Spend Advantage Podcast

How to Automatically Save Time & Money For Compliance & Audit

Varisource Season 1 Episode 53

Welcome to The Did You Know Podcast by Varisource, where we interview founders, executives and experts at amazing technology companies that can help your business save a lot of time and money and grow faster, especially bringing awareness to smarter, better, faster solutions that can transform your business and give you a competitive advantage. https://www.varisource.com

Welcome to the Did You Know podcast by Varisource, where we interview founders and executives at amazing technology companies that can help your business save time and money and grow, especially bringing awareness to smarter, better, faster solutions that can transform your business.

Hello, everyone. This is Victor with Varisource. Welcome to another episode of the Did You Know podcast. Today I'm excited to have Thoropass with us, Sam Li, who is the CEO and co-founder of Thoropass. They are essentially a compliance and audit solution, and we're super excited to chat with you, Sam.

U1

Good to be here. Nice to meet you, Victor.

U2

Yeah. So, you know, obviously compliance is a huge topic for a lot of startups, especially tech startups, but just in the last few years it has really taken off, right? Things like SOC 2, HIPAA, ISO, GDPR, and just so many different compliance frameworks. And traditionally companies have been doing that, you know, manually, spending hundreds of hours and, you know, hitting their head against the wall with all the work that needs to be done. That's right. And you have a pretty amazing solution. So why don't we kick off with your founder story and background on why you started this.

U1

Yeah, great to talk about that. And you know, as you said, right, this is a big pain point that we discovered in my prior life before starting Thoropass. And it turns out to be a big problem for many companies. So I come from a software engineering background. I was a software engineer at Goldman Sachs and at Google, in different technical roles, then went to business school at HBS and started a fintech company with a classmate. It's in the tech space. So then we raised a seed round. We started building the product. But what we realized is, as soon as we started talking to any real customers or partners of consequence, they started asking about our compliance program, our information security and privacy compliance program. They do this for all of their vendors. And that was a surprise for us, right? We are a 12-person company in New York, right? We don't have metal. We don't host our own servers. And we have very, very basic rules around compliance. But I wanted to close this deal. So I was kind of rushing to figure out what to do. You know, we learned about this concept of a SOC 2 report. And then I literally Googled around and got the best auditor, the cheapest auditor, right, if I'm honest, that I could find to complete the process. I thought this would be a six-week process, tops. Six months later, I still don't have the report.

I had to pull my software engineers off from writing revenue-generating code to write information security policy. I had to upload hundreds of screenshots to our auditor's SharePoint, Excel tracker, email back and forth. So overall, a very manual and inefficient process, and I don't think my company became more secure or more compliant after this whole exercise. So, you know, after I wound down that company, I spent a year at Bain Capital Ventures. They're an awesome VC firm here in New York. I was their EIR, entrepreneur in residence, for about a year. Basically, you know, I like to tell this joke: I went to their office, I drank their coffee and thought about startup ideas. So I did that for about a year. And, you know, I had a full spreadsheet of different ideas that are pain points that I faced as a consumer, but also as a startup operator over the past two years. And this compliance bit just kept coming back to me. It's like, what if there is a solution that behaves like a Cada or TurboTax that helps technology companies get everything they need set up and ready in a coherent experience: set up their compliance program, maintain and scale that program, as well as demonstrate your compliance posture to your customers, partners, as well as auditors. So that was the pain point that triggered me to think through this whole problem space. And I met my two awesome co-founders, Austin and Eva. Austin, very similar background to me, coming from tech, was a technology company founder before and had this problem as well, in his case with HIPAA. Right. So that is the health care law around privacy and information security that any health care organization has to follow. He was working with a large health care provider, and before they signed a contract: "Oh, I assume you guys are HIPAA compliant, right?" "Okay. Yes, of course." And, you know, he called up his lawyer, who gave him like, "Hey, you can pay us $20,000. We're going to give you a spreadsheet that has everything you need to do about HIPAA." Right. Clearly, that spreadsheet is not very actionable for his 15-person technology company, and that's not a very good way to become HIPAA compliant. So coming from the pain points that we experienced as founders in our prior companies, we desired a solution like Cada, like Pilot, that just works, to turn this otherwise very manual, you know, once-a-year consulting or consultant-driven, human-driven process into a subscription software business. And that's what we did. The company was called Laika until April this year, when we rebranded to Thoropass.

