Straightforward, non-salesy advice on how to choose auditors for security certifications like SOC 2 is lacking. Sure, you could spend hours searching for bits and pieces of info and/or talk to different auditors, but you won't find all of the info in one place (and by then, you'll probably want to inject yourself with bleach).
That's why the Tugboat Labs team (former auditors from PwC and the largest bank in Nigeria!) wanted to make sure the right info was shared with you. You won't get this quality and candidness of info from other vendors (yep, not even our competitor who's going to copy this guide like they've done with almost all of our blog posts and guides).
Here are the six criteria for choosing auditors to work with according to the Tugboat Labs team:
Reputation is a straightforward criterion, so we won't belabor the point. One thing we do want to point out: the "Big Four" (PwC, Deloitte, Ernst & Young, and KPMG) always come to mind when people think of accounting / CPA / security audits. But they're expensive for smaller companies, so they may be out of reach if you're price-sensitive. That said, you can't go wrong getting audited by any of them, since they know their stuff backwards and forwards. (One nit on terminology: a SOC 2 is technically an attestation report issued by a licensed CPA firm, not a certification, which is exactly why the firm's reputation matters so much to whoever reads the report.) Now, that's not to say all other accounting firms are inferior to the "Big Four" – far from it. You can get "Big Four" quality at a fraction of the cost with smaller CPA firms like Armanino and Marcum (full disclosure: they're two of our auditor partners and we're proud to be working with them). The key to vetting a firm's reputation is to do both formal customer reference checks and back-channel reference checks. You want to make sure you ask these questions during your exploratory calls with reference customers:
Experience goes hand in glove with reputation, and this is where digging into CPA firms' marketing and sales claims comes in handy. For example, many audit firms tout "We've completed hundreds / thousands / insert your favorite number exaggeration of audits!" as a proxy for their experience. The legit firms can back up their claims, but there are a few firms (one large national firm in particular) that are nothing more than cert mills churning out specious certification reports for their customers.
And by "specious cert reports", we mean reports that look like a company passed at face value, but that carry significant caveats (exceptions and qualified opinions) indicating that the company didn't implement its controls correctly. Nothing's worse than sharing a SOC 2 report with prospects and customers that makes you look incompetent 🤦‍♂️. So, always, always, always vet any auditor (and vendors, more broadly) you're going to work with by asking these two questions as a starting point, and then digging into their responses:
What's key for all great relationships is indubitably key for your relationship with your auditor: personality fit and communication style. We'd argue that this is the most important factor in deciding on an auditor, because there are a lot of great CPA firms out there who do great work and charge reasonable prices, but all of that goes out the window if you have conflicting ways of doing things and don't see eye to eye.
The adage "You get what you pay for" holds especially true for CPA firms.
Now, that's not to say that you can't find affordable, quality audit firms out there. But don't let a low price quote be a major factor in your decision, because you'll pay for it later in wasted time and money: several of our customers had buyer's remorse with large, well-known auditors whose prices were too good to be true, and ended up paying a second auditor to get them where they needed to go.
Yes, getting a SOC 2 can be expensive. Yes, it takes time to evaluate different auditors. Yes, it's a lot of work to get a security audit.
But you won't have to suffer the agony of buyer's remorse (and the wrath of your CEO for going over budget and missing the deadlines you set) so long as you carve out plenty of time to go through all of this and you have the right budget set aside for this investment. Here's one question you should ask as part of the eval:
It seems like a "gotcha!" question, but it forces you to listen closely to how the auditor presents themselves and makes the case for why they are indeed the best choice for you.
It's easy to forget that the person you're speaking with during the evaluation process (especially if they're in sales) most likely won't be the one working with you and your company after you sign on as a customer. All their promises and careless whispers of sweet nothings might very well be for naught once the contract is signed and they've officially taken your money. To avoid being sold a bill of goods, ask specifically who will be staffed on your engagement, then ask these questions and listen carefully to what is said and how it's said. And trust your gut: if an answer sounds too vague or too good to be true, the wool is slowly being pulled over your eyes.
There are two things to keep in mind when evaluating the last criterion:
Given that some frameworks (e.g. SOC 2, whose Trust Services Criteria describe outcomes rather than prescribing specific controls) are more nebulous in their guidelines, you'll find that no two auditors interpret all of a framework's criteria the same way. For instance, some SOC 2 auditors will define and interpret controls very narrowly and request that evidence be collected in a specific way to satisfy their narrow definition, whereas others will be looser in their interpretation and will accept what you've presented.
This exact scenario happened to one of our teammates, who worked with two different auditors on SOC 2 at his last two start-ups: for the control requiring antivirus (AV) to be installed on work-issued computers, each auditor requested a different form of evidence. One auditor was fine with a screenshot of the AV program and the user license key associated with it, while the other wanted him to first download the log file from the AV program proving when he originally installed it, and then go into his MacBook's Console to pull logs from an arbitrary date after the install to prove that AV was still installed and running on his computer. In other words, the second auditor wanted evidence of both the point-in-time installation and continued operation, which is a lot more work to produce across a whole fleet of laptops.
Cautionary tale aside, it's key that you ask each auditor you're evaluating to walk you through how they would collect evidence from you for a couple of representative controls, so you can gauge the level of effort required from you and your teammates (hell, you can even use the story above as the example scenario when grilling auditors).