Enhancing Customer Trust Through a Comprehensive Audit Program
This is the third iteration in our blog series. In our first blog, we introduced Okta’s Security Customer Trust team, highlighting our commitment to transparency and our mission to strengthen security outcomes for Okta and the communities we serve. In the second blog, we took a closer look at the tools and solutions that power our Customer Trust efforts.
In this blog, we’ll explore how the Okta Security Customer Audit further enhances the Customer Trust function, driving even greater transparency and confidence in our security practices to meet our customers' regulatory and compliance requirements.
The many benefits of cloud computing come with a challenge: reduced visibility into the day-to-day operations of the growing number of applications in today’s tech stacks. Identity has become the cornerstone of a security program and the new perimeter of technology itself.
For most customers, reviewing Okta’s generally available documentation meets their requirements. For highly regulated customers, a more detailed audit and more robust documentation may be necessary.
Introducing the program
As organizations increasingly rely on identity platforms, the need for comprehensive security measures has never been greater. The growing dependence on external vendors, suppliers, and service providers means businesses face a diverse set of supply chain risks that must be carefully managed to maintain a strong security posture.
The Okta Security Customer Audit program enables highly regulated customers to view the policies, procedures, and evidence that Okta provides to its own auditors, and to meet regulatory requirements for observing control implementation evidence. The program is carefully designed so that audits are conducted on equal terms for every participating customer and do not expose customers to undue risk.
Working with us
Through structured assessments, our program provides deep visibility into Okta’s enterprise operations, covering critical areas such as quality control, regulatory compliance, security measures, and performance metrics. These audits are designed to give customers the confidence that Okta’s security practices not only meet, but often exceed, industry standards, empowering them to meet their own regulatory and compliance requirements.
During an Okta Security Customer Audit, you can expect:
Before an Audit
Our team will execute a thorough review of the Okta processes, documentation, and controls. This may include interviews with key personnel, examination of various records, and observation of operational practices. Our audit team possesses expertise in relevant areas such as quality assurance, compliance, and information security across various industries and regions.
During an Audit, Pooled edition
After methodically mapping regulatory controls, we extended the program’s capabilities to a pooled audit format.
Last December, we piloted our Okta Security Pooled Audit program (more on this in a future blog), which addressed the control requirements defined by the Digital Operational Resilience Act (DORA). The pooled audit gave dozens of our EMEA/UK financial services customers an open-door look into our security program, much like the one we share with our own third-party audit functions. We demonstrated that Okta’s controls meet customer and regulator requirements, and the format also fostered community: attendees had peer-to-peer opportunities to discuss the similar compliance challenges they face in their respective organizations.
After the Audit
Post-audit closing activities are crucial for the program's effectiveness. These activities involve following up on the implementation of corrective actions and verifying that Okta has made the necessary improvements to keep both Okta and our customers secure.
More on our Audit programs
While we’re not subject to every global regulation, we will work closely with our customers to understand their requirements, support them in their efforts to achieve and maintain compliance, and reinforce trust in Okta.
Later this month, we’re expanding our pooled audit program to help Okta’s Australian customers address the new requirements of Australian Prudential Regulation Authority (APRA) standard CPS 230 and the existing CPS 234 requirements; these audits will follow the same program structure. To learn more about our audit programs and how to get involved, contact your account team.