Many organizations make the mistake of letting cost be the primary driver of choosing an audit firm. As with most products and services, there is usually a reason they were the cheapest, and that choice often becomes a costly mistake.
While most audit firms you will run across are licensed to perform audits and produce a report, you likely want to look for a firm that can provide value, not just a report. Audits can be expensive, and you need to see a return on that investment.
We often suggest looking for a few characteristics when evaluating whether an audit firm is of a quality that will give you a positive return on your investment and, ultimately, a better audit experience. To help simplify your audit firm search, I’ve provided these characteristics below:
1. Expertise of the Audit Team
Your auditor should have sufficient and relevant industry experience. This seems obvious, but many firms may staff an inexperienced auditor on an initial or extremely complex project as it improves their profitability.
Security is complicated; therefore, an experienced auditor should always be involved in a first-time examination in a complex or high-risk environment. The last thing you want is to buy an audit report with inaccuracies that can ultimately impact your credibility.
While prospecting audit firms, ensure you understand who your team will be and your auditor’s experience level – both as an auditor and in your industry. Verify the certifications your auditor possesses, their accomplishments, and noteworthy completed projects.
If it is your organization’s first time going through the process, you should request a highly experienced expert on your engagement.
2. Quality of Examination Procedures and Reporting
A good auditor should ask detailed and appropriate questions throughout the audit process. These questions should be probing and knowledgeable so that your report accurately reflects your organization’s operational and technical processes and governance structure. An auditor cannot provide operational insights without diving into your operations.
Many audit firms have prefabricated templates that they expect you to mold your processes to match. In these situations, your report will look exactly like every one of their clients’ reports. You gain value by differentiating; a quality auditor must understand and report upon your differentiators.
So, how do you determine quality when evaluating auditors? We recommend organizations ask about the firm’s process for establishing an initial report and whether the firm is willing to provide example reports for reference. Check to see:
- Is the scope consistent throughout the report?
- Is the report overly vague, so that you can’t gain an understanding of the entity’s processes?
- Are the auditor’s tests in the report aligned with the control activity? Did their tests seem to evaluate the controls sufficiently?
- Are any control testing exceptions or findings discovered during the audit included in the report? Can they produce an example report that includes testing exceptions?
3. Operational Insights
If your audit is conducted by tenured professionals with experience in your industry and your technology infrastructure, then that auditor should be able to convey operational insights to your organization regarding industry best practices and the continual maturity of your security program.
If an audit firm is checking boxes without exercising professional skepticism, it will not be able to deliver this data to your company. Audit data can be of incredible value to executive management to give them insights into operational consistency and organizational maturity and for making decisions about resources to deploy for security and compliance.
Without clearly conveyed data, management has to make their best guess. Ask whether, and how, your prospective audit firm can deliver this data to your company and support your growth.
4. Communication
A key driver to the success of an audit and a positive experience is thorough, articulate, and organized communication. A good auditor should be your subject matter expert (SME) in all things security and compliance, but they should be able to break complex topics down into digestible terms.
A quality auditor will excel in providing feedback on your preparedness and ongoing insights into the maturity of your operation. Using modern communication tools such as project management and collaboration software, and having experience with your security automation platform if you use one, is vital.
During the audit process, they should be transparent and prompt with potential findings, roadblocks, and action items to help ensure your success. Answering your questions promptly should be expected. You should not be surprised by anything throughout your project or your report.
When evaluating audit firms, you should ask how they manage the process end to end and what the communication mechanisms are for collaborating on your project. Be wary of firms that outsource most of their audits to third parties or offshore facilitators, as quality control is often hard to manage within these organizations, and communication issues are generally prevalent.
5. Your Auditor’s Likeability
A mentor’s question from my early audit career still resonates with me today: “Are you likable enough for your clients to actually want to sit in a room with you for eight hours a day, five days a week?”
Years later, I understand the importance of this question.
There’s already a stigma around the word “audit”; however, your relationship with your auditor can (and should) facilitate trust. This isn’t to say that your auditor is your new best friend, but they should build a good rapport with you and your organization. In doing so, your auditor can better understand your business objectives, deliver value to your organization, and create a positive experience throughout the process.
6. Firm Culture
To this point, we’ve focused on the values of a good auditor. Ultimately, you are hiring this auditor’s firm, so it is just as critical to consider the firm culture and reputation.
An accredited firm will typically belong to one or more professional organizations and have a positive online and/or industry presence. You may even be able to inquire with other organizations to determine the quality of the audit work performed, the quality and accuracy of the report, and the overall interaction with the audit firm. Ask for references, and ask those references whether they felt the audit firm added value to their company.
Your organization should be able to trust your auditor to do the right thing in every situation. Your auditor should portray honesty, diligence, and responsibility in their actions while performing and reporting on the audit results.
Your auditor should also be objective and respectful of your organization’s culture, business processes, objectives, policies, and procedures. Lastly, your auditor should adhere to all relevant laws, standards, and requirements of the audit profession and should not be willing to engage in illegal activities, fraud, or bribery.
You should always ask for any prospective audit firm’s latest peer review report. If they don’t have one, they are likely operating illegally. If they have one with a significant weakness identified, this could also be a red flag.
Fees are often the number one thing prospective clients look for when evaluating auditors. While costs are essential because you most likely have a budget, fees shouldn’t be considered one-dimensionally.
For example, Auditor X might be $1,000 cheaper than Auditor Y, and on the surface, going with Auditor X may seem like an easy decision. But if Auditor Y is providing $8,000 more in value as a component of their audit, then Auditor X may be a big mistake.
There is a vast difference in the level of quality between audit firms, and as with other products and services, you generally get what you pay for. We typically advise clients not to go with the cheapest audit firm as they are likely unreliable.
However, at the top end of the spectrum, you are likely paying a huge premium just for the firm’s brand name. Typically, somewhere in the middle is an excellent sweet spot, but you should understand the value you will get compared to any firm’s fees.
If you’d like to learn more about how AssurancePoint delivers value to our clients, please Contact Us, and we will be happy to have a tenured expert reach out to explain how we provide value through quality compliance assessments.