implement also a prevention, I need to implement fiber. It means that you get to choose and it's up to you, your discretion and what you think is enough due diligence based on history and prevent in future forecasting for your customer's data, that's it.

Justin Beals: (09:36)
I can name two of these security controls that are actually anti-security when they get suggested and they get suggested all the time. And suggested is a kind word, usually it's like, we're expecting you to do.

Sam Oberholzer: (09:47)
Force.

Justin Beals: (09:47)
Yeah. The two are vulnerability scans, which are a ridiculous way of imagining that you have good security. There is no automated vulnerability scan across all your networks that is giving you the coverage you need. It is a poorly operated control and it's going to give you a sense of confidence that you don't actually have. And then the second one is antivirus, there have been more hacks of antivirus software onto desktop systems than antivirus has stopped viruses and so it's just crazy to me. But they want to be seen as the expert in the room in all things. And they're unwilling to kind of own just their part, which the AICPA has asked them to. Now, correct me if I'm wrong, but the AICPA is come out with guidance around this and told not only auditors, but any system that tells you here's a list of controls you should adopt, that should not be used in a SOC 2 audit, right?

Sam Oberholzer: (10:50)
A list of controls?

Justin Beals: (10:51)
Or just like here's the recipe to pass your SOC 2.

Sam Oberholzer: (10:56)
Yeah. So, oh my gosh. There's so many frequently asked questions for auditors, but then there's also a lot of guidelines. Either around ethics and professionalism for auditors, there's reporting and examinations. I can continue, there's so many of these documents and you'll see as when you're reading through these documents, again, that the AICPA goal is to really just make sure that one, that the reporting and examinations that they do testing according to appropriate stuff. But then again, that they're not breaching ethical, professional or independence between the organization, because again, they're not those experts. They're not going to be as good as the management in that organization. They're not going to tell you what would fit for your organization, but they are going to do reasonable assurance and that's the guidelines. So actually-

Justin Beals: (12:02)
I think there's a conversation there, but net-net it's your control. You're the owner of it. You decide what it should be. Yeah.

Sam Oberholzer: (12:10)
Absolutely. So now actually, let's start discussing auditor tools that they're using.

Justin Beals: (12:18)
Okay. Before we go on auditor tools, I want a clean, simple statement for everyone to know about this. It's your security posture, you design the controls. When an auditor tells you, these are the controls you need to adopt, it is well within your rights to say, no, those are your controls, these are my controls. You can tell me if they don't meet the criteria and we can talk about how to modify them, but you don't dictate controls to me. Absolutely. Yeah.

Sam Oberholzer: (12:47)
The state statement of 2022.

Justin Beals: (12:49)
Awesome. Okay. So, now we've gotten to the, I'm going to tell you how to run your security as an auditor is an issue. Now, let's talk about the tools that they use because a lot of auditors have tried to implement technology and it's getting weird.

Sam Oberholzer: (13:09)
It is. And this is a great topic because honestly, there's going to be articles that are what these governing buys are going to start coming out. Yeah. As you can see, AICPA came out for an article around audit prep and compliance, so solutions like ourselves. So I think it's only fair that this is an appropriate time to discuss those auditor tools and to kind of facilitate that conversation moving forward, especially for those organizations that may be thinking that this is the best approach.

Justin Beals: (13:49)
So let's say, I've seen a ton of flavors of it across a lot of auditors. Some are fairly innocuous, like I just, here's a place to upload the materials that we need, like a data room. That's fairly standard and having those financial audits too. Right.

Sam Oberholzer: (14:05)
Absolutely. That's fair because that tool is an internal tool for that auditor and the organization to organize the evidence. And as you can see, there's nothing else, it's just an evidence and document repository.

Justin Beals: (14:20)
Just a file system. That's it. Yeah.

Sam Oberholzer: (14:23)
That is it.

Justin Beals: (14:25)
And that seems normal and efficient and works with any type of customer generally that has network access. If you're going beyond network access, you're going to go do literal field work, right, like go into their office and look around. Okay. But then there's the other weird side where we see sometimes people are like, oh, it's an audit management tool. Right.

