Passing your audit is incredibly important to building trust with customers and providing competitive advantage in your market. But, preparing for them is often an exercise in manual evidence collection, working across multiple teams and separate systems, and collecting all requirements in a form that satisfies your auditor.
With Aptible Comply, the work that happens on a daily basis is easily transformed into the packet you provide an auditor. With a single source of truth for your compliance program and automation to make implementing controls easier, audits happen faster with less stress.
Fill out your name and email, and watch our on demand video to see how Aptible helps along the entire audit lifecycle:
Jeff Lesser (00:01):
Awesome. Thanks for joining us. We'll take a couple of minutes and do some quick introductions and then we'll get into the content. My name is Jeff Lesser. I'm product marketing lead here at Aptible. And today I'm joined by my colleague, Joe, I'll give him a second to introduce himself and then get into some housekeeping.
Joe Veroneau (00:16):
Hey everyone. This is Joe from the data protection team at Aptible. So I work closely with our clients who are using the compliant GRC platform to support their day-to-day compliance and security processes. I also work closely with our internal compliance program at Aptible. As we maintain our ISO 27001 certification, our SOC 2 Type II certification, and our HITRUST certification and excited to walk through simple, smooth, and effective audit with you all today.
Jeff Lesser (00:41):
Awesome. Thanks, Joe. A couple of things. We're going to have some polls that we're going to do today, so really encourage you all to interact and engage with the polls that we'll be asking. We'll also have some time at the end for questions. So if you have any questions as we're going along, I encourage you to enter those into the Q & A tool, and we will also be sending this out as a recording afterwards, in case you're curious or find something really interesting that you want to reference back to.
Jeff Lesser (01:10):
A couple of things today, we're going to go through some of the challenges that exist with audits today, and some of the features within Aptible that make audits super simple and effective. Simple, smooth, and effective, excuse me. We're also going to get into a demo of the tool and we'll show you some of the actual features and functionality that are unique to comply. And then we'll get into that Q & A. So let's go ahead and get this started with a poll. How many hours does it take you to prepare for an audit? This is a question to, I think, Rebecca, are you able to [crosstalk 00:01:49]
Yes, I just launched the poll.
Jeff Lesser (01:50):
Awesome. Thanks. This was a question that we recently asked in a survey recently, and we have actually created a new survey that we'll be sending out in a email along with the recap of the webinar. And we encourage everyone to fill out that survey. You'll get the report early, and you'll also get exclusive results in data from that report from everyone who had filled it out. And so we'll send that link and we encourage you to complete that survey with this question. How many hours does it take you to prepare for an audit? Some things to consider is like how long do you spend with clients, collaborators compliance collaborators? How long do you spend doing back and forth with your auditor? Do you continuously prepare things throughout the year or when an audit is coming up do you to spend a month of time collecting everything that you need? So we'll let people answer for a couple more seconds and then we can close out the poll.
Looks likely that almost everyone has filled it out. So, make sure to get your answer in there.
Jeff Lesser (03:06):
Is there a way to show it?
Yep. I can do that right now. So you should all be able to see.
Jeff Lesser (03:18):
I am unfortunately using a tool that doesn't let me see it. Could you summarize it for me?
Yeah, sure. So we had about 44% of the attendees said it actually takes them more than 100 hours to... I should probably turn my video back on. More than a hundred hours to prepare for an audit. And then we had an even split between the rest. So about 22% said between 50 to 100 hours. And then other folks said between 11 to 25. So it seems like most of the audience is kind of like 50 hours plus that they're spending on preparing for audits.
Jeff Lesser (03:54):
Awesome. Thanks. Interesting. Let's share the screen and get back into the presentation. When we did the survey previously, we got relatively similar results. About a quarter of people were 50 to 100 hours and a quarter of people were like 26 to 50 hour range. So, about half of people are 26 hours or more in order to prepare for an audit. I'll turn it over to Joe. And Joe can talk about the challenges that people are facing in those hours that they're preparing for an audit as well as some of the ways that Comply can help make that easier.
