External Audits to Software Company | Barrier to Entry for Financial Services

By Dr. Patrick Desbrow, CIO and VP of Engineering, CrownPeak.

As a Software as a Service (SaaS) company gains new levels of success, it is forced to grow. You can see this from the outside as new employees come on board and the office space fills beyond capacity. Highly motivated technology professionals sit side by side, all excited about the leadership and the mission of the company. There is often a real, almost measurable, level of energy in the office, and the staff truly believe in what they are working towards. Soon come new office space and the many other rewards of such a successful endeavor.

It is also true that these highly successful companies must mature as part of this growth cycle. This means that people, process, and technology must evolve in every department, especially the engineering team. This maturity can take many forms depending on the next set of challenges the organization faces, and it often includes preparing for an external audit or a due diligence evaluation.

External Audits

An external audit can be very challenging for a small technology team. However, SaaS companies are expected to undergo audits such as a Service Organization Control (SOC) 2 examination (performed under the AICPA's SSAE attestation standards; SSAE 16 has since been superseded by SSAE 18), the Health Information Trust Alliance (HITRUST) Common Security Framework (CSF) certification, or other industry-specific assessments. A clean report or certification demonstrates the company's commitment to protecting its customers' data and privacy. It is often required of any software company targeting larger customers and can become a barrier to entry in regulated industries such as healthcare and financial services.

These audits are designed to test the processes currently in place. The processes are expected to be repeatable and highly automated. Most engineering teams accomplish this with an agile software development lifecycle (SDLC) and tools that provide continuous integration and perhaps continuous delivery. However, the auditors want to see that the process is well documented. They want a complete list (the population) of all the major events in the SDLC that relate to the creation and deployment of software to a production environment. This usually means every story, epic, and software release completed in the last year.

Auditors randomly select a percentage of these events (the sample) and perform a detailed review to determine whether the team followed the process correctly. Special attention is given to the internal review and approval workflow, where code reviews and quality assurance testing take place: the evidence must show that each sampled item actually passed through those steps. Teams that use agile tracking tools such as Jira Agile will have little trouble here. A simple filtered query (a JQL search on issue type and resolution date) is all that is needed to produce the population and the sample for the audit, and the default Jira workflow can easily be modified to add explicit code review and quality assurance statuses. Auditors also look for other controls that should be in place, such as:

  • Routine reviews of staff members' access rights to the key production systems
  • Separation of environments, so that developers do not have direct access to the production systems
  • External vulnerability scans of the software and its hosting environment, with evidence that findings were remediated
  • Routine maintenance of the key production systems, including backups and patching
  • Documented IT operations procedures, validated through change control tickets
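The population-and-sample exercise described above is easy to automate. The following is an added example (not code from the article or from CrownPeak): it reads a constructed issue-tracker export, builds the population of stories, epics and releases resolved in the audit year, draws a reproducible random sample, and tests each sampled item against the review-and-QA control. The CSV layout, status names and the audit period are assumptions for the example, not Jira's real export format. It goes one step beyond the article by also flagging items whose code review was performed by the author, a separation-of-duties check auditors commonly apply to the same evidence.

```python
"""Build an SDLC audit population, draw a sample, and test the review/QA control.

Added example, not from the article or CrownPeak. Assumes a CSV export with
the columns below (a hypothetical layout, not Jira's exact export format).
The issue data and the audit period are constructed for the example.
"""
import csv
import io
import random
from datetime import date

# Constructed export: one row per issue. `history` is the ordered status
# trail the tracker recorded, as 'status:user' entries separated by '|'.
EXPORT_CSV = """key,type,resolved,author,history
APP-101,Story,2015-03-02,alice,In Progress:alice|In Code Review:bob|In QA:carol|Done:carol
APP-102,Story,2015-04-11,bob,In Progress:bob|In QA:carol|Done:carol
APP-103,Epic,2015-05-20,alice,In Progress:alice|In Code Review:alice|In QA:carol|Done:carol
APP-104,Bug,2015-06-01,dan,In Progress:dan|Done:dan
APP-105,Release,2015-06-30,alice,In Progress:alice|In Code Review:bob|In QA:dan|Done:dan
APP-106,Story,2014-01-15,bob,In Progress:bob|In Code Review:alice|In QA:carol|Done:carol
"""

AUDIT_TYPES = {"Story", "Epic", "Release"}          # issue types in scope
AUDIT_PERIOD = (date(2015, 1, 1), date(2015, 12, 31))  # constructed audit year


def load_population(csv_text, period_start, period_end):
    """Population: in-scope issue types resolved inside the audit period
    (the equivalent of a JQL filter on issue type and resolution date)."""
    population = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        resolved = date.fromisoformat(row["resolved"])
        if row["type"] in AUDIT_TYPES and period_start <= resolved <= period_end:
            row["history"] = [tuple(step.split(":", 1)) for step in row["history"].split("|")]
            population.append(row)
    return population


def draw_sample(population, fraction, seed):
    """Random sample of a fixed fraction (at least one item). The seed is
    recorded so the auditor can reproduce exactly which items were drawn."""
    size = max(1, round(len(population) * fraction))
    return random.Random(seed).sample(population, size)


def check_workflow(issue):
    """Control test for one item: it passed code review and QA before being
    closed, and (beyond the article) the reviewer was not the author."""
    statuses = [status for status, _ in issue["history"]]
    findings = []
    if "In Code Review" not in statuses:
        findings.append("no code review step")
    elif dict(issue["history"])["In Code Review"] == issue["author"]:
        findings.append("self-reviewed")
    if "In QA" not in statuses:
        findings.append("no QA step")
    if statuses[-1] != "Done":
        findings.append("not closed")
    return findings


def run_audit(csv_text=EXPORT_CSV, period=AUDIT_PERIOD, fraction=0.5, seed=2015):
    """Population -> sample -> per-item findings, keyed by issue key."""
    population = load_population(csv_text, *period)
    return {issue["key"]: check_workflow(issue) for issue in draw_sample(population, fraction, seed)}


if __name__ == "__main__":
    for key, findings in sorted(run_audit(fraction=1.0).items()):
        print(key, "PASS" if not findings else "FAIL: " + ", ".join(findings))
```

Run against the full population (fraction 1.0) the script reports APP-102 as missing a code review step and APP-103 as self-reviewed; the bug and the 2014 story never enter the population, which is exactly the scoping argument you will have with the auditor before sampling starts.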

These represent a few of the 100-plus controls that auditors use to certify an organization. Reaching this level of maturity is a major milestone and lays the foundation for the next steps.


Due Diligence

The due diligence process is a bit different. It occurs when the company is considered for further investment or purchase by another business entity. It is an investigation that spans the entire company, with special attention to the engineering team. The senior product and technology leaders (CTO, CIO, VPs of Engineering and Product Management) must provide a unified set of presentations and other materials to demonstrate that the team has a technology roadmap that fuels a clear path to the company's continued growth. This test of maturity can make or break its chances of growing, since the new influx of cash may be required to finance the next round of critical staffing, marketing expenses, etc.

The team must focus its efforts on creating and presenting materials that tell a compelling story with enough detail to convince the outside due diligence evaluators. They want to see how the company's strategy breaks down into a set of sales, marketing, and technology objectives that are not overly complicated, and that the key managers are capable of performing the tasks. This can be accomplished with a well-crafted presentation of just a few important slides.

Start with an illustration of the technology roadmap. Include the top three to five major areas where the software platform can be improved to enable the growth. Presenting more than five major areas can suggest that too much technical debt has built up, which raises the level of risk in the minds of the investors. Next, describe how customers will benefit from the new roadmap features and how this will ensure expanded adoption across the platform. Then present the expected delivery timelines. These are important productivity metrics that the team must be prepared to commit to in order to receive the investment.

Both of these topics represent an important step in a company's maturity. Starting either of them can appear terrifying to the uninitiated. Once accomplished, the management team will be more than ready for its breakout success.