Sam Oberholzer: (14:48)
Or even that they're trying to extend to a security program as well over a period of time. Yeah. So those types of tools that are either sold independently or are used for audit or trying to use outside the audit, I just think that there is a couple of precautions that our listeners can think about.

Justin Beals: (15:16)
Yeah. So, and before we get to the precautions, it's a real gray area. Right. But the AICPA, as you said, recently released an FAQ. We covered it a bunch in our last episode where they're not only talking about us, Strike Graph, how we support people as preparers and we made sure that we fit in the guidance that was coming out so that our customers trust assets could be trusted, that's net-net what the challenge could be here. Right?

Sam Oberholzer: (15:44)
Absolutely.

Justin Beals: (15:45)
But also how auditors should think about tools. So the AICPA is pretty bothered by this as well, I get the feeling. Yeah. So in this gray area zone where it's hard to tell a little what's right or wrong, what can I do to protect myself from the auditor technology.

Sam Oberholzer: (16:07)
Yeah. So if we're just talking about protection and not the precautions quite yet if they purchase or whatnot. So I think some of the items is just making sure that you strictly if you do use a tool, use it strictly for audit, nothing more, nothing less. However, but I think what they can also realize is they absolutely do not have to use the tool. And we can kind of go in-

Justin Beals: (16:36)
Yeah. We don't have to use the tool for the auditor, right?

Sam Oberholzer: (16:38)
Exactly. That they do not, that this is something that auditor firms are pushing on their customers because it makes their jobs easier. But this is something that you absolutely do not have to, and well, one, you do not have to, but then there's a little bit more into the thinking about, okay, do we really want them to have any additional information outside the audit? And the answer is no.

Justin Beals: (17:08)
Yeah. So, okay. First, really good point of where you can tell your auditor no is if they put in their contract that you have to use some software, you can say no. And as a matter of fact, I would not pick any auditor to do my audit that required me to utilize their technology.

Sam Oberholzer: (17:27)
Agree.

Justin Beals: (17:29)
And I think that I've seen auditor prices do nothing but go up no matter how much more efficient they make their internal practices. So the truth is that they're not saving you money by asking you to use their tools at all. They're going to charge you the exact same amount regardless. And so you can say no to this, and you should look in your auditor contracts to say, no. I mean, the other to your point, right, my other problem with this being contractual is that the audit contract is a one time services business. The way a business would recognize that revenue is in the moment that the audit is performed.

Sam Oberholzer: (18:17)
Correct.

Justin Beals: (18:17)
Supporting the that technology is not something you're going to get from them and not something they're allowed to really contract in an audit contract. Yeah. Okay. So we can say no to their technology. Now, but there's other issues when you choose to do this just beyond like, oh, it's a hassle or auditors are not good product people. I'm sorry to say, it can be a real hassle. But what are the other things that you're going to get stuck with when you do this?

Sam Oberholzer: (18:48)
Yeah. So I think now this a is kind of going into the realm of auditor firms that are trying to have audit prep or security, privacy and compliance program that is meant to be an internal solution for that specific organization. So this is where we're kind of getting into that murky waters of bridging the independence. But then also just to think about the precautions that may come with this.

Justin Beals: (19:20)
Yeah. I'll tell you one that I think of all the time recently, we wanted to change our auditors. And if I had had all of our security and governance practice in their technology, it would not have been possible, but because we use the Strike Graph platform and solution for our own compliance, design and implementation and practice, it was easy for me to say, oh yeah, we're working with this other auditor over here. We'd like to pick someone different. I had all my data ready to go. I just don't want to see lock in. Right. And that's what can happen I think with an auditor, you want to be able to pick a different tester.

Sam Oberholzer: (20:05)
Yeah, exactly. And so kind of going along the lines of more product type of precautions, is that okay, so say if the scenario that you decide to buy an auditor tool, one again, if that's just made for audit, then do you really have access to your data throughout the entire year?

