July 2017

Skin in the Game, Part 1: Audit

By Christian Nentwich, CEO

At Duco we have a set of five core values that underpin our approach and culture. One that’s particularly close to my heart at the moment is “Service, not Software”.

Perhaps one of the most easily overlooked aspects of Software as a Service (SaaS) is that we SaaS providers have significantly more skin in the game than a software company.

We get paid on a recurring basis, so we have to perform continuously. And being paid on a consumption basis means that we eat the risk by starting low and scaling up. No big upfront fees. We have to keep improving over time.

Accordingly, in this three-part series we will look at what it means to provide good service. Part one is about audit, part two will be about proactive issue monitoring and operational management, and part three will be about how we solved the upgrade problem for a critical function.

Audit challenges
Improvements are not always about product. Case in point: we have identified audits as one of the biggest topics for our clients. As a critical control function provided as an enterprise SaaS solution, how do we make this easier?

When people think about SaaS, the cloud and risk assessments, they often think of security reviews aimed at checking how thick the vault doors in a data centre are and teams full of white hat hackers. There is a bit of that, but…

The bigger issue is maintaining auditability to keep the control environment intact, a major task in a financial institution.

After looking into audit in great detail over the last couple of years, here are some challenges we identified:

  • A cultural gap and differences of approach between Operations, Compliance and IT
  • Differences in the interpretation of rules, especially Sarbanes Oxley (SOX)
  • Regional and organisational differences in the implementation of SOC1 and SOC2, and in particular around what it means for a control to be “balance sheet impacting”
  • In general, a much bigger focus on systems security and change control than financial integrity, due to the “outsourcing” nature of SaaS and recent cyber incidents

What we are doing
At Duco, we want to be an integral part of making our clients’ audits easier. We have a stake in this, and it is a great value add. Audit can be a very time consuming activity that does not make our clients money.

So, at this point:

  • We have entered our first SOC2 audit period and expect our first report in January
  • We are preparing guidance material around Sarbanes Oxley
  • As a result of our deployments across the industry, we have been able to establish best practices in governance and operational processes
  • We are continuously rolling out platform automation features focused on control and data gathering, to reduce stress on audit days

We have always helped our clients build governance frameworks at no extra cost. The next step of this will be much broader in scope, smoothing the internal and external audit process and easing communication between Operations, IT and Compliance.

We want our clients to pass audit with flying colours – their success reflects on us.


Next up in this series: proactive monitoring; or solving issues before our clients have to concern themselves with them.