Strunk Announces Completion of 2024 SOC 2

Strunk, LLC is pleased to share the news that we have recently completed our System and Organization Controls (SOC) 2 (Type II) Audit.

The SOC 2 audit is one of the most highly recognized standards of information security compliance in the world. It was developed by the American Institute of CPAs (AICPA) to allow a third-party auditor to validate a service company’s internal controls with respect to information security, and it has been something Strunk is proud to provide our clients for the past 13 years.

We obtained our audited SOC 2 Report by partnering with Johanson Group, who review our internal controls, including policies, procedures, and infrastructure regarding data security, firewall configurations, change management, logical access, backup management, business continuity and disaster recovery, security incident response, and other critical areas of our business.

Thanks to a team effort here at Strunk, and with the help of our trusted partner Johanson Group, we successfully achieved SOC 2 compliance and received an Auditor’s Report, which we are happy to share with all clients via our secure due diligence portal. Strunk’s infrastructure was found to meet or exceed the SOC 2 criteria. In fact, by partnering with Johanson Group, we can confidently say we go above and beyond the minimum requirements for SOC 2 by integrating our critical infrastructure to monitor compliance with the SOC 2 framework 24/7/365, not just during the audit window.

We believe the relationship with our clients must be built on trust. The successful completion of our SOC 2 Report is one of many ways that we have planned to earn and retain that trust. SOC 2 is just one aspect of our growing security program. We are committed to continually improving our information security program and retaining an annual SOC 2 audit to ensure we keep supporting our clients’ needs.

Is it time for your company’s next SOC 2 examination?

If your company is like Strunk, then a SOC 2 exam is an annual topic of conversation and the certification from your CPA firm is something you proudly provide your clients. At Strunk we have built a full-featured solution to help not only manage the policies your organization follows but to tie those policies back to the AICPA’s criteria and to your company’s own internal control procedures.

A SOC 2 audit can be time-consuming, frustrating, and burdensome. Strunk’s Policy Manager and Controls Manager modules can put much-needed structure around this process. We keep on top of changes to the AICPA criteria so that you don’t have to. If changes need to be made to your existing policies as a result of any of these updates, you can easily address those within our software, and all modifications and approvals will be captured in our logs. The application will remind specific users within your organization when control activities need to be tested, and the solution even supports breaking up this activity throughout the year so that your team is not focused on such a large task all at once.

The implementation with Strunk is extremely straightforward. Your company will submit your current policies for upload and creation within our system. If you are missing policies in any area, we will provide you with a template document for you to customize, but you will not need to start from scratch! We will work with your team to map these documents to the AICPA criteria in our solution.

Most companies are using Excel to track control activities. We ask that you simply provide this list of test procedures, and we will set them up within the solution as well. Our Policy Map will provide a linked relationship from criteria to policies to controls. Once all of your company-specific information has been uploaded and created, we will host a training webinar for your team. It’s that simple.

Let Strunk help simplify and organize this process for you so that you can focus on what you do best – serving your clients.

Solve your SOC 2 Anxiety

Getting a SOC 2 report and examination is only part of the battle; keeping up with your stated obligations and consistent re-examination means your company has to live a SOC 2 life. Throughout the year, testing, reviewing, and revising controls can take up a substantial portion of time and attention. Utilizing Excel spreadsheets, PDFs, and Word docs can lead to a nightmare of version control and compatibility issues. Utilizing proven techniques to manage your SOC 2 can and will cut down on your time utilization and the stress surrounding your consistent re-examination.

The average SOC 2 examination can take around a month of document negotiations with your auditors, followed by a week-long in-house exam. Utilizing a strong system that contains all of your pertinent information empowers your auditors with easy access to vital information while having a minimal impact on your daily routine. This information flow allows your auditors to see your control framework and testing schedules, as well as the results and evidence for those tests, giving the auditors a nearly perfect picture of your company’s readiness.

While the perfect SOC 2 examination can be hard to attain, it shouldn’t be difficult to maintain. Strunk’s GRC is one of the few tools that help to walk your company from new SOC 2 to expert. Our tools are able to help inform your process and reduce the time and effort you pay toward yearly SOC 2 obligations. Our platform has a full set of template SOC 2 policies and controls, as well as one of the most thoughtfully crafted framework management systems on the market.

Cybersecurity Maturity Model Certification (CMMC) Audits Made Easy

Recently, the US Federal Government announced plans to impose a cybersecurity audit and certificate program referred to as the Cybersecurity Maturity Model Certification (CMMC), which will be used as a standard requirement for all firms dealing with DoD data. The CMMC closely follows established frameworks, pulling heavily from the NIST CSF and 800-171 publications. The obvious advantages of using a ubiquitous framework and assessment to ensure compliance with these new regulations help to reinforce many of the best practices that firms in this space should have already been following.

Each firm must record their policies, procedures, and controls related to the NIST frameworks, showing a clearly delineated map of these relationships for auditors to follow, test, and critique. The DoD recently announced that they plan to start the audit process in 2020 with more than 60% of firms expected to have completed their requirements by the end of the year. This leaves firms with sparse time to evaluate and immortalize their processes, with a narrow window to fix non-compliant or lacking areas of their cybersecurity framework.

These moves by the Federal Government and the DoD are being widely celebrated by the cyber defense industry as a win against unintentional release of classified information, and as strong guidance for the industry to help curb its current vulnerabilities. With a long history of leaks and hacks, the government consulting and data analytics firms that make up much of the cyber defense of the country will be helping to ensure our enemies have one less tool to utilize.

With StrunkAccess Risk and Policy Manager, consulting firms are finding a tool that can help navigate through the complicated process of becoming compliant with risk frameworks, helping to protect their companies and clients. From SOC 2 to NIST to any risk framework, StrunkAccess is an elegant solution utilized to help hundreds of companies evaluate, record, and manage their risks.

SOC 2 for Companies vs CPA Firms

SOC 2 reports are becoming ubiquitous for businesses in the B2B market, creating a shared confidence that best business practices are followed and systems are developed with security and data privacy in mind. StrunkAccess GRC provides a unique SOC 2 experience, and through our conversations with clients we have seen that, predictably, CPA firms have a much different view of SOC 2 than the companies required to have the reports.


To compete in today’s market, a company must be able to satisfy its customers’ needs. With many companies now requiring third-party verifications from their vendors, the go-to responses are an assessment based on how integrated the vendor is within the operations of the requesting company and a SOC 2 report. From a company’s perspective, a SOC 2 is really just a means to lubricate the sales process and remove barriers or objections to the prospective business. While a SOC 2 audit can add value to a company by solidifying policies, procedures, and controls, the overwhelming sense our clients have relayed to us is that a SOC 2 is necessary to help increase their bottom line by doing business with more sophisticated entities.

CPA Firms

While the SOC 2 has been a big boon to the bottom line of CPA firms, many firms realize SOC 2 readiness is a time-consuming and onerous process for their clients. It also winds up delaying the SOC 2 process more than any other part of the audit, especially for first-time SOC 2 participants. Because of this, CPA firms concentrate on giving companies tools and examples that can help them fill gaps in their organizational structure. The issue arises that before a SOC 2 audit no company is fully ready; all companies need to add policies or modify existing policies to close gaps and follow the general outline of the SOC 2 trust principles. The biggest divergence that we see here is that the CPA controls for SOC 2 vary from firm to firm and can create a maze that is hard for companies to follow, even though the process with the CPA firm may be well established. The big difference here is that CPA firms are looking at a SOC 2 as an end, whereas companies view them as a means to an end.