How to Evaluate Auditors

Selecting an audit firm can, and probably should, feel daunting. After all, you hopefully will work with this firm for many years to come, so it shouldn’t be a rushed decision.

Many organizations make the mistake of letting cost be the primary driver of choosing an audit firm. As with most products and services, there is usually a reason they were the cheapest, and that choice often becomes a costly mistake.

While most audit firms you will run across are licensed to perform audits and produce a report, you likely want to look for a firm that can provide value, not just a report. Audits can be expensive, and you need to see a return on that investment.

We suggest looking for a handful of characteristics when judging whether an audit firm is of a quality that will return value on the investment and give you a better audit experience. To simplify your search, those characteristics are listed below:

1. Expertise of the Audit Team

Your auditor should have sufficient and relevant industry experience. This seems obvious, but many firms staff inexperienced auditors on initial or highly complex projects because it improves their profitability.

Security is complicated; therefore, an experienced auditor should always be involved in a first-time examination in a complex or high-risk environment. The last thing you want is to buy an audit report with inaccuracies that can ultimately impact your credibility.

While evaluating audit firms, make sure you know who will be on your team and how experienced each auditor is, both as an auditor and in your industry. Verify the certifications your auditors hold, along with their accomplishments and noteworthy completed projects.

If this is your organization's first time going through the process, request a highly experienced expert on your engagement.

2. Quality of Examination Procedures and Reporting

A good auditor asks detailed and appropriate questions throughout the audit. Those questions should be probing and knowledgeable, so that the report accurately reflects your organization's operational and technical processes and its governance structure. An auditor cannot provide operational insight without diving into your operations.

Many audit firms have prefabricated templates that they expect you to mold your processes to match. In these situations, your report will look exactly like every one of their clients’ reports. You gain value by differentiating; a quality auditor must understand and report upon your differentiators.

So, how do you judge quality when evaluating auditors? We recommend asking how the firm builds an initial report and whether it is willing to share example reports for reference. In those examples, check:

  • Whether the scope is consistent throughout the report.
  • Whether the report is so vague that you cannot understand the entity's processes.
  • Whether the auditor's tests align with the stated control activities, and whether those tests evaluate the controls sufficiently.
  • Whether control testing exceptions or findings discovered during the audit are included in the report, and whether the firm can show you a report that contains testing exceptions.

3. Operational Insights

If your audit is conducted by tenured professionals with experience in your industry and your technology infrastructure, then that auditor should be able to convey operational insights to your organization regarding industry best practices and the continual maturity of your security program.

If an audit firm is checking boxes without exercising professional skepticism, it will not be able to deliver this data to your company. Audit data can be of incredible value to executive management to give them insights into operational consistency and organizational maturity and for making decisions about resources to deploy for security and compliance.

Without clearly conveyed data, management has to make its best guess. Ask how, and whether, your prospective audit firm can deliver this data to your company and support your growth.

4. Communication

A key driver to the success of an audit and a positive experience is thorough, articulate, and organized communication. A good auditor should be your subject matter expert (SME) in all things security and compliance, but they should be able to break complex topics down into digestible terms.

A quality auditor excels at providing feedback on your preparedness and ongoing insight into the maturity of your operation. Fluency with modern collaboration tooling, such as project management tools, collaboration software, and, if you use one, your security automation platform, is vital.

During the audit process, they should be transparent and prompt with potential findings, roadblocks, and action items to help ensure your success. Answering your questions promptly should be expected. You should not be surprised by anything throughout your project or your report.

When evaluating audit firms, ask how they manage the process end to end and which communication mechanisms they use to collaborate on your project. Be wary of firms that outsource most of their audits to third parties or offshore facilitators: quality control is often hard to manage in those arrangements, and communication issues are common.

5. Your Auditor’s Likeability

A mentor’s question from my early audit career still resonates with me today: “Are you likable enough for your clients to actually want to sit in a room with you for eight hours a day, five days a week?”

Years later, I understand the importance of this question.

There is already a stigma around the word "audit"; however, your relationship with your auditor can (and should) build trust. This is not to say that your auditor is your new best friend, but they should build good rapport with you and your organization. In doing so, your auditor can better understand your business objectives, deliver value to your organization, and create a positive experience throughout the process.

6. Firm Culture

To this point, we’ve focused on the values of a good auditor. Ultimately, you are hiring this auditor’s firm, so it is just as critical to consider the firm culture and reputation.

An accredited firm will typically belong to one or more professional organizations and have a positive online and/or industry presence. You may also be able to ask other organizations about the quality of the audit work performed, the quality and accuracy of the report, and the overall interaction with the audit firm. Ask for references, and ask those references whether they felt the audit firm added value to their company.

7. Integrity

Your organization should be able to trust your auditor to do the right thing in every situation. Your auditor should portray honesty, diligence, and responsibility in their actions while performing and reporting on the audit results.

Your auditor should also be objective and respectful of your organization's culture, business processes, objectives, policies, and procedures. Lastly, your auditor should adhere to all relevant laws, standards, and requirements of the audit profession, and should never be willing to engage in illegal activity, fraud, or bribery.

Always ask a prospective audit firm for its latest peer review report. CPA firms that perform attestation engagements are generally required to undergo peer review, so a firm that cannot produce one may not be properly licensed to issue your report. A peer review that identifies a significant weakness is also a red flag.

8. Fees

Fees are often the number one thing prospective clients look for when evaluating auditors. While costs are essential because you most likely have a budget, fees shouldn’t be considered one-dimensionally.

For example, Auditor X might be $1,000 cheaper than Auditor Y, and on the surface that may look like an easy decision in favor of Auditor X. But if Auditor Y delivers $8,000 more in value as part of its audit, choosing Auditor X may be a big mistake.

There is a vast difference in quality between audit firms, and as with other products and services, you generally get what you pay for. We typically advise clients not to choose the cheapest firm; the lowest bid usually reflects the least experienced staff or the thinnest procedures.

However, at the top end of the spectrum, you are likely paying a huge premium just for the firm’s brand name. Typically, somewhere in the middle is an excellent sweet spot, but you should understand the value you will get compared to any firm’s fees.

If you’d like to learn more about how AssurancePoint delivers value to our clients, please Contact Us, and we will be happy to have a tenured expert reach out to explain how we provide value through quality compliance assessments.

Written By:

Ryan Whitehead

Ryan Whitehead is a Manager with AssurancePoint based out of San Diego, California. He is responsible for managing SOC examination engagements and is AssurancePoint's healthcare practice lead. Ryan is focused on building exceptional client relationships and maximizing the value of his clients' compliance initiatives. Prior to AssurancePoint, Ryan's experience includes security auditing across various industries and firms, including the Big 4. Ryan earned a Bachelor of Information Science and Technology from the University of Wisconsin, Milwaukee and a Master's in Information Systems from Auburn University. Ryan has also achieved the Certified Information Systems Auditor (CISA), Certificate of Cloud Security Knowledge (CCSK), and Advanced SOC certifications.
