Service Providers

Streamline the SOC2 process

Service providers are often required to demonstrate they can be trusted to provide their services with a high degree of security, privacy, availability, integrity, and confidentiality, typically by providing the results of a System and Organization Controls (SOC2) report prepared by an independent CPA firm.

Dramatically Streamline Your SOC2 Audits

A SOC2 review can be disruptive as your organization scrambles to provide the auditors with the detailed information they require, collected from the typical patchwork of spreadsheets, Word documents and PDFs that make up many organizations' control systems. Strunk Risk Manager can dramatically streamline this exercise by organizing and automating your compliance process.

Strunk Risk Manager will transform your annual SOC2 review from ordeal to ordinary. Your executive team, your board, and you will sleep better at night knowing your organization has a well-organized, streamlined, and thoroughly documented compliance management program in place.

Automating Your Compliance Process

  1. Know Your Risks: For most service providers, the standard SOC2 framework identifies the risks your organization must address.
  2. Ensure Policies Mitigate Key Risks: Policy Manager lets you manage your policies in a cloud-hosted database, providing a single source of truth available to everyone who needs access. Policy Manager tracks changes to policies, with redline comparisons and controls over approval. Importantly, Policy Manager enables you to link individual policies and policy provisions back to specific SOC2 criteria, so you are sure you have them covered.
  3. Trust But Verify: Use Controls Manager to document your control procedures for testing policy compliance and recording test results. You can map your control procedures to your policies to make sure you have everything covered. You can map individual controls to multiple policies, since often one control addresses several policies.
  4. Prove It: Strunk Risk Manager makes documenting your compliance process a snap because it organizes all your policies into a database; maps them to the SOC2 criteria or other frameworks; and also maps them to your control procedures and tests of those procedures. It becomes easy to document how your policies cover your risks and your controls ensure your organization is following its policies.


When I was Chief Risk Officer at a $750M bank, we implemented Strunk’s ERM Solution. It brought together all areas of the risk assessment process into one easy-to-use format and we eliminated the Excel spreadsheets. I highly recommend it for any size bank.

We adopted Strunk’s Policy Manager to centralize all policies and the related policy management functions into one system. Everything is in one standard format, policy ownership and access are assigned, and policy edits, approvals, employee and board review schedules are managed from one location. Strunk was easy to work with throughout the project and was very open to adding enhancements to their program, adding value to our policy process.

Strunk’s Risk Manager program is a great product that makes the risk assessment process easy to manage and is proving to be very helpful to us.

Our policy and control structure is very complex, having both a broker/dealer and an investment advisory firm. Policy Manager allows us to easily organize a large volume of policies and maintain our control testing documentation all in one convenient place—a significant improvement over our previous process!

Strunk’s implementation of Risk Manager was excellent. Impressive software you all have developed.

Our implementation process was well organized and efficient. Our initial risk assessment template and policy upload were complete in only 8 weeks. The Strunk team was great and we look forward to using these tools!

Compliance Commandments

  1. Know your risks
  2. Ensure policies mitigate key risks
  3. Trust, but verify
  4. Prove it

Our Software