We have raised four rounds of funding, now about 180, 190 folks around the globe, serving technology companies big and small, helping them set up, maintain and demonstrate their compliance posture.

U2

Yeah. No, I mean, that was an amazing founder story, and I love to start these conversations with that because a lot of times you don't see that on your LinkedIn profile, you know. And I just feel like with all the entrepreneurs, there's always a story, there's always a problem that maybe they faced themselves that they wanted to solve. So that's great to kind of set things up. So the next question for you is really now talking about, you know, why has this become a problem? Right? Why has compliance and audit become more of a focus for companies in the last few years, especially SOC 2? Like right now, if you're a software company or any startup, SOC 2 is pretty much a given if you're doing B2B, right? But why has that been more of a focus in the last few years? Is it government driven? Is it customer driven? What do you think?

U1

Yeah, totally. And definitely that is a trend that, you know, accelerated over the past few years after Thoropass started. If you ask me, five years ago people got asked about SOC 2 once they were like Series B or a little bit bigger. Right now, this is a must-have from, you know, almost day one, right? You get your business incorporated in Delaware, you get your general liability and cyber insurance, and you get your software and compliance program, etc. So it has gone very early stage, which we witnessed over the past few years. I think the reasons are multifaceted. On one hand, you know, just overall, the digital transformation has continued to accelerate. And, you know, all the big companies are all on the cloud, which is pushing all of their vendors onto the cloud. Right. And that also gives, you know, the unfortunate consequence of that is there are more high-profile data breaches and different cybersecurity incidents that happen with real people's data and have very bad consequences. And that has pushed both the large enterprises, who are buyers of a lot of that software, as well as the regulators to be stricter and more cautious on how they manage third-party risk. And that third-party risk trickles down to all of the vendors, including the smallest, coolest company that, you know, your business people may want to use, but they have to go through procurement, which means we see more questionnaires, we see more diligence happening even at the super early stage of a company's lifecycle. We also see more requests for SOC 2, ISO 27001. Right? These are not legal standards like HIPAA, but these are frameworks where the industry creates a mix of best practices and things that can be audited. Those requirements are becoming more important and, you know, required for a longer tail of companies. And lastly, I think Thoropass as well as our peer companies promoted the idea of being compliant early over the past few years, which I think is overall making the industry a little bit safer and making folks more compliant, so that, you know, tech has a bad reputation of playing fast and loose in a lot of cases. Hopefully we can do our part to make everybody a little bit more secure.

U2

Yeah, no, that's an amazing background, and we definitely see that, which is great for your space. And again, you know, you and I have worked on several customers together, and you're talking about, you know, close to 1000 employees, or even from a few hundred to thousands of employees. And they're doing these things manually. I mean, it is sometimes just, you know, kind of shocking because it's a lot of work, right? If we really understand, for people that go through it, understand how much work it is to gather the data, forget the cost of spending on auditing, but even just gathering the data, how much time that takes. So the actual follow-up question is, how do companies manage the data collection and process today without an automation platform like yours? How do they typically do it, do you think?

U1

It's very messy, right? Because there are many, many people and different systems involved. You know, without an automation solution like ours, if you think about what type of evidence is required in an information security audit, right, a lot of it is about your systems. Do you have the correct setup in your cloud security provider, sorry, cloud service provider? Do you have the right setup for your, you know, code integration and pipelines, your CI/CD side of things? You know, there is a series of technology tools, SaaS products that you're already using that are leaving what we call the digital exhaust, right? The audit trail of things that have taken place. These are the processes and pieces of evidence that the auditors need. So that information is traditionally very hard to collect because, you know, you have to take screenshots, you have to take exports, you have to take Excel spreadsheets generated from those systems. But that's just the technical side. There are also a lot of things related to people and administrative things in your company. Every employee needs to have gone through a background check. They need to have taken security training. Right. This information also lives in dispersed systems that some humans have to go through, the process of collecting them, putting them together in a specific format for your SOC 2 audit. But next month you are going to do ISO certification. Right? They're looking at those things through slightly different lenses. And lastly, the efficiency comes from the communication and alignment with your auditor, right? Just like a financial audit, the organization that sets the standard sometimes leaves room for subjectivity. And that means a lot of times the requirements depend on which auditor you work with.

