Sept. 8th, 2020 - All about Audits – Boring Startup Stuff

Can you afford to do enterprise sales?

If you focus on enterprise sales, you will at some point need to show proof that your company has some operational integrity. A SOC 2 report is the most common proof that enterprise buyers expect from early-stage software startups. The SOC 2 audit comes in two flavors:

  • Type 1: An initial "in place" audit that verifies your security and operations controls are designed and implemented at a specific point in time. This is done once and will run between $10,000 and $50,000.
  • Type 2: An annual audit that reviews the evidence trail over an observation period (typically the preceding 12 months, though a first Type 2 is often run on a shorter window) to verify that those controls actually operated as described. Can cost $15,000 - $50,000 annually.

I encourage using an advisory firm to walk you through your first set of audits. Depending on the type of work they do, this can tack on an extra $10,000 to $50,000 per audit.

All in, a SOC 2 Type 1 and Type 2 audit will cost a small company $25,000 to $100,000.

Each year of Type 2 audits will add $20,000+ in expenses. Keep in mind that none of these costs account for the internal labor cost of managing the audits: collecting evidence, answering auditor requests and keeping your controls documented.


 

How to avoid getting on the hook for $179,000,000

(We are not lawyers and below is not legal advice)
 
Indemnification clauses will pop up in every contract you negotiate.
 
Any lawyer worth their salt will zero in on these clauses like a fly to poop.
 
What do these clauses do?
Indemnity is a transfer of risk from one party to another: the indemnifying party agrees to cover losses or liabilities the other party suffers. In a purchase or service contract the risk usually moves from buyer to seller, because the buyer asks the seller to indemnify it.
 
Why should you care?
If you get sued, and your corporate docs are not in order, there are scenarios where you can personally be on the hook. 
 
Or, in the event you decide to sell your business, customer contracts containing uncapped or excessive indemnity clauses can create acquisition hurdles.
 
Just ask Uber about how much their indemnification of Anthony Levandowski might cost (hint: $179,000,000).
 
What to watch out for
If you are the purchaser/licensee/employer, you usually want some form of indemnification for loss or liability that results from your use of the provided good or service (a typical example is a claim that the software infringes a third party's intellectual property).

If you are on the other side of the table (seller/licensor/employee), you are looking for indemnification from breach of the contract terms, and for carve-outs that keep your own indemnity from covering the other side's conduct. As an example, if the purchaser modifies your software in a way that infringes another company's IP (breaching your agreement), you the seller do not want to be on the hook for the infringement liability.
 
A few things to keep an eye out for:
  • Requests for uncapped indemnity or vague language. Ask for a cap (commonly tied to the fees paid under the contract) and spell out any exceptions to it.
  • Any clauses holding officers or employees directly responsible.
  • Explicit language on the types of losses that would be covered. It is common to cover attorney fees.
  • The circumstances that trigger the indemnity (third-party claims only, or also claims between the parties).
  • Broadly scoped clauses. Phrasing such as "any services performed under this agreement" could be a red flag.
 
There are dozens of things to keep an eye on depending on the type of contract. I encourage consulting an attorney on a case by case basis.
 
Some final thoughts
Verify that your business's corporate docs are in order so the corporate veil cannot be pierced, get good errors and omissions (E&O) insurance coverage, and continue on with life.