Joe Veroneau (04:41):
Awesome. Thanks, Jeff. Yeah. So the goal here is to walk through some of the strategies we've found or some ways to think about preparing for an audit that will hopefully chip away at that large block of time required to get ready. Some of this will probably seem self-evident that you need to give policies to your auditor as a part of the audit, but I think some of the ways that we've started to think about organizing and classifying information for your security programs should help with preparing for audits. So the initial visual we have here is thinking about policies, controls, and procedures, and really giving all of that information to an auditor prior to an audit. Sometimes it's challenging to even track down where all the documentation is. The policies are in a Google Drive. The controls are in a spreadsheet that you had pulled together to give to the auditor the previous time around. And then a lot of the procedure level information is living in confluence or an internal Wiki of what people are actually doing on a day-to-day basis to implement those controls.
Joe Veroneau (05:36):
And the visual here is how we start to see those three pools of information coming together for a more structured set of data. And so I've seen this also be represented as more of a pyramid, but what I like about the concentric circles here is on the outside, we have policies which we view as really those documents saying, why are we doing these activities in the first place? What is our human resources, security policy? And what are objectives and the risks we're addressing as a business? And then within that policy, we would see a set of really concrete control statements, trimmer, what you're looking to do or accomplish. So employees are going through background checks before they're onboarded as to control statements.
Joe Veroneau (06:13):
And then ultimately every control should have some type of procedure. You can clearly see how are we actually completing that background check and who is responsible and accountable for it. And so we like to try to organize this information into three separate sets each that can have their own owners, but ultimately can get pulled together at the end of the day into a comprehensive manual or policy. A policy manual, all of that information that can be easily shared and delivered to an auditor to evaluate that. So tying policies, controls, and procedures into one central inventory or document can be a really easy way to get the right information into the auditor's hand, really thinking through, why are we doing this in the first place? What are we looking to accomplish through our controls? And then ultimately, how are we going to accomplish that on a day-to-day basis? So this model hopefully is helpful in terms of thinking through the things that will definitely need to be pulled together, leading up to an audit, in particular, the connection between them.
Joe Veroneau (07:15):
The next one, that's always a challenge leading up to the audit is the asset inventories. And I think one challenge with the asset inventories is they're updated, leading up to an audit or tried to be updated throughout the year. But they quickly become out of date as business processes change, as new technologies are implemented and as new people join and leave the organization. And so at the visual here outlines is, one, trying to think through how can you best automate keeping those asset inventories up-to-date throughout the audit period and not scrambling to slap a new coat of paint on the asset inventories, leading up to the audit? But also, thinking through how do we really create this and make sure there's ownership and accountability for new records or new technologies that are being onboard and making sure they get represented into that asset inventory? One thing that's really, I think important to think about with the asset inventory is particularly leading up to an audit, is the concept of scope and making sure that what is included in the asset inventories and deliver it to the auditor is ultimately what's in scope for your program.
Joe Veroneau (08:19):
This is where I think there can always end up being a lot of back and forth of maybe the asset inventory had too much information in it. And the auditors drawing samples from assets that are out of scope. And that's where we can see a lot of that friction of there's this initial wave of pulling together the policy manual and the asset inventory to give to the auditor. But then there's follow-up questions and sampling and making sure that the underlying inventories, that information have been up-to-date. So time spent with sampling or digging into individual records in the asset inventories is a fruitful exercise.
Joe Veroneau (08:50):
And then on the right side of this visual, we're really seeing the natural relationship between a lot of these asset inventories, which is harder to see when managed in a spreadsheet or in like customized systems for asset inventories. Is really knowing that every vendor is supplying a SaaS system and understanding the relationship between a vendor and the SaaS system they're providing and organizing and classifying the relevant artifacts and attributes into those separate, but connected inventories. So spending some time thinking through, not just your current asset inventory, but how you're going to make sure that, that asset inventory is a living and breathing document that doesn't require dropping everything to spend 20 hours updating it a couple of weeks prior to the audit.
