Build or Buy: when do you hire a Compliance Manager?

Do you bring in a consultant to manage your compliance program, hire a full-time compliance manager, or run it yourself?

First Time SOC 2

If this is your first SOC 2, you are pinching pennies, and you are genuinely motivated to research how to execute the program, then Build is the right decision for you. It is very feasible to do this on your own. There are plenty of resources out there coaching you along every step of the way, and it is not rocket science.

If you have not gone through this before and cannot carve out 50% of your time for a solid month to manage the process (on top of the hours spent learning it), we recommend hiring a contractor.

Second Time SOC 2

If, however, you have already been the Point-of-Contact on a compliance project while holding a day job that fills your work week, you know what a poor position that is. Something has to give between family, regular work, and this extra project.

How do you avoid getting into that spot with your first, or second, or third SOC exam?

First answer the question – how bad was it last year?

If you’re happy with how it went, or if you do have that extra capacity, perhaps the ‘Build’ option is right for you.

If it was super painful last year, and your circumstances have not meaningfully changed, DO NOT tell yourself it’s going to be better this year. That’s a losing strategy.

The ‘Buy’ Option

Instead, hire a contractor (NOT your auditor; the auditor has to stay independent of the controls they are attesting to, so they cannot run your program for you) to support your company 10 hours per week leading up to and following the SOC exam. If it turns out you don’t need them, great. The cost of a contractor is FAR less than a painful SOC exam for you and your control owners.

Let’s say (just for illustration) that having the right person at the wheel reduces the back-and-forth on each evidence request by 50%. And let’s say there are 115 evidence requests, and each one takes 1 hour to provide (accounting for all the back and forth with the auditor, getting the hot potato assigned to the right person, etc.).

That saves your company roughly 57 hours of work (115 requests × 0.5 hours each).

That’s not even accounting for the cost of extraneous meetings that can be avoided with proper organization, or the value added to the final product. 

All of this requires someone at the helm who A) knows what they are doing, and B) has the time to do what they are doing.

Functions these contractors can perform include:

  • Designing controls
  • Performing quarterly control validations with Control Owners
  • Scheduling walkthroughs with the auditor
  • Providing evidence to auditor

Finding a Consultant

How do you go about finding such a consultant? 

Unfortunately, there is no trustworthy review platform for compliance consultants, the way Yelp works for coffee shops or Amazon for products, where a quick search turns up someone you can count on.

So, start by asking other companies you know and trust that have gone through a SOC 2 exam – did they work with someone? Who? What services did they provide? What was their process? What were the challenges?

You can also ask your auditor, who will often have a recommendation handy.
