Factors That Create a Positive Compliance Experience

There is no doubt in my mind that I have seen vastly more audit horror stories and unsatisfied auditees on public forums and social media than I have seen people raving about a positive audit experience.

Auditing is an extremely tough profession, and we auditors often get a bad rep – many times undeservingly. But why is there consistently such negativity around the process?

At AssurancePoint, we send out client surveys after every project. We have never had a bad review. We actually maintain a 100% net promoter score throughout our firm’s history. And rarely receive any feedback less than five stars across the board. We have a firm philosophy of doing whatever it takes to deliver a better compliance experience.

There are a few factors that I believe are fundamental to delivering that experience:

 

Quality and Accuracy of Reporting

The quality and accuracy of an audit report should be a given, as that is why audit firms exist. However, there is a race toward efficiency over quality in the modern audit climate. Call me old-fashioned, but I believe if a company purchases an audit, they should receive an audit.

A thorough audit, such as a SOC 2 examination, will result in a detailed report that accurately conveys pertinent information to your stakeholders. I hear all the time from CISOs and security consultants how they received a templated audit report that was too vague for them to gain any relevant details. They subsequently need to ask additional questions or send questionnaires because the audit report isn’t giving them the information or assurance they need.

A quality report should be customized to your operations.

Such a report instills internal and external confidence and provides your organization credibility in the marketplace. When you understand the content of your report and how your auditor came to their conclusions, you generally feel better about the process in general.

 

Engaging in Discussions with Experienced Professionals

Ultimately, you are working with an auditor. The lack of relevant and engaging conversations is a significant stigma against security auditors. Most firms choose to increase their profitability by leveraging the cheapest labor they can find to conduct their audits. This ultimately means very inexperienced auditors or outsourced off-shore teams. Both generally lead to unnecessary back and forth, frustration on both sides over minor issues, and unnecessary delays and inefficiencies.

We find our clients are typically open to engaging in inciteful conversations. They actually feel they gain value from such discussions. However, it takes experienced professionals and skilled communicators to deliver that experience in such a technical field.

 

Organized and Streamlined Project Management

I’ve seen uncountable complaints from auditees about not receiving their audit report for months after the audit concluded; they consistently felt in the dark throughout their audits or never knew what action items they had.

Effective project management with clearly defined and communicated methodologies, timelines, and action items alleviates the apprehension of auditees around the audit process. We hold a formal kickoff meeting at the on-site of each engagement where we work with the client to outline project timelines, next steps, and what to expect. This allows us to create an effective project plan to reduce the likelihood of roadblocks and black holes while holding both sides accountable for project tasks.

Surprises in an audit aren’t usually a good thing. When everyone understands the project expectations’ nature, extent, and timing and is up-to-date on milestones, you generally reduce the potential for heartburn.

 

Timeliness and Effectiveness of Communications

This goes hand in hand with the project management factor above, but I felt it warranted its own category.

Communication is paramount to the success of any project. Articulate auditors, capable of clearly and succinctly conveying tasks, make all the difference in a project. And not just the ability to convey project tasks but the ability to illustrate why the asks are being made. This gives auditees a view of the big picture; when individuals understand why, they are less likely to perceive the request negatively.

The timeliness of communication is also crucial. Audit communication should take place with enough runway for auditees to take action. I would also be upset if I were asked to hunt down a document from six months ago owned by a different department when I expect my audit report tomorrow.

Auditees should also expect timely responses to any questions, whether or not they are actively in an audit fieldwork. Your auditor should be a partner in your journey and provide value-added communication and guidance along the way.

 

Likeability of Your Audit Team

Did you enjoy collaborating with the people you worked with during your audit? This is obviously going to have an impact on whether you had a positive experience or not.

Auditing is a tricky business, and as mentioned before, most firms leverage inexperienced or off-shore auditors to make a profit. In my experience, I have generally found the best client experiences occur when they have interactions with experienced professionals who have the skills to hold deep intellectual conversations and serve in an advisory capacity.

Effective collaboration in working through complex issues ultimately builds relationships. Those relationships directly impact the positivity or negativity of the audit experience.

Likeability is a factor of experience and effective communication with an X-factor of personality mesh in a professional setting. When recruiting candidates to deliver that positive client experience, we look for these factors.

 

Real-Time and Formalized Feedback

A quality audit can provide many tiers of value. One of those tiers is in the form of feedback; both operational feedback and feedback on industry best practices are essential.

I believe the value an audit delivers directly impacts the positivity of the experience. Auditors should give real-time and formalized feedback on operational inconsistencies, bottlenecks, procedural misalignments, configuration vulnerabilities, etc.