Joe Veroneau (09:37):
And then the other piece is when we think about any of the asset inventories. Within every asset inventory, there's a set of procedures that are ideally happening throughout the audit period. As new employees are onboarded, onboarding procedures are being triggered. As new SaaS systems are onboarded, they're being evaluated in terms of what the ideal authentication mechanism for those SaaS systems will be. And one that we've drilled in on here is really the vendor review process. So we're seeing how procedures for vendor management can be attractor implemented as it relates to that vendor inventory and seeing really the first two boxes there of like screening and vendor onboarding. We're typically seeing combined into almost one step of, if the screening of the potential vendor is good to go, then you move forward with the onboarding. Potentially canceling the onboarding of a requested vendor doesn't meet the minimum requirements of the organization. And then having a very concrete monitoring or review of at least once a year, trying to potentially schedule that throughout the year.
Joe Veroneau (10:39):
So it's not two weeks or a month before the audit needing to run around and get all the SOC 2 reports or do the vendor reviews. So trying to have some type of cyclicality related to the vendor reviews and spreading them out throughout the year, whether that's based on the period of the SOC 2 report or the contract with the vendor. So the vendor monitoring and review can, I think be another area where it takes a lot of time getting ready for the audit, if you haven't revisited that particular topic since the last audit.
Joe Veroneau (11:05):
And then the last one we call it here is the termination of vendors, which I think a lot of the audit process focuses on the policies and procedures for new vendors and doing the reviews of vendors, but starting to really think through what vendors are we not working with anymore, what vendors have we off boarded and ensuring that any of the relevant artifacts or documentation that needs to be collected for off-boarding are also getting logged into those asset inventories. So really, as you refresh those asset inventories, thinking through the procedures that are relevant to those different types of assets and confirming that all off the right documentation is in place.
Jeff Lesser (11:41):
Yeah, Joe, one thing I would love to add in here is that like, it's sort of, I don't know, like use or lose it mentality, where you need to be doing these onboarding reviews before you onboard a vendor. And when you're doing vendor onboarding, you need to go through the checklist of all the right things to do. If you don't do it in that moment, when it comes time to do an audit and you're trying to go back and scramble and prove that you were doing these things that you ultimately may have not have done. If you don't have a system that makes it easy to have the procedures in place that get kicked off automatically when a new vendor is identified in the system, then you'll be ticking yourself come audit time because you won't have done the thing that you were supposed to do, and it won't have happened automatically for you.
Joe Veroneau (12:28):
Exactly. Thanks, Jeff. And then just to dig in a little bit more to that vendor maintenance piece. Ideally, there's some type of automation that's supporting with this. If any time a new vendor or new SaaS system is identified in an external system like Okta, at least triggering of some type of automated reminder or notice. So you can review, does this require an onboarding, a more rigorous onboarding process based on the type of vendor or the type of SaaS system? And erring on the side of creating an alert that can be canceled out, or you can indicate that this is exempt from the onboarding process. And making, ensuring that your onboarding processes for new people and technologies is not reliant on someone having a manual trigger or remembering to complete it. So having smart triggers and alerts that allow you to see, here's a cue of what at least in theory should be happening for all of our vendors, but potentially scaling that back to a subset of critical vendors or high risk vendors that you really go through with a fine-tooth comb.
Joe Veroneau (13:28):
So I think the big takeaway from this pretty clear slide is thinking about automation and what are the smart alerts that you can insert earlier on into the process. Maybe it's when finance gets a requests to allocate budget for a new vendor, that security is notified and really moving the security review earlier on in the process and having a sure-fire way to be notified when a new potential candidate for our security review is entering into one of the asset inventories, particularly as organizations grow and business objectives change, starting to rely on more and more SaaS vendors. This is one that can inspire a lot of control very quickly of not even knowing what should be in the asset inventory in the first place. And without a smart alerts or a repeatable process for how new SaaS systems and vendors are onboarded, it can be very hard to maintain that underlying asset inventory let alone the set of procedures that should be happening as it relates to newly onboarded critical or in-scope vendors and SaaS systems.
