How to choose an auditor for SOC 2

Dan Andrea

14 Dec 2023

TrustCloud teamed up with Dan Andrea, a partner at KLR, to discuss:

  • Preparing for a successful SOC 2 audit
  • Evaluation criteria when choosing an auditor
  • Factors that influence the cost of an audit 

Read more of Dan’s suggestions below, or check out the conversation on YouTube.

Preparing for a successful audit

Before selecting an auditor, there are a few important steps a company can take:

  1. It’s critical to have a plan and realistic roadmap in place for any audit. Most organizations have undergone various technology assessments like pen tests or vulnerability scans, but preparing for an audit may involve more time and resources than these assessments. 
  2. Like any project, you need commitment from the top. Preparing for an audit serves as a means to instill a control-oriented mindset across the organization, showing clients and company leaders – owners, senior executives, and the board – that the systems in place are not just compliant, but also functioning effectively. 
  3. You’ll need a project leader to liaise with the auditor, manage DevOps, change management, and HR, and coordinate efforts across teams. It’s essential for team members from different departments to respect and collaborate effectively with this key person, ensuring smooth processes.

How do you pick the right auditor? 

When selecting the right auditor for your organization, consider the following evaluation criteria:

Suitability:

If you’re a startup, you want to choose an auditor who understands the nuances of a startup environment. If you get an auditor accustomed to working with multi-billion-dollar clients, they may provide you with a generic request list without offering tailored guidance suitable for smaller organizations. Similarly, if you’re a larger organization, it’s important to find an auditor with relevant experience.

You’re not only seeking an audit, but also advice, so it’s important that they understand your priorities. Review their track record with similar-sized companies, request references, and invest time in understanding their approach.

Ability to answer questions:

An auditor should be able to explain how audits work, and how your company should get ready for one. Some questions to ask include:

  • What’s a typical timeline? 
  • How will we track our progress?
  • What Trust Service Criteria (Security, Availability, Processing Integrity, Confidentiality and/or Privacy) are we auditing against?
  • What’s the difference between confidentiality and privacy?

Reliability:

When evaluating any CPA firm, make sure that their own practices have been audited by another firm. The CPA industry has a peer review process, subjecting a firm’s operations to audit by other firms every two years. That’s the auditor being audited, which ensures they’re delivering high-quality services. 

Responsiveness:

Send the potential auditor an email and observe how long it takes to get a response. This initial interaction offers insight into how they manage client engagement. You want someone who is available to answer your questions and provide updates.

How much will an audit cost?

Here are some factors that may have an impact on the pricing process:

  1. Geography: The location of the company being audited and its customers may impact pricing, as some regions have specific regulatory requirements that can increase costs. Some markets are also more expensive than others, so a firm’s location may influence pricing as well.
  2. Division of Tasks: Sometimes CPA firms just give their opinion, and a smaller non-CPA firm will actually do the testing, affecting both pricing and service quality.
  3. Offshoring: Sometimes firms offshore the work, which can save money. If clients are sensitive to privacy and security, then they might become sensitive to where their data is going. There’s a tradeoff here, and you want to be aware of who has access to your data.
  4. Audit Duration: The time required to complete the audit process can affect pricing. Some clients prefer faster processes and may negotiate costs accordingly.
  5. Trust Service Criteria: The criteria in scope will impact the price; remember, you DO NOT need to do all five. Start small if you can and expand as necessary.
  6. Audit type: Will this be a Type 1 (design of controls) or a Type 2 (design of controls AND operating effectiveness)? The choice will often be driven by your business partners. Generally speaking, you will need to have a Type 2 that covers a specified period of time, such as 6 months.

And always remember that you can negotiate!

Quality comes with a certain cost. The audit process should provide genuine assurance and not just fulfill a checklist.

About Dan Andrea: Dan has over 40 years of public accounting experience, in the performance of forensic accounting and litigation support procedures, SOC 1, 2 and 3 examinations, internal accounting controls assessments for ISO 27001, HIPAA, and NIST, financial statement audits and information technology consulting services. Dan specializes in cybersecurity, social engineering, and data privacy audits in a variety of industries including manufacturing and distribution, financial services (financial institutions, Trust Companies, Family Offices), and tax exempt industries.

About KLR: KLR is one of the largest public accounting firms headquartered in New England, with practice areas including Accounting and Assurance, Tax Services, Transaction Advisory Services, Cyber Security, and more. Learn more at https://kahnlitwin.com/