15+ Tips for Choosing an Auditor, According to Secureframe Audit Partners
Preparing for a security audit comes with a heavy mental load. There’s so much to think about: Did you establish the proper scope? Implement controls correctly? Are your policies compliant?
Selecting an auditing firm can feel like just one more decision to make. It can be tempting to find the least expensive auditing firm in your area or the firm with the shortest waitlist. But finding a firm that understands your industry’s threat landscape, privacy obligations, and information security needs is an investment that pays dividends during the audit itself and beyond.
Selecting an auditing firm for your compliance effort is an important choice that will have a major impact on your audit experience and your final report or certification. To help you find the right auditor for your needs, we’ve collected more than 15 tips for evaluating auditing firms from our trusted audit partners.
What does an auditor do?
Many security and privacy compliance efforts like SOC 2 and ISO 27001 require an external audit conducted by an information security auditor. These are compliance experts who can evaluate how effective your security program is and determine whether it meets your chosen framework’s specific standards and requirements.
After the assessment, the auditor issues a formal report: for SOC 2, an attestation report containing a description of the in-scope system, the controls tested, any exceptions found, and the auditor's opinion; for ISO 27001, an audit report listing nonconformities and a certification decision. Recommendations for improvement, where offered, are typically delivered in a separate management letter or debrief rather than inside the report itself, because an auditor must stay independent of the controls they attest to.
How to choose an auditor
The best auditors are your partners in the compliance process. Here are our tips to help you select an auditor that’s right for your organization’s needs.
1. Verify accreditation
Whichever security certification you’ve chosen to pursue, it’s important to verify that your auditor has the proper credentials to assess your organization’s security posture and controls.
For example, a SOC 2 examination can only be performed by a licensed CPA firm, following the attestation standards set by the American Institute of Certified Public Accountants (AICPA). An ISO 27001 certificate can only be issued by a certification body that is itself accredited by a national accreditation body (for example UKAS in the UK or ANAB in the US), and its Stage 1 and Stage 2 audits must be carried out by auditors qualified under that body's scheme. Both are easy to verify: check the firm's CPA license with the relevant state board, and look the certification body up in the accreditation body's public directory before you sign.
In some instances, you may decide to work with a firm that’s not yet accredited in one of the frameworks you’re interested in. The key is to analyze whether the experience of the audit firm aligns with your organization's goals, says Steve Ryan, an attest services manager at Barr Advisory. “For example, if your organization is interested in an ISO 27001 certification and the audit firm is just starting an ISO practice and is not yet accredited, determine whether you’re comfortable with going through a new process with them or if you’d prefer a more experienced firm,” he says.
2. Evaluate experience
Next, you want to evaluate the experience of the audit firms you’re considering in terms of industry, customer size, tools, training, and other factors.
Audit firms that have experience working with organizations similar to yours will have a deeper understanding of industry best practices and requirements, which typically means a faster audit process and more meaningful insights into your overall security posture.
The depth of industry experience a firm has can make them more equipped to understand the complexity of your environment, according to Chris Roe, a manager at Sensiba San Filippo. “It is essential to ensure your auditor has experience with an array of different environments to determine you are getting the controls that best fit your in-scope systems and are not causing unnecessary complications,” he says.
Ryan says that you should also consider the size of an audit firm’s past clients. “When evaluating an auditor’s experience, you want to figure out what their bread and butter is. For example, if they only have experience with startups and you’re looking for an auditor for your enterprise organization, they may not have the experience you’re looking for.”
It is also important to make sure the auditors have experience with the compliance automation tool you use — if you use one — so they can best utilize its potential, Roe says.
When starting to evaluate the experience of different auditing firms, look at their websites and review auditor profiles to gauge the average years of experience and the information security certifications their auditors have.
“It can also be useful to see if they have experience at a Big 4 public accounting firm (PwC, Deloitte, EY, KPMG) since that is widely accepted as the best environment to train in as an auditor,” says Matthew A. Drewyor, managing principal at Sentry Assurance.
Then during interviews, you can ask about their experience with your industry, different environments, and compliance automation tools.