Joe Veroneau (14:31):
The one that we'll touch on just very briefly, which I think would be remiss not to mention as a part of preparing for an audit is thinking about the risk assessment. I think this is typically similar to the asset inventories, where organizations view, now once a year, let's really dig into the risk assessment and do a refresh and determine our risk treatment plans for the year. But really relying, updating, or refreshing that risk assessment throughout the year as new vendors are onboarded considering, does this new outsourced service we're bringing in elevate to the point of needing to really log a risk that will be treated within our risk inventory or based on changes to policies and controls that are happening as a part of the annual policy and control refresh? Are there risks that are either better treated or based on their performance of controls over time?
Joe Veroneau (15:16):
Do we need to really elevate a risk that we may not be having as much control or coverage surrounding? So really having the risk assessment be foundational to the preparation for the audit, being able to discuss your controls and policies in the context of the underlying risks that they're addressing, can be another way to also facilitate getting the right people in the room prior to the audit. And considering are we in agreement that these are the risks we're facing as a business and tuning up the risk assessment does also another type of asset inventory, the inventory of risks and getting that updated and approved. And so that's another piece that I think oftentimes becomes a snag in the road leading up to the audit that, it's time to refresh the risk assessment. We're running out of time. Pulling everyone together at the last minute. So really having that be a more standalone or repeatable process, that's not directly correlated to the audit cycle.
Joe Veroneau (16:10):
And then from my experience, what I've always found is, a lot of the time consuming aspects of the audit processes, just getting the information pulled together and then throwing it over the fence to the auditor and managing that audit requests list. Particularly when it's a time-bound exercise. You've got one week with the auditor and you're scheduled and you've got to get them everything and go through the process. Oftentimes you see people building trackers or progress trackers and assigning out ownership and trying to almost build a system in and of itself for managing the audit requests list. And I've seen quite a few auditors as well that have been spinning up systems that are helping to facilitate with progress tracking and sharing the documentation. And so that's a piece that I'm ultimately trying to avoid reinventing the wheel when it comes to project management and tracking your progress.
Joe Veroneau (16:57):
Ideally, having an easy way to demonstrate all of the evidence and documentation that you've collected throughout the audit period and not having the document exchange and pulling the documents together, be this time-consuming process in and of itself. The other thing to take away here I guess, is, so the documentation that's being shared ultimately is sensitive as well. The risks that your organization is facing, if you've documented detailed risk statement or results of vulnerability scans that are being evaluated by the auditor, trying to keep these requests lists from spiraling out of control in terms of where those documents are stored and shared. It can be another piece of the process of really thinking through keeping like confidentiality and protection around sensitive pieces of evidence that need to be collected and shared with the auditor is another thing that's kind of top of mind with preparing for those audits as well.
Joe Veroneau (17:52):
This is where we did want to highlight some of the partnerships and relationships that Aptible has started to build with auditors, who are auditing a number of our clients. And really trying to streamline that relationship where, and that don't want to throw the scrambled egg over the fence at the auditor where they need to piece together. Where are the policies? Where are the controls? When was the last time the asset inventory was updated? And trying to streamline the process so the auditor can really focus on evaluating the design effectiveness of the controls as well as evaluating the operating effectiveness over time and removing some of that friction there. So one group that we've worked with briefly from a HITRUST perspective is being able to set our clients up with NCC Group to really understand the data structure within Aptible and where the clients would be storing their policies and procedures, as well as the evidence that's collected throughout the period.
Joe Veroneau (18:42):
And then another group that we've worked with closely is Linford & Co. Particularly from a SOC 2 perspective of having a request list and a process where they're comfortable with being able to facilitate the collection and organization of all of those relevant audit artifacts directly within Aptible Comply. And really skipping the step of needing to go into an external system, download all of the pull requests from GitHub, save them into a CSV, share it with the auditor. The auditor then needs to evaluate that spreadsheet, pick a sample from it. So really trying to streamline that document exchange and back and forth. Because I think in the ideal world, you're focused on managing your program over time and keeping your information up to date and operationalizing your controls. And the auditor is spending their time evaluating the design and operating effectiveness and not facilitating this painful document exchange and a game of Go Fish of them asking for documentation. And then you running to try to track down where it might exist.