Justin Beals: (20:30)
Yeah. They certainly don't give you access to their audit practice on that system. You're sending in all the data, but you don't really get to see what they do with it.

Sam Oberholzer: (20:41)
Exactly. And then on the other side, do you really want an auditor firm to have access to all of your data? And the answer is no, because then if you are giving more than what the auditor is asking for, then it's just going to open up more conversations, more unnecessary guests. But then also, then you're just opening up more risk to have the auditor have access to your data while you may not.

Justin Beals: (21:08)
I mean, that makes complete sense to me. When we do the really important work around a data room is that when we're in the midst of a financial audit, we set aside a data room because we don't want to give the auditor access to harvest. We don't want them to see every transaction on our books, we want to prepare the data room for them in a way to do the tests that they need to see. The auditor is not your friend. Maybe this is the big statement, the assessor, they provide an independent certification of the practice that you're doing, but they're supposed to find problems, not be your buddy. Right.

Sam Oberholzer: (21:48)
Yeah. And to be honest and just in my days, I do know that sometimes if they are your buddy, then is your program really that secure? Yeah. In a sense, if they're trying to find ways and you're not updating processes that might make things more secure that a security analyst has the expertise to provide you, then it's just like, is this really just trying to fit a criteria in the report or is it really helping you as an organization?

Justin Beals: (22:24)
Absolutely. What's even more terrifying for me is that what happens when I do go to that new auditor and all my data was in that other system and the new auditor wants to redesign my whole security practice. I mean, it's like a ground up thing. If I don't have a another environment, whether it's Excel spreadsheets that I'm managing or a really robust system, like Strike Graph, if I don't have that independent system away from the auditor where I'm designing my security practice, I know that it meets the standard. I'm able to make sure that the evidence collection activities are happening inappropriately, then I'm stuck with this audit group.

Justin Beals: (23:11)
This is one of the reasons I like ISO 27001 in some ways. And I hate to play the standards off of each other, but let's face it. I love the SOC 2 standard because it gives me the flexibility to design a security practice, but the CPAs of the world have run roughshod in my opinion, over the guidance from the AICPA. And again, I'll say kudos to the AICPA, they're doing a really good job of trying to give clearer guidance. I just don't think that CPAs are listening. Yeah.

Sam Oberholzer: (23:44)
Now, I kind of agree because I think a lot of firms that once you know the guidance and even if it updates, you kind of just still stick with, okay, let's not reassess this and let's just stick with our work papers and boom. Instead of kind of put that knowledge or just honestly just thinking about it kind of a situation.

Justin Beals: (24:13)
Any other... Yeah. Take us to the next part of this conversation.

Sam Oberholzer: (24:18)
So I think the other big thought points is around process too. So we talked about product and there's other reasons but I think the biggest take home too, is the fact that what if the organization did remove processes or had acquisitions. Then how are you going to use the auditor tool to help assess your posture? How? And so I think that's just something to think about that they're not. And again, that the auditors are going to want to hold your new process at the same standard as your other mature processes. While if you had it, if you thought about beforehand or used a different product and that you owned, then you get to put it up to standards and that you get to add different controls for that instead of having the auditor do the thinking for you.

Justin Beals: (25:15)
Yeah. They always design these systems to benefit their audit, not you as a customer managing a security practice. They're horrible at that. I mean, they'll slab something on there like vulnerability scans. But look, I can point you to a dozen free tools that do that daily if you wanted to, there's no reason to pay someone. It's kind of like pay me for my policy templates and it's like a Google search will suffice.

Sam Oberholzer: (25:44)
And so it's funny a little bit of a tangent with the vulnerability it's adding, this when you said slap on a control and make you feel better, I honestly laugh because I think that all the time, because you have these point in time, let's just call it systems or tools. Right. But then what are you doing with it? And plus it's a machine too, so how did you set it up? So it's only as good as how you designed it to look at thresholds. And so there's a lot other things that you should think about and this kind of ties everything still together that in general, you can't just get forced to a control and you have to think about the landscape as a whole in that category or requirement.

