When you begin planning for a SOC 2 audit, one of the first big decisions is choosing an external audit firm. You want a firm who can help you navigate the process properly and efficiently the first time, and also be capable of serving as a partner through several annual audit cycles.
This can seem like a daunting task. But we’ve seen a variety of audit firms help hundreds of our customers achieve and document their compliance, so we’ve learned quite a bit along the way. To help you get started, here are my 6 key points to consider when choosing an audit firm to help you complete a SOC 2 audit.
1. Are they AICPA affiliated?
This one is pretty straight-forward. SOC 2 audits can only be completed by AICPA-affiliated firms so the audit firm must be AICPA affiliated if it is to do the work. If a firm says this isn’t important, then quickly take them out of consideration.
2. What is their experience in your field?
The audit firm should know your market and business area well. Can they provide references in your industry, and of companies of a similar size and stage to yours? Think about future assessments that you might have, beyond SOC 2, and make sure they have the expertise to grow with your business so this can be a partnership over several years.
3. Have they been peer reviewed in the last 3 years?
This is an essential requirement for any AICPA audit firm. You can ask to see peer reviews and consider those results as part of your selection process.
4. Can you meet in-person and interview the team who will conduct your audit?
Meet the people who will be assigned to your audit team. Make sure they have direct experience in your field and are easy to communicate with. Remember, you are building a long term partnership so you are looking for a good fit. Look for someone with at least 5 years of experience in the industry. If someone junior is assigned to your company, make sure they have guidance from a more experienced auditor. Consider a new audit firm after approximately 3 years to ensure a fresh perspective on your security processes.
5. Does the size of the auditor company matter? What about the reputation of the auditing firm?
In my experience the size or brand name of an audit company is not so important. As an organization you need to determine if you want name recognition from your auditor or not. Just know that you will pay an additional fee for a brand. Excellent middle tier firms, at more reasonable rates, will provide the same services at the same standards. Big firms tend to work with big teams and bigger clients. It is helpful to consider what size of audit company and level of specialization best suits your needs.
6. What is the process for taking you through an audit?
Ask the auditor to walk you through their general process. Do they have an online tool to upload artifacts? Or is it just a Dropbox or Shared Google Drive somewhere? Do they use a system where you can communicate regularly so you can check on assessments in real-time? It can be frustrating to upload materials and not know if it meets criteria until you go through an assessment itself. Having a good method for communicating between auditor and your company makes the whole process go more smoothly.
Ostendio works closely with its customers and several auditor firms. Many of our partner audit firms specialize in SOC 2 assessments and use MyVCM to save their clients time and money. Some of our customers have suggested that they completed a SOC 2 in half the time expected because their audit firms were better prepared by using MyVCM.
If you are preparing for a SOC 2 audit, we can help you select a good audit partner. Just drop us a line at info@ostendio.com. And if you are an audit firm, we would love to talk to you about partnering with us.