Joe Veroneau (19:41):
So we really view our relationships with auditors here, as a way to streamline the document exchange and really allowing the auditor to focus on the contents and ideally provide meaningful and actionable opportunities for improvements or providing recommendations or findings in terms of inevitably maturing your program over time and addressing the issues that come up along the way.
Joe Veroneau (20:09):
And then just to wrap up the discussion surrounding audits. I think the one piece that can be really helpful to think through, which is more, I guess, solving a problem for your future self is after the audit wraps up, taking time to really think through, how will we manage the results of this audit, particularly findings, recommendations, or opportunities for improvement? And getting those documented and centralized in a location where you can be managing your full program and not... Like at the end of the SOC 2 type II, I take a week of vacation. I need to reset everything before I enter back into day-to-day life.
Joe Veroneau (20:46):
So really thinking, taking some time after the audit wraps up to take findings and lessons learned from that audit process and centralized them in a location where you can track progress. And not losing sight of maybe the opportunity to have essentially a clean slate for your type II period of what do we want to implement early so we can avoid painful snags in the future. So taking some reflective time after the audit and in particular items you'll need to answer to in the future, getting those centralized alongside the rest of your procedure documentation.
Jeff Lesser (21:19):
Awesome. Thanks, Joe. I want to quickly highlight a customer of ours Data Republic, who was using Comply for a lot of that, like continuous monitoring of controls and continuous collection of evidence. That you are doing the things that you need to, that you're ultimately going to deliver in your audit. And so they said they're saving time by collecting evidence once to use towards these multiple audits that they're doing across certifications. And that Aptible Comply, helped them get the integrations that they need set up so that they could automate that populating of their inventory assets and the collecting of the evidence that they ultimately needed. And Data Republic gave us some stats where they were able to cut the time of their audit by, I think it was about a third, 33% by using Comply.
Jeff Lesser (22:08):
So let's get into the demo next and we can actually like show the tool and how it's going to make doing an audit super simple for you. So I'm just going to sneak over here to the optimal Comply tool. Right now, what we're looking at is a framework dashboard. So this one is particularly about ISO 27001. And you can see here that we have this listing of all of the requirements in the framework, and you can see over time the evidence that's being collected and the things that need attention or the things that are okay. You can also see everything exceptions, nonconformity is available as well.
Jeff Lesser (22:49):
And so this is sort of like that end state that you want to be able to get to where you're continuously monitoring your control throughout the year. So that ultimately when you do your audit, which we'll show at the end here, everything is super simple. The way that we get here is by starting with the policy manual. And this policy manual is going to include all of your controls, all of your policies, and all of your procedures. And so this is a super simple way to be able to see how everything works across all of your frameworks.
Jeff Lesser (23:26):
And if you want to go into like the procedures related to those policies, for example, here's a whole list of procedures that you're able to create. Some come out of the box, you're able to edit them or create new ones that you'd like. So that maintaining those policies executing policies through procedures is super simple. Here is your controls. And now you can see for all of your controls, the same dashboard style, like collection of evidence, things that you need to do throughout the year. So now that you've got a policy manual in place, you're going to do some sort of integrations, whatever's relevant to your business. So in this demo example, we've got integration set up for Okta and for GitHub and for Jamf. As well as API events that are coming in, integrations there. And what these integrations enable you to do is automate the population of your asset inventories.