3. Confirm who will be performing the assessment
When evaluating audit firms, Richard Rieben, partner at Linford & Company, LLP, also recommends asking about their staffing approach.
“Individuals evaluating audit firms should understand how much experience their assigned resource has delivering the specific type of audit or assessment being conducted,” he says. “It is not unusual for senior personnel to sell engagements and then assign junior-level resources to perform the actual delivery of the engagement. This can create a gap between expectations and reality in the experience a client faces.”
To avoid any surprises, it’s important to engage in a conversation with the actual personnel that will be conducting your audit, Rieben says.
Nirav Shah, principal of IT Risk Assurance & Advisory Services at Hancock Askew & Co, LLP, also recommends asking who will actually be performing the assessment and whether the firm’s partners or managers will be part of the engagement. It’s also important to understand if the firm has a sales or service team and what their role is in the process, he says.
Asking these questions will help you understand who will be part of the entire audit process and whether there will be any handoffs to other teams or practitioners.
4. Check for multiple certification frameworks
Most organizations will eventually need to demonstrate compliance with more than one security or privacy framework to satisfy customers and regulators: SOC 2, ISO 27001, PCI DSS, HIPAA, GDPR, CCPA, NIST 800-53, CMMC, or some combination of these. Note that not all of these produce a certificate: SOC 2 yields an attestation report, ISO 27001 a certificate, while HIPAA, GDPR, and CCPA are regulations that are typically assessed through gap or compliance assessments rather than certified. Working with the same firm across these frameworks makes the overall audit process more efficient and often saves both time and money.
Rieben also stresses the importance of asking an audit firm about its process for delivering multiple certifications. “If your organization plans to pursue multiple audits or certifications (i.e. SOC 2 as well as ISO 27001), then it should consider whether the firm they are evaluating has the ability to deliver those services as part of one engagement with one delivery team. Many firms will have different teams and different timelines for separate assessments, while some firms are able to deliver multiple reports as part of one audit engagement.”
Even if you’re only pursuing a single compliance framework to start, it’s very likely that you’ll find yourself in need of multiple certifications as your business grows into new markets, industries, and geographies. That’s why you need an audit partner that can grow with you, Drewyor says.
“The more you grow, the more likely that your compliance needs will evolve,” he says. “As those needs evolve, you want the knowledge and history with your audit partner — you don’t want the added burden of a new team and learning curve. So you need an audit partner that can scale with you.”
That doesn’t necessarily mean you should pick the audit firm that supports the most certification frameworks, however. Ryan Johanson, partner at Johanson Group, says, “The client needs to ask themselves what their own roadmap looks like. If the client is never going to do a CMMC or PCI audit, then a firm that offers those services doesn't add value to the client. Look for a firm that offers the services that you currently need or are on your short horizon.”
5. Check for readiness assessment and/or gap analysis services
Unless you have an information security expert already on staff, it’s likely you’ll need to complete a gap analysis and/or readiness assessment as part of the audit preparation process. Many audit firms offer these services to give their clients a complete picture of any issues in their current environment that could keep them from meeting compliance requirements.
An experienced auditor will work with you to identify potential issues with your systems, policies, processes, and controls so you can remediate gaps before the formal audit, rather than discovering them as exceptions in your report and paying for a second audit. One caveat: independence rules limit how far the same firm can go. A readiness assessment that points out gaps is fine, but the firm that performs your SOC 2 examination cannot design or implement the controls it then attests to, and an ISO 27001 certification body cannot act as your consultant or internal auditor. Ask how the firm separates the two roles.
According to Roe, the goal is to find a firm that aims to be a trusted adviser and not just an audit firm. “You want to confirm that your auditor will be there to provide you with guidance on security improvements and industry standard best practices to support the changing technology and security landscape,” he says.
6. Understand their audit process
It’s essential that you understand how the audit will be conducted. To get a clear sense of an auditor’s process, David English, the sales and marketing director at British Assessment Bureau, recommends reviewing sample or redacted versions of the auditor's previous reports (client reports themselves are confidential) or asking for examples of how they analyze data and information during the audit. “Look for evidence of their ability to identify trends, patterns, and root causes of issues,” he says.