That introduces a lot of variability in how this evidence collection works because you don't exactly know what was said, what level of completeness, what level of timeliness, for example, would satisfy the audit requirement. Right. So solutions like Thoropass also eliminate that pain point because a lot of back and forth in terms of communication actually comes from the different interpretations of the evidence requirements.

U2

Yeah, no, I mean, you can see, right, automation, whether it's AI, whether it's RPA, automation can truly be amazing and save a lot of time. And honestly, you know, as I've seen how you guys work, it makes it so much easier. It just saves so much time and headaches while accomplishing, you know, things five times, ten times faster and better and cheaper. It's just, you know, a solution that completely makes sense. I think it's just that a lot of companies aren't aware that this is even available, and that's why they do it manually. It's not because they love doing it manually. They just didn't know a solution like this exists. But one of the many things that I think sets you guys apart, and the reason why we're so excited to partner with you guys, is that you guys have one of the most complete sets of frameworks in the market. You know, when you talk about HITRUST, you have a lot of compliance frameworks that other companies don't. So why was that important to you? Was that customer driven? Was that a vision you had that, hey, you just need to have all the compliance? Because what I've seen too is a customer may use a solution for one compliance, but when they need it for another, oh, they don't have it. Oh well, now I've got to go back to the manual way of doing it for that one. So what was that vision or thought there?

U1

Yeah, it's a great question. And, you know, from the beginning, we knew that although SOC 2 seems to be the most acute pain point for US-based companies, the compliance requirements are by definition multifaceted. And there are many, many compliance frameworks out there in the world. Some of them are more driven by regulations. Some of them are industry best practices. There have been numerous attempts to create the framework that rules all of them, but that usually never works because every CISO, every compliance professional has their own opinions. And also the technology is changing very fast, right?

So you need to keep it up to date. So when we built the software from day one, we had the infrastructure to support multiple frameworks, which makes adding new compliance frameworks very easy now, three years later. But we also want to pair it with the right amount of expertise as well as the offering on the audit side. So, you know, SOC 2 and ISO 27001 are the most popular. But for the health tech segment, which is a very important area that we have been investing in, solutions for HIPAA and HITRUST are very important. HITRUST is very interesting. This is a standard. This is the organization that creates the standard. And earlier this year, they launched two versions of their standard, e1 and i1, which are a little bit lighter than the traditional HITRUST. That opens up an opportunity to really increase the popularity of HITRUST among the health tech companies, the biotech companies, the smaller companies that are not the traditional sort of insurance payer and provider landscape, but are very much part of the ecosystem. So HITRUST is evolving and we want to be part of that wave. You know, we're one of the only certified HITRUST assessors in the country, and we do it in a way that is similar to how we do SOC 2: a lot of integrations, a lot of data being automatically collected. The last thing I'd say about the multi-framework is, as we start to see some of our kind of more sophisticated customers, their pain points shifted from "I don't know what to do, I'm doing this for the first time" to "I've done this before, but I need to do five audits in a year," right? And then I find myself in audit all the time. I'm chasing for the pieces of evidence. Every audit is a little bit different. You're dealing with a different audit partner. And that by itself creates a lot of inefficiency. What we did, because everything is built on the Thoropass technology platform and we have this sort of unified audit solution, you can actually do one audit and have multiple certifications or reports or assessments coming out of it. So you will just do one audit with us. If you purchase HITRUST, SOC 2 and ISO 27001, that can all be done in one audit instead of three audits if you do it the traditional way.