Jeff Lesser (24:27):
And so now we can see if we were to go into SaaS systems, for example, Okta has populated our entire list of vendors, SaaS systems. So we can do the vendor onboarding and maintenance that Joe was talking about. Once you've got these integrations that are automatically populating your assets, you can also use them to do automated evidence collection. And so if we go and look at the automations that exist for our integrations, here's one device enrolled Jamf is telling you whether a device is successfully enrolled or not. And in this case, if the data comes back a certain way, we're saying that it's mapping to the condition of, okay. And so that evidence is good to go. This automation ultimately populates your evidence inventory.
Jeff Lesser (25:22):
And you can see here on the evidence inventory for all of our SaaS systems, for all of the integrations and automations that we have set up, there's a unique piece of evidence. So here's one related to the pull requests that are happening from GitHub. And you can look at the payload and you can have the details automatically and put it into comply that like this piece of evidence is okay, this poll request that happened is good. So once it comes time to do your audit, you've got all of the evidence that you need in the system already to be able to fulfill the request list. And so coming into an audit, you could upload, you can create a new audit and you can give it a name.
Jeff Lesser (26:13):
You can give it a coverage period. And so the coverage period will make it so that it will pull the evidence based on what the system knows from that timeframe. And so we'll just do the beginning of the year to now, and then we can give it a ticket's due date. So anything that generates a ticket in the audit request list process, you can give it a day that you like, you need this by X date to be able to complete your audit. And so maybe this will just give it a date sometime in November, and then we can upload a request list to comply just by doing a simple CSV upload. Let me see if I can find it. Okay. So request list. Yeah, I think this one should do it.
Jeff Lesser (27:00):
So we're going to go ahead and create that audit. And you can see here that we've created this audit. When you jump into the audit, there was a couple of things that you can do. The first is that you can pull in evidence that's already been collected throughout the course of the year, either manually or automated based on the control that that evidence is matched to. And so here's a request for an SDLC policy. And so we can type in secure, and you can see here that we have the secure system development life cycle, policy control, and it pulls up a bunch of evidence that we can then use to say, oh yeah, we want to pull in, this request isn't actually about pull requests, but we can pull in these things that are about pull requests. We'll pretend that it is, and go ahead and complete that request.
Jeff Lesser (27:53):
Once that request is complete, you can see the progress has been reflected up here. And for other controls or other requests that you might not have evidence already in the system directly related to that control. You can either add in that evidence, right from the system, or you can request that evidence by clicking this button. And basically, that'll kick off a ticket that ticket can be synced to Jira and to Slack. It'll also send out the notification via email and the person receiving that notification can upload that evidence directly from email or Slack, and it will be inputted into Comply and attached to the request here.
Jeff Lesser (28:35):
And so if you don't have the evidence and you need to request it from compliance collaborators, you make it super simple for them to do that without ever having to log into Comply. Once you've fulfilled all of the requests like we all have more than six, but once you get them all done, you can click the export button. And Comply exports everything in a nicely organized folder. I think I can show that to you actually. Give me one second. I just need to figure out the screen share change.
Actually, Jeff, while you're doing that, I'm going to ask one of the questions that came in from the audience for you or Joe. Is, with GitHub PRs, do the auditors see the exceptions, or is it just to inform the internal team? For instance, would they be able to just release a list of the PR numbers and wait for the sample selections to release the details of that PR?
Joe Veroneau (29:35):
Correct. Yeah. So I've typically seen it be like a two-step process where you can first provide a list of pull requests. There are changes that have happened within the period, and then the auditor will select a sample new request. And then you can add a new request later. And that would allow for, and having like a, essentially a follow-up request where you're then sending maybe the contents of those pull requests, or even scheduling a walk through with the auditor where they're doing some more detailed evaluation. So typically starting with the populations and then facilitating samples as a follow on request.
Jeff Lesser (30:11):
Cool. Hope that answered the question. I'll go ahead and share my screen and I'll do this folder. And so you can see here that all of the different elements of the requests have their own folder. And then within the folder, there's the evidence that is needed to fulfill what the auditor was looking for. And so a lot of our other partnerships are based around. They know what to expect when compliers exporting their requests. And so it's much easier for the auditor to audit you and they can do it quicker and for cheaper.