Justin Beals: (26:29)
Absolutely. Yeah. And so here's our buyer beware moment I think, Sam. It's like, okay, we understand that the goal here is to get that trust asset so that you can go and close deals, right? We want to get the SOC 2 audit accomplished. We want an ISO 27001 certification. We need some asset that we need to get to, so that's the driving motivation. Consumers of that audit or certificate imagine in their head that maybe there's a shortcut by just telling me what I need to do to get this auditor to agree that I'm audited. My problem having been a chief technology officer is that inevitably it takes longer to get the audit done because the auditor will ask you to do security practice that are not germane to your business. And that means that you have an unwieldy security practice that is harder to implement, harder to convince people to do, less efficient for your system.

Justin Beals: (27:31)
I realize that design is kind of scary, but you will design a better security practice that is easier and faster to operate if you do it yourself. And so that's why we build so much of our tooling around scoping, right? In Strike Graph you scope your security practice according to your needs. And that's wildly different than any auditor tool let alone most of the preparation tools that are in the marketplace. We're not going to dictate to you things to do that don't make a difference for your business, but allow you to identify the things that will, and then close the gap on the certification part.

Sam Oberholzer: (28:07)
Absolutely. And I think putting the ownership in that specific organization's hands and their bucket, it helps control your rights in auditor organization engagement. So knowing the fact that you do not have to... Yeah. I mean, they're your auditor, so obviously have a professional engagement, but you do not have to just take everything they tell you and just start, go to town because you think that because they're the gate keeper to basically what you need to achieve. But you still have rights and you could still push back. And in fact, if you do just take everything, then to your point, it's going to be a very drawn out process. And how do I know that? Because I manage 150 clients in one year. And every single one of them, well, I would say a good majority of them probably had, or pushed out timelines because they were not ready. They did not even know what controls they had. And then when they took our list of controls, then they tried to implement everything.

Justin Beals: (29:25)
And it didn't even fit. Right. They're like, and we got to do this thing, but I don't know that it matters, but just get it done so we can get the audit accomplished. Right. We're late as it is, oh, I hate that. Right. I know our customers get their audits done just as fast with less pain and suffering because they design a scope that fits their business. Yeah.

Sam Oberholzer: (29:47)
Honestly, I would even say quicker.

Justin Beals: (29:49)
Quicker, yeah.

Sam Oberholzer: (29:49)
Because when I look at our entire customer pool, I seriously cannot believe, like for instance, we base our program off of risk assess and that's the appropriate route because that's how you scope. Right? Risk assessment was the biggest bottleneck, the number one bottleneck on audit side, because they didn't even have it done.

Justin Beals: (30:13)
So I'm curious, in your experience being an auditor, did you ever put the risk assessment front and center, especially recently where you guys do a risk assessment and we'll decide what controls, but it seems to me more often that the auditors are like, just go do all these things.

Sam Oberholzer: (30:27)
Yeah. We would discuss the risk assessment and honestly no one had the expertise. They didn't want to think about it. The number one question to me as an audit manager would be, is this appropriate enough? I'm like, I don't know, you tell me, where are your gaps?

Justin Beals: (30:51)
That sounds scary. Yeah.

Sam Oberholzer: (30:54)
And they were serious and I'm not kidding you, Justin. That would always hold back every report to the point where I would probably say, I can't really put percentage because honestly, that's just a big blur, but it would be such an outstanding where I had to qualify those certain areas and I think they forget the main purpose of any of these reports and it's really for insights into your risk in your business.

Justin Beals: (31:21)
Absolutely. Yeah. And then Strike Graph always considers a part of our solution, our team being an advocate for you with the auditor. Right. I don't go in and do the financial audit as the CEO, I have a chief financial officer that is an expert in accounting that sat alongside people that became CPAs that do audits know how to deal with the auditor. Yeah.