U2

Well, that is again, it's, you know, we have definitely seen other solutions in the market. But your approach, the vision, maybe it took a couple of years to really, for people to, because I think in the first couple of years people are even trying to figure out what is this automation compliance thing? They're even just happy they have something versus a manual spreadsheet. But then once they understood the value of it, now they want more, they need more, and I think that's where you have that vision, like you said, starting from the beginning. But one of the, I would say the biggest differentiator that I truly was just mind blown by, to be honest, is that in this space, usually, you know, you have companies that provide the software, the automation tools, right? And there are several different companies that do that, good or bad. But, you know, they focus on obviously automation, the frameworks and evidence collection that we just talked about. And then you as a customer or company have that data collection, you know, that helps you, but then you have to go hire an auditor, which is additional, you know, cost, and sometimes a huge cost, to find the right auditor for the right price, depending on the size of your company and the complexity, to also come in. But sometimes those two things, even if they, you know, work together or partner together, it doesn't work perfectly, right, because they're not synchronized. They are not one business. Right. And so that I think I want you to spend a couple of minutes on, because I think truly, you guys also have an auditing service, which is very rare. Um, and we have some concerns about that later on with some follow-up questions. But again, why did you, you know, create both of these services in one, and what's the benefit or value from having that?

U1

Yeah, I think it is precisely as what you just said, right? Like about two years into our journey, we realized, okay, great, we can have the best integration, we can have the best sort of TurboTax-like solution. But imagine you did TurboTax and then you cannot file your tax at the end. You have to, you know, print everything out and talk to a human, a different human. You know, that is not an optimal experience. Right? I personally like to call that a messy hand-off. And, you know, we heard that from a lot of our customers back in the day as well as customers that came to us from our competitors. So we went out of our way to figure out the way to create the optimal customer experience so that they can complete it end to end, you know, setting it up as well as going through the audit, in one platform, which is Thoropass. So, you know, in terms of the setup, it's not too dissimilar to the Big Four or your kind of consulting and audit practice. There is a consulting practice and there's an audit practice. These two teams are separate. Like, you know, the person who is helping you, the person who is giving you advice, cannot be the person who is grading your exam. So we have that separation. But what's important is the customers have a consistent experience and a unified user experience in terms of the software that they use on the front end. And that also eliminates any kind of discrepancies in terms of how to interpret the standards, how to interpret the evidence; that is taken away.

Because if you go through Thoropass, you connect with your AWS and you get a green checkmark on a specific test for your, you know, encryption, for example. That test, that check means a lot because the auditor has examined the process of how we collect the data, the logic of how we result in that green check or a red cross, which means that check carries weight into the audit, and the auditor does not need to do additional work or ask additional questions to test that control. The control is already tested automatically in the platform. So the fact that we have this technology and structured integration with the audit experience enables us to have that confidence to do this, you know, on the front end for the customers. That saves many, many hours in this whole process because otherwise, you know, what you get, the positive test results in your compliance automation platform, may not carry through in the audit, which defeats the entire purpose of purchasing a compliance automation platform in the first place.

U2

Yeah. So as a follow-up, as we kind of wrap up with the last couple of questions, again, you know, I love chatting with you. You know, you're such a visionary, I would say, in this space. Everything just makes a lot of sense. You know, the follow-up question to that is, can you help, again, you mentioned already, you know, obviously the company who consults shouldn't be auditing. That's kind of just, you know, something that companies would be concerned about. But obviously, every company right now is looking for ROI, right? So can you kind of give more specific one or two examples of, you know, how you make sure of the authenticity of, you know, obviously the auditing, separating the consulting, right, the data collection versus the auditing. And what are one or two true, you know, financial ROIs that companies can see? Is it by the time that you're saving equals you would have to charge less on, you know, auditing, for example, right? What is the true ROI financially that companies can expect by using you guys for both of these things?