It’s also a good idea to get an idea of how the auditor prefers to communicate with clients. What tools will you use to securely share sensitive information? Audit evidence routinely includes configuration exports, access lists, and screenshots of internal systems, so confirm that whatever channel is used is access-controlled and that the firm has a retention policy for what you hand over. Will you need to upload audit evidence to a shared drive or can your auditor streamline the process by accessing your Secureframe Data Room? Will you discuss audit progress and additional evidence requests via email or phone?
“A big pain point we come across with clients that are unhappy with previous auditors is lack of communication and transparency,” says Drewyor. To avoid this, he says to ask about communication style during the evaluation process: “Ask them what their communication, reporting, and project management methods are, and how they are going to ensure you stay updated on the progress and status of your audit.”
Ryan says that asking about the audit process should also help you evaluate the firm’s values. “These questions should illuminate whether an auditor is just performing a check-the-box exercise or if they’re really going to take the time to understand your environment, identify process improvement opportunities, and help you meet your end goals to improve your overall security posture.”
Overall, make sure the process of how the audit will be conducted matches the expectations and goals of your organization.
7. Discuss timelines
It’s essential that an auditor is able to work with your expected timeline.
When interviewing potential auditors, ask what the average turnaround time is between the completion of fieldwork and delivery of the final report. Keep in mind that some parts of the timeline are fixed by the framework rather than the firm: a SOC 2 Type II report covers an observation period, commonly three to twelve months, that must elapse before testing can finish, and an ISO 27001 certification requires a Stage 1 and a Stage 2 audit. Then, before moving forward with one, make sure you agree on the logistics of the audit, including the timeframe in which it will be completed and when to expect your auditor on-site.
“The number one priority for any organization evaluating audit firms should be establishing a level of comfort,” Rieben says. “Knowing who you'll be working with, what process you'll be following, what tools you'll be using, and what the timeline will be is very important — and should be clearly discussed and communicated as part of the evaluation process.”
8. Try to get a sense of their personality
You’re not only selecting an auditor based on their qualifications on paper — you’re also choosing a person that you’ll be working with for anywhere from a few weeks to a year or more. Make sure your personalities are compatible.
To do so, Ryan recommends speaking directly to the individual you’ll be working with throughout your engagement. “Spend some time talking to the person you’re going to be working with on a day-to-day basis to make sure you can stand to work with them,” he says. “This step can make the difference between a difficult engagement or an exciting engagement.”
Michael O. Bayere, principal officer at CAS Assurance, also recommends asking a potential auditor how they deal with difficult audit clients. This question will help elucidate the auditor’s personality and how they might work with you to solve challenges that arise during your engagement.
9. Evaluate their reputation
Prospective clients should also closely evaluate the reputation of auditors they are considering, according to Jeffrey Filler, partner at Boulay. “Factors to consider include how long the firm has been in business and results of AICPA peer reviews or other third-party assessments,” he says.
You can also ask an auditor for testimonials from previous clients or reach out to them directly to help understand their reputation.
“I also recommend performing a quick web search to ensure the audit firm isn’t tied to anything that may cause concern, such as fraud or serious data breaches,” Ryan says.
Interview questions for auditors
To help guide your interviews with prospective auditors and firms, download our list of questions recommended by real auditors. Many of these questions are ones they hear on calls with their own prospects and will help you get a better sense of an auditor’s experience, personality, reputation, and more.
Trusted Audit Firms
To help you get started on your search for an auditor that’s right for your business, we’ve compiled some of the pre-vetted audit partners within the Secureframe Trusted Partner Network.
360 Advanced
360 Advanced provides guidance, consulting services, and integrated solutions customized to meet your business’s security and compliance needs, whether you’re implementing a privacy and security program for the first time or need a third-party evaluation of existing controls.
Aprio
Aprio is a premier, full-service CPA and business advisory firm that advises clients and associates on how to navigate compliance requirements, grow the value of their organization, and achieve what’s next.
Barr Advisory
Barr Advisory helps technology and cloud service providers simplify the path to compliance for multiple frameworks, including SOC 2, ISO 27001, HIPAA, HITRUST, PCI, FedRAMP, and NIST 800-53.