Sam Oberholzer: (31:53)
And he was kind of a kicker too around controls and the fact that he brought financial. So I truly think the reason why so many auditors try fitting organizations and buckets when it comes to IT controls is because we have all this technology that they just assume can be put into buckets. And the fact that it is configurations, because when you look at financial audits, a lot of it is manual on the financial side and it's up to what they choose. And so that's why those audits are so much more different for every organization. But it's like, why can't we put that towards other aspects of audits as well?

Justin Beals: (32:43)
Well, it's certainly a vastly more dynamic and vibrant issue than a financial audit, right. We're dealing with dollars that's in some and banks and centuries of best practices in the financial audit world. I get that from an auditor perspective, AWS might look like a cloud computing system, like any other. The truth of the matter is that it's even more dangerous from someone that used to rack hardware and deploy software on that hardware in a colo facility, AWS is more dangerous from a configuration perspective, from a security perspective than any of the hardware I used to rack. Yeah. And so you imagining that, telling people that, hey, just turn on this thing and you'll be good with vulnerability scans, is not the way it works. Yeah.

Sam Oberholzer: (33:32)
And here's the kicker, the default settings in which a live organization decide to go for only is not secure.

Justin Beals: (33:40)
It's not secure.

Sam Oberholzer: (33:43)
I mean, we can go down a rabbit hole with this, but that's pretty much what I'm trying to get at too. You assume that you could fit every single organization that uses the same technology in the same bucket, but you can't.

Justin Beals: (34:03)
Okay. Your rights as a consumer of audits are designing your own security posture. It's your right to decide what your security posture should be. Your auditor can't dictate it to you. They can tell you that it doesn't meet the standard, in which case you will need to figure out how it could, but it's your security practice. Second, you have a right to refuse technology that your auditor forces on you. You do not want to store all of your security data in your relationship with your auditor, you want to put it in a place where you have control over it.

Justin Beals: (34:42)
And then I think the final thing is recognizing that you have a right to essentially negotiate with the auditor the moment of the audit and let it go. They're not living in your security practice all year. You are going to change it. You are going to modify it as you release a new feature, as you have a new database, as there are new types of data classifications happening for you. You don't have to engage your auditor around that, you can own it, manage it and design security to help support it, right?

Sam Oberholzer: (35:19)
Yes, absolutely. Yeah. Exactly, because again, your security and compliance program is for your organization. And for you to have transparency, to be ready to prove that your customers can trust what you're doing internally. And so when you do engagement in an audit firm, it is essential that you pretty much only give the information to them that is required for that audit. Because again, audit is reasonable assurance, but if you have a good security and compliance program, it is everything outside the scope of audit is just for you to make sure that you are performing appropriately to meet your own business objectives and to meet your customers I guess, objectives.

Justin Beals: (36:17)
Objectives.

Sam Oberholzer: (36:17)
Yeah. Because they rely on your services.

Justin Beals: (36:20)
They need that trust. Right?

Sam Oberholzer: (36:21)
Absolutely.

Justin Beals: (36:21)
That's why it's there. Anytime auditors behave badly, they're removing trust from the equation. They're reducing the value of the SOC 2 report that they produce at the end of the day.

Sam Oberholzer: (36:34)
Absolutely.

Justin Beals: (36:35)
Sam, okay. We got heated on this one. It was a lot of fun. I loved it.

Sam Oberholzer: (36:40)
I love being heated because it's funny, because it's not heated, it's just passionate. I seem like I'm probably angry, but I have the best in both worlds. I was on the inside before multiple organizations and I have friends that are in other organizations and you'll see that the vast majority is very similar for audit firms. And I think as we're growing, as the standards are growing, you're going to see changes and guidelines and guidance. And we just want to make sure that the auditors are performing to the best of their ability both ethically, professionally and independently. And to make sure that the organization knows their rights and so they don't feel like they're getting taken advantage of or that they have to listen to the audit firm.

Justin Beals: (37:35)
Yeah, absolutely. Okay. Sam, can't wait till next week.

Sam Oberholzer: (37:39)
Yay. All right, Justin.

Justin Beals: (37:42)
Have great weekend, have a great day.