U1

Right. So I think first of all, just to clarify, we don't do consulting, right? We have the customer success team. We have our software platform, which people can integrate with, just like any SaaS tool. Like, there is some level of service that is provided, but we don't do consulting per se for our customers. We do do the audit piece. You know, as I said, on one side, we have the most innovative auditors in the country, if I can say, right? Because this industry has been around for a while, people lived with screenshots and SharePoint and Excel trackers for a very long time. But there are people who are thinking about doing this differently, right? Those folks joined us with decades of experience at the Big Four or specialized information security audit firms, bringing that expertise so that the quality of their audit is very high. But they are doing this with the help of our technology. In terms of ROI, I think twofold, right? One is really on the fact that you save a lot of time from the evidence collection piece. You save a lot of time from your team in what we call the loops, which the auditors write. You submit a piece of evidence. It was rejected for this and that reason. You have to resubmit it again, like that back and forth. It's very time consuming. So between those two things, collecting evidence, remember, this whole thing I just described, you have to do it every year, collecting evidence as well as the back and forth from the auditor. That's a lot of savings in terms of opportunity cost. The third piece comes from the fact that, as I mentioned earlier, you can do one audit and satisfy multiple requirements, right? So, you know, some of our customers may otherwise need one full-time person just to handle audits for the whole year. Right? That person is not thinking about compliance strategy.

That person is not thinking about other more important security issues that truly require domain knowledge and expertise. That person is just paying everybody in the team to collect evidence for compliance. That process has been largely seamless, streamlined, and you only have to do it once a year. Like, that is the value prop that we provide to our customers. Obviously we're also price competitive. You know, on the front end, like, that changes on a fairly frequent, you know, the market is a fast-evolving one and we have, you know, awesome competitors that we're running against. But overall those value props are very strong so that the customers will pick us versus doing it the old way.

U2

Yeah. So maybe just to clarify one last thing. Companies can buy the software, you know, the automation software platform, on its own and maybe already have another auditor in place. Obviously they can also get the auditor, you know, service from you if they already maybe have another solution in-house, meaning they can buy these things separately. Obviously there is a true magic and power when you combine these things together, right, off you guys, but they can buy them separately, correct?

U1

They do have that flexibility.

U2

Yeah. Okay. No, that's fantastic. So this question for Sam as we wrap up here: obviously, AI is on the mind of everybody today with ChatGPT, OpenAI. There are so many ways to, you know, implement AI. Um, has that been something you guys looked into? Is that something in your roadmap, or how do you feel like AI can help your space and your industry, uh, you know, in the future, do you think?

U1

Yeah, 100%. And we started looking into this way before ChatGPT came out, right? GPT has a long history over the past few years and we're fairly plugged in. If you think about the use cases in compliance, a lot of it comes from the workflows related to the auditors, right? What they are doing a lot of times is looking for specific keywords or configurations in a policy or in an export that comes from a software tool. Those jobs are completely streamlined and drastically accelerated with the help of large language models. Right. Effectively, for some of our customers that have long policies that they need to accommodate, the first pass is completely done by the AI tool, right? Eventually, humans are involved to make sure, for some of the control testing, and make sure things are in place. But this first pass is drastically accelerated by AI, and this is really just one of the first use cases that we are exploring. Right? And as I said, because we are more integrated in this audit side of the world, there are more use cases. A lot of them are efficiency plays that we can tap into. Yeah.

U2

No, super excited. I think you had the vision years ago of where things are going, and it's coming true. So I'm sure your vision for AI is going to be amazing as well. I mean, we're super excited to partner with you guys. You know, the last question we always ask every guest is: you've seen a lot. You've done a lot. If you have to give maybe one piece of advice, whether it's personal advice or business advice that you're passionate about, what do you think that would be, Sam?

U1

Um, yeah. Well, I think it depends on the audience. For entrepreneurs, which I love, I often speak to and am friends with, it's like: be intellectually honest, right? Starting a company is very hard, and doing something innovative is very hard. You need to be intellectually honest when things are working and when things are not working. The worst you can do as a startup founder is to pretend things are working or convince yourself that things are working while they're not. That is true when you're validating a new idea. That is true when you are evaluating folks on your team. That is true when you are making strategic decisions.

U2

Well, actually, no, that's great advice. Um, you know, a lot can learn from you. We're excited about the partnership. And yeah, thanks for being on the show today.

U1

Yeah. Thank you, Victor. Great conversation.

U2

That was an amazing episode of the Did You Know podcast with Varisource. Hope you enjoyed it and got some great insights from it. Make sure you follow us on social media for the next episode, and if you want to get the best deals from the guest today, make sure to send us a message at sales@varisource.