Jeff Lesser (30:49):
So that's basically a demo of how the tool can manage audits so that you can do them more easily and smoothly and effectively. I know that there's one question that we often get asked, and that is basically like how much of the data is available to the auditor? And so, like we showed in the tool, you can basically select what is included in the response, the export for the audit request. But ultimately, your auditor is going to want to, if they see an issue or they don't like the sample and they want to see the full population, they're going to send a request back to you. So the auditor only sees what you export to them, but that doesn't mean that you're able to cherry pick your results necessarily.
Great. We also had a question around what integrations do we have? So I just dropped a link in the chat. Hopefully everyone can see that. There's actually a page on our website that takes you through all of the integrations that we have. So like we recently just announced Slack. We also have integrations with like Okta, Jamf, get GitHub, et cetera. And then that same person asked, can they build, can a user build custom integrations? Which I believe we do have a solution for.
Jeff Lesser (32:10):
We do. Yeah. So we have an API platform that enables you to do custom integrations, particularly around evidence, and then putting evidence from an API. We also have some other end points that we're working on and making available through limited availability. And so if there are requests that you have around API functionality that you'd like, definitely we want to hear that. We might have a solution in the works for you. And if not, we want to make sure that we add it to our roadmap.
Joe Veroneau (32:39):
I know two integrations that I've really valued just from our own internal work at Aptible, is the integration with GitHub and the integration with AWS. Systems that are predictably more tightly controlled by the engineering team and not needing to bug them, to get a list of pull requests or needing to navigate through GitHub, to find the information. Has been really helpful just to see like the real-time information streaming in for our system that probably shouldn't have access to on a day-to-day basis. Our integrations typically are read only user that's set up to be just pulling back relevant pockets of information. So really excited from our own internal perspective, as we continue to build out these sets of integrations. In that events API is great to also be able to work with team members to just pass relevant data directly at that end point and have some automation second occur to evaluate what's coming in through that events API, and potentially triggering a procedure based on the characteristics of that event, which is another really powerful use case. We're seeing a few different really cool implementations coming out of the customer base as well.
Awesome. We also have a question around kind of size of the team, I guess not just the organizations that we're usually seeing using Aptible. So are we typically seeing around like one to three individuals, four to 10, 11 to 1000? Really big ranger.
Jeff Lesser (34:10):
Yeah. It's a great question. It's funny. Some of our most adept customers are teams of one and they're just using Comply to scale their compliance program without needing to scale their headcount. We're also seeing some customers who had like previously large compliance teams that have onboarded to Comply and they're using it pretty seamlessly, collaboratively across their team. I would say the average is on the lower side two to three, and these teams will have 30 plus different client compliance collaborators that are collecting evidence throughout the year. But generally, we're seeing smaller teams who are able to leverage the tool to scale their compliance operations.
And then one more question. At a high level, how does pricing work? Is it per audit, per user? What's the pricing?
Jeff Lesser (35:09):
Yeah, that's a great question. We generally create custom pricing based on your company and what your needs are, but in, it usually encompasses some elements of what compliance frameworks do you care about and how many audits do you need as well as how big is your team? We have some functionality around automating user access reviews. That's super valuable. And so if you are 100-person company versus a 500% company, the difficulty and the challenges around user access reviews are different. And so we price differently based on the team size. But like I said, it's sort of specific to each customer and what their needs and challenges are. So if you're interested in learning more about pricing, you should definitely contact us and we can set you up with someone who can help you figure out what that would be for you specifically.
Fantastic. We've gotten a lot of nice feedback. People have been saying it was a great demo, great presentation and perfect answers to the questions. So gold stars all around. Joe and Jeff wanted to thank you both for taking the time to walk us through the presentation and through the demo today. Like I said, I'll be sending out a link to the recording. So you can all view again on demand and feel free to share with your coworkers, your friends and family, for their viewing pleasure. And with that, I guess we'll just close out and say, thanks to everyone, have a great rest of your week. And we look forward to seeing you on upcoming events.