Boulay
Boulay is a top 100 CPA and advisory firm based in Minneapolis, Minnesota that provides SOC 2 services to clients across the United States and globally.
British Assessment Bureau
British Assessment Bureau offers a range of UKAS-accredited and industry associated certifications plus ISO software solutions to enable businesses to demonstrate their commitment to excellence.
CAS Assurance, LLC
Auditors at CAS Assurance have an average of 15+ years relevant experience. The team leverages experience, technology, and proven process to deliver audit engagements, including SOC 2 and SOC 2 + CCM audits in a stress-free and value-adding way.
Consilium Labs
Consilium Labs partners with organizations to streamline the ISO 27001 audit process and provide the most up-to-date and innovative approaches to security compliance.
Control Logics
Since 2008, the team at Control Logic has performed security assessments for over 200 companies around the world, with services tailored for each client’s needs.
Daszkal Bolton
Daszkal Bolton is a leading accounting and advisory services firm that has worked with organizations in health care, technology, biotech, construction, real estate, manufacturing, distribution, and international business for more than 20 years.
GRSee Consulting
GRSee Consulting is a private international consulting firm that provides PCI audits, preparation services for SOC 2 and ISO 27001, and other technical services including penetration testing.
Hancock Askew & Co, LLP
The highly-trained auditors at Hancock Askew each have 15+ years of experience. They offer customers high-quality SOC reports delivered within 45 days of the end of the examination period.
Insight Assurance
Auditors at Insight Assurance have an average of 10+ years of experience. With over 200 SOC 2 engagements completed, their experts are ready to assist with SOC 2 compliance.
Johanson Group
Specializing in SOC 1, SOC 2, SOC 3, HIPAA, and ISO/IEC 27001, Johanson Group deploys multidisciplinary teams comprised of licensed CPAs and information technology and security specialists to complete a comprehensive and thorough evaluation of controls related to the services you provide.
KLR
KLR is a top public accounting firm that provides assurance, tax, and business advisory services to private and publicly-held companies throughout the United States and abroad.
Linford & Company LLP
The experienced, responsive team at Linford & Co can help clients decide which type of audit they need, meet all reporting deadlines, and provide advice and recommendations to improve internal controls.
MJD Advisors
MJD Advisors is a boutique, tech-forward CPA firm that specializes in providing SOC 2 examinations for technology companies around the world.
Moss Adams
Moss Adams is a fully integrated professional services firm that helps hundreds of companies manage their compliance risk and complete SOC 1, SOC 2, SOC 3, and PCI DSS audits as well as HIPAA and HITRUST assessments.
Oread Risk
Oread Risk works with clients to achieve multiple compliance objectives, including SOC audits, HIPAA assessments, network vulnerability assessments, penetration testing, PCI consulting, ISO 27002 consulting, and more.
Prescient Assurance
Prescient Assurance is a multi-framework audit and pen testing firm that specializes in B2B SaaS companies and enterprise clients. They provide audit and security services to over 3000 companies globally for SOC 1, SOC 2, SOC 3, ISO 27001, ISO 27701, ISO 9001, PCI, HITRUST, CSA STAR, HIPAA, GDPR, NIST, Google CASA, FedRAMP, and many other frameworks.
Sensiba San Filippo
Sensiba San Filippo (SSF) provides comprehensive tax, audit, and consulting services and combines a national footprint with deep expertise and relationships throughout Silicon Valley to serve clients in software, SaaS, Big Data, fintech, networking, hardware, energy, health care, and life sciences worldwide.
Sentry Assurance
Sentry Assurance is a licensed CPA firm that provides custom-tailored auditing services for SOC 1 and SOC 2. Its team of audit professionals has decades of combined experience across multiple Big 4 firms.
Zeroday
Zeroday provides a streamlined process for IT and compliance attestation services across a wide range of frameworks, including SOC, ISO, HIPAA, GDPR, and CCPA.
Find a trusted firm for your security audit
Secureframe works with a network of trusted audit partners to ensure our customers have direct access to highly respected auditing firms. We’ll help pair you with an experienced auditor that’s the perfect fit for your business. Request a demo to learn more about the many ways Secureframe streamlines the compliance process, from audit readiness to final report.