Straightforward, non-salesy advice on how to choose auditors for security certifications like SOC 2 is lacking. Sure, you could spend hours searching for bits and pieces of info and or talk to different auditors, but you won’t find all of the info in one place (and by then, you probably want to inject yourself with bleach).
That’s why the Tugboat Labs team (former auditors from PwC and the largest bank in Nigeria!) wanted to make sure the right info was shared with you. You won’t get this quality and candidness of info from other vendors (yep, not even our competitor who’s going to copy this guide like they’ve done with almost of all of our blog posts and guides).
Here are the six criteria for choosing auditors to work with according to the Tugboat Labs team:
It’s a straightforward criterion so we won’t belabor the point. One thing we do want to point out: the “Big Four” (PwC, Deloitte, Ernst & Young, and KPMG) always come to mind when people think of accounting / CPA / security audits. But, they’re expensive for smaller companies if you’re price-sensitive. However, you can’t go wrong in getting certified by any of them since they know their stuff backward and forwards.
Now, that’s not to say all other accounting firms are inferior to the “Big Four” – far from it. You can get “Big Four” quality at a fraction of the cost with smaller CPA firms like Armanino and Marcum (full disclosure: they’re two of our auditor partners and we’re proud to be working with them). The key to vetting their reputation is to do both formal customer and back-channel reference checks. You want to make sure you ask these questions during your exploratory calls with reference customers:
- How’s your audit team’s quality of service and responsiveness (i.e. post-sale support)?
- How flexible have they been in working with you? Is it a “My way or the highway” or “Hey, you do you boo, and we’ll be here to guide you in the right direction” approach?
- Have there been any instances where they over-promised and under-delivered? Why?
- How hands-on are they?
- How would you rate them compared to other auditors you’ve spoken with?
Experience goes hand in glove with reputation, and this is where digging into CPA firms’ marketing and sales claims comes in handy. For example, many audit firms tout “We’ve completed hundreds / thousands / insert your favorite number exaggeration of audits!” as a proxy for their experience. The legit firms can back up their claims, but there are a few firms (one large national firm in particular) that are nothing more than cert mills churning out specious certification reports for their customers.
And by “specious cert reports”, we mean reports that look like a company passed at face value, but with significant caveats indicating that the didn’t implement controls correctly. Nothing’s worse than sharing a SOC 2 report with prospects and customers that makes you look incompetent ?
So, always, always, always vet any auditor (and vendors, more broadly) you’re going to work with by asking these two questions as a starting point, and then digging into their responses:
- What other assessments or certifications do you perform? You want to ask this in case you need to get another certification and not switch auditors (and then go through the evaluation process all over again)
- For those who got SOC 2 (or whatever cert you’re looking to get), which industry (e.g. HR) and company type (e.g. SaaS, eCommerce) do your customers predominantly come from? Now, your auditor doesn’t need to be a domain expert about your company and its industry, but it certainly helps to work with one that knows your industry and its nuances.
3) Personality and Communication
What’s key for all great relationships is indubitably key for your relationship with your auditor: personality fit and communication style. We’d argue that this the most important factor in deciding on an auditor because there are a lot of great CPA firms out there who do great work and charge reasonable prices, but all that goes out the window if you have conflicting ways of doing things and don’t see eye to eye.
The adage “You pay for what you get” holds especially true for CPA firms.
Now, that’s not to say that you can’t find affordable and quality audit firms out there. But, don’t let a low price quote be a major factor in your decision because you’ll pay for it later with wasted time and money: several of our customers had buyer’s remorse with large, well-known auditors whose prices were too good to be true, and ended up paying for another auditor to help them get to where they needed to get to.
Yes, getting a SOC 2 can be expensive. Yes, it takes time to evaluate different auditors. Yes, it’s a lot of work to get a security audit.
But, you won’t have suffer the agony of buyer’s remorse (and the wrath of your CEO for going over budget and not meeting deadlines you set) so long as you carve out plenty of time for yourself to go through all of this and you have the right budget set aside for this investment. Here’s one question you should ask as part of the eval:
- Aside from price, what actually sets you apart from the other audit firms I’m considering?
It seems like a “gotcha!” question, but it will help you listen closely to how the auditor presents themselves and makes the case for why they are indeed the best choice for you.
5) Team Availability and Escalation SLA
It’s always easy to forget that the person you’re speaking with (especially if they’re in sales) as part of the evaluation process most likely won’t be the one working with you and your company after you join as a customer. All their promises and careless whispers of sweet nothings might very well be all for naught once the contract is signed and they’ve officially taken your money.
To avoid getting a bill of goods, make sure you ask these questions and listen carefully to what and how things are said. And, trust your gut: if an answer sounds too vague or too good to be true, then the wool is slowly being pulled over your eyes.
- What’s your SLA on response times?
- What’s the escalation process like? Will we have a dedicated senior auditor on our account and how responsive is s/he?
- Who will be our dedicated account team and how much experience do they have working on SOC 2 / ISO 27001 / name of cert you need?
- May we speak with the dedicated account team members before we join as customers?
There are two things to keep in mind when evaluating the last criterion:
- 1) How the auditor will execute the audit
- 2) How the auditor will interpret the policies and controls
How the Auditor Will Execute the Audit
Audits seem straightforward at first glance, but like the answer to everything in life, (no, it’s not “42”), it depends on how each auditor works with their clients when it comes to managing audit progress, submitting requests for evidence, and collecting evidence. Some auditors prefer to use nothing but spreadsheets and emails to manage the entire audit process, while others use automated tools like Tugboat Logic as their repo and source of truth. And, you’ll