In 2016, Wrike engaged Schellman to perform annually recurring Type 2 SOC 2 examinations for their Wrike Project Management Platform and included the Security and Confidentiality trust services categories. In 2020, Wrike added the Availability and Privacy trust services categories to the scope of the SOC 2, as well as a SOC 3 examination.
Also in 2020, COVID-19 swept across the globe, creating a pandemic that shut down domestic and international travel and made close, in-person collaboration ill-advised. What did that mean for compliance assessments everywhere? The circumstances had to change, and for Wrike, things shifted internally as well.
In years past, when third-party assessors came on-site at Wrike (including Schellman professionals), the Wrike Security Team would welcome the Schellman team in its headquarters in San Jose, California to facilitate the assessment in person. A pandemic meant closing all of Wrike’s offices, sending all personnel to work from home. In one fortunate break, the Wrike platform was designed to facilitate remote work, and it was already being used internally across the board by team members, allowing Wrike to avoid any new and major infrastructure changes to support the facilitation of remote third-party assessments and internal security audits. “We were prepared and moved to the new reality quite smoothly,” said Julia Omelyanenko, Security Compliance Manager at Wrike. The Information Security Team thoroughly evaluated the new security risks that came with personnel working from home and instituted new training for employees to help mitigate them. Specific attention was paid to additional security controls for mobile device management to understand those risks, but other than that, Wrike was well-positioned for the new normal.
When it came time for Schellman to perform the annual assessments, this time with the expanded scope provisions, it was agreed by both parties that the assessment would take place entirely remotely for safety reasons. While there was still some apprehension going in thanks to the SOC 2 Availability and Privacy trust services category additions, Wrike remained confident in their preparation. It also helped that the previous 2019 audit with Schellman had also been conducted remotely, before COVID-19 had even emerged as a global threat.
Though the technical issues that forced remote work appeared to be a hurdle at the time, the fact is that the 2019 Schellman assessment for Wrike actually served as a lucky dress rehearsal for the 2020 assessments. Even though the team was used to working at somewhat of a distance and had built out a working process already, there were still some refinements made this last year that yielded what both sides say was their greatest collaboration yet.
While there was typically one week spent on-site working closely, face-to-face as the teams sat together and demonstrated the necessary artifacts, Wrike switched to video conference calls in 2019. These calls were held to conduct process walkthroughs and requested items were screenshotted and uploaded to for Schellman auditors to review.
To facilitate the collection and review of audit evidence with clients and upgrade the remote audit approach, Schellman also introduced and developed its own collaboration platform, AuditSource. Together, the use of AuditSource and the Wrike platform drove audit processes and introduced a theme of continuous engagement, visibility, and accountability—all of which are critical when project teams are prevented from interacting in person, face-to-face.
In 2020, taking those lessons learned from the fully remote audit in 2019, Schellman agreed to continue fine-tuning and building upon the audit workflows, including leveraging the Wrike platform during this second iteration of a remote audit. A unique, separate project was created by the Wrike team, who invited Schellman personnel to collaborate in the special workflow that auto-assigned all the requests for evidence to the necessary responsible party. For this audit, all assessment activities, from evidence collection on the Wrike side to the review of the evidence on the Schellman side, happened in the same place within Wrike’s platform. This included all communications, as there was a single digital storage area for records. These new steps helped streamline the number of necessary audit-related meetings and allowed all parties involved in the process to keep an efficient schedule, despite globally reaching time zone differences between those involved.
Using the Wrike platform to conduct their work was a “big switch for the 2020 audit team, but one that went smoothly,” according to Brett Hayes of Schellman, who took part in the Wrike assessment for the first time in 2020. “The prep work that we did upfront, as far as conducting our walkthrough discussions and product demos, helped to ensure the Schellman team understood how the audit workflows were designed leading into the project. This was really helpful and put us in good position to execute when the scheduled assessment started.” Christy Shum, a senior manager at Schellman who has worked with Wrike for years, agreed. “Working remotely never put a barrier between us even if it was vastly different to being on site. For me, the audit experience was almost the same. It felt like we were talking about the project, about questions, all the time.”