Experienced auditors have also seen hundreds of different environments and should be able to convey excellent practices they have seen in other organizations to you. This may not directly impact your audit report, but it is undoubtedly a value-added service that should go hand in hand with a quality audit.

When clients receive that level of service above and beyond just the issuance of the audit report, it leads to a better experience – because they see value in their invested capital.

 

Did You Feel Swindled?

I’ve heard countless times from organizations that they got a report, but they have no clue what happened to get it. This is a common story among companies leveraging governance, risk, and compliance (GRC) platforms to help manage their programs, also known as compliance automation platforms.

It is easy for auditors to over-leverage these platforms without performing proper examination planning, audit due diligence, or evaluating the client environment thoroughly because out-of-the-box controls are already there and presented for them.

I have no problem with GRC platforms, as they can, if appropriately utilized, provide real organizational benefits to companies. However, the tendency of many auditors to get the project done as cheaply and as quickly as possible leads to a trend of hyper-low quality audits, leaving auditees feeling like they received a scripted report or unsure if they even got the audit they paid for.

There is also a surprising uptrend of many report users (the companies requesting audit reports from vendors or potential vendors) rejecting reports that are clearly of low quality. In the good old days, you could give a prospective customer your audit report, and the fact that you had one was all they cared about.

In the current landscape, savvy security, compliance, and procurement professionals are actually reading these reports. To protect their companies and customers, they are calling out reports they feel cannot be relied upon. I think this is a significant trend.

If you paid for an attorney to help you in a legal dispute and found out he charged you an entire bill but leveraged a prefabricated case brief; you probably wouldn’t feel happy about it. You will probably also lose your dispute. When auditors do this, it also generally leads to negative sentiment around the audit process as well.

 

Were You Instilled with Confidence?

Ultimately, an auditee should feel confident about their audit and the resulting report. Your report should address most questions from a prospect or customer, and if they have questions about specific content, you should be confident in your ability to understand exactly what that content refers to in your company and address the inquiry.

A quality audit should instill confidence internally because you know you executed well and are comfortable with the results. It should also instill confidence externally with prospects, customers, investors, etc.

When a completed compliance initiative leads to uncertainty, ambiguity, or further insecurity, you aren’t going to have positive feelings about the experience. If you complete your project and you feel confident and accomplished – that is the positive experience you should be after.

Contact us today to get started.

Written By:

Dale Crump

Dale Crump is the Founder and Managing Partner of Assurance Point, LLC. Dale oversees a variety of attestation and advisory engagements within the information security, privacy, risk management, and compliance sectors.

He has broad experience across an array of internal control and risk management frameworks and specializes in SOC reporting, having contributed to the issuance of over a thousand high-quality reports in his career.

Dale is a licensed CPA, and holds additional certifications including the CISSP, CISA, CIPP/US, CCSK, ISO 27001 Lead Auditor, and the Advanced SOC for Service Organizations credential. Dale is an active member of the AICPA, Georgia Society of CPAS, ISACA, and the IAPP, among others. In his spare time Dale is an avid outdoors enthusiast, Atlanta sports fan, and enjoys spending time with his two kids.

Why SOC Examinations Matter for C-Suite Executives

In today’s rapidly evolving digital landscape, the stakes for securing sensitive data are higher than ever. For C-suite executives such as CISOs, CTOs, CIOs the need for efficient and verifiable security practices is essential. System and Organization Controls...

What Are SOC Reports – The Basics 2

SOC 1 vs SOC 2: Choosing the Right Examination

System and Organization Controls 1 and 2 (SOC 1 and SOC 2) reports are both related tointernal controls within organizations, but they serve different purposes and audiences. Whichone is right for your organization? It will depend on the use case of the report and...

Security Events vs. Security Incidents

Security Events vs. Security Incidents

In the world of cybersecurity, a common misunderstanding often exists within organizations - the distinction between security events and security incidents. We audit a lot of organizations’ incident management protocols, and the lack of a distinction between event...

How to Evaluate Auditors 2

How to Evaluate Auditors

Selecting an audit firm can, and probably should, feel daunting. After all, you hopefully will work with this firm for many years to come, so it shouldn’t be a rushed decision. Many organizations make the mistake of letting cost be the primary driver of choosing an...

How to Prepare for a SOC 2 Security Assessment 2

How to Prepare for a SOC 2 Security Assessment

Security assessments, such as SOC 2 reports, are increasingly becoming a requirement in modern business. Organizations often approach us needing a SOC 2 but need help knowing where to start. So, let's break down the significant steps in preparing for a SOC 2....