Though phone calls were still necessary to facilitate certain audit activities and provide clarification, both sides agree that the number was cut about in half, thanks to the thorough preparation and efficiency of the teams working together. Though the usage of the Wrike platform certainly helped strengthen the audit process overall, the company also commended Schellman for their preparation. “Schellman seems to have developed really mature guidelines for remote work,” remarked Omelyanenko. Despite the challenges of a remote audit and outside distractions of the COVID-19 pandemic, the team remained entirely transparent and very clear. “We really appreciated Schellman using our platform for the project, especially since they already have a similar system for evidence collection. But even aside from that, just taking into account everything from the kick-off meeting slide deck, the workflow description, and weekly project status updates conducted by Schellman; for Wrike, we feel like Schellman took a great step forward on the official project part of the audit. We had a great experience.” Wrike’s Director of Information Security, Dmitry Desyatkov, agrees. “Fantastic speed. Hard to believe that the audit took so little continuous involvement from Wrike’s side.”
Previous years warranted many suggestions to the audit process between Wrike and Schellman, but this year everything was so clear that it’s hard to find anything to further improve, which is somewhat incredible given the strain 2020 has put on professional services everywhere. “Everything was in place and scheduled timely—not a lot of calls during working weeks, but the ones that were had discussed what was necessary with no fluff, and we covered even more than during previous assessments,” said Omelyanenko. Even the addition of Privacy, which can prove a chore to add for some organizations even when not fully remote, went better than expected. Kickoff for Wrike was a week before Schellman began fieldwork—the new major set of criteria was presented and then discussed internally at Wrike, who pulled together the necessary evidence and alerted relevant stakeholders as to their roles. With everyone on the same page by the time the audit started, “it went really smoothly because we were able to get in place upfront. When the SOC examinations officially kicked off, we were able to hit the ground running,” said Hayes.
Moving forward, the framework that has been gradually improved during the working relationship between Wrike and Schellman is in place to serve as a long-term strategy that both sides are extremely comfortable with, should remote audits become necessary even after the COVID-19 pandemic is brought under control. Though remote work is not considered perfect, and both sides admit to missing out on the informal chats and meals together that came with working together physically, when considering the process, “there is nothing to change at this point.” Dmitry Desyatkov, Director of Application and Information Security at Wrike, stated, “we look forward to improvements on our end, thanks to our information security team that are really keen. We want to make internal audits more efficient and go deeper, and we want to become even better with prep for external audits. But with the remote audit process, we were grateful for the dedication of the Schellman team. There was very great communication throughout, a high level of engagement by them, and we were confident in the schedule.”
"We consider compliance a pleasant side effect in our security processes and culture. We want to make internal audits more efficient and go deeper, and we want to become even better with prep for external audits. But with the remote audit process, we were grateful for the dedication of the Schellman team. There was very great communication throughout, a high level of engagement by them, and we were confident in the schedule."
Dmitry Desyatkov | Wrike | Director of Application and Information Security
Though on-site audits, which require physical interaction, may still be preferable to remote assessments in many cases, and not just for the human interaction element, both Schellman and Wrike believe that their 2020 remote assessment was their best work together yet, and there are steps that can be taken for those wanting to become just as comfortable with a remote audit.
According to Wrike, “any assessment goes pretty smoothly if the company has security in its skeleton, in its bones.” Omelyanenko explained that “if security is a priority of leadership—if those processes are established fully—any audit, remote or not, can be passed with a good result because the personnel understand what they are doing and what they are doing it for.”
That awareness is key. “If the teams understand the controls, they can implement processes that could help to demonstrate the effectiveness of the criteria.” At Wrike, security leader Dmitry Desyatkov established this passion for this methodology within the company. He says, “we consider compliance a pleasant side effect to our efforts in our security processes and culture.” Overall, this approach has caught on and made things even and efficient internally.
Such a high level of buy-in from client management is critical to the success of remote audits, according to Schellman. It allows for the necessary preplanning to take place with full commitment on both sides, and thus makes it easier for assessors to also manage client expectations throughout. “For successful execution of fieldwork, it works best if the Schellman team and the client-side project team are all on the same page, working as one cohesive project team together,” Hayes explained. “Even if not working side-by-side, it is still possible to maintain the constant communication necessary so that all stakeholders involved are regularly updated on the project’s progress against key milestones. That helps ensure any surprises and delays can be avoided or appropriately managed,” said Shum.
When both sides of an audit match each other thusly with a similar passion for security and privacy, the physical distance of a remote assessment becomes inconsequential overall. Between Wrike and Schellman, the shared dedication meant that circumstances warranted by a global pandemic did not hinder collaboration at all. Omelyanenko said, “Keeping our hands on our security processes helps us to provide feedback and achieve the speed we demonstrated this year with Schellman. All I can say to Schellman is, keep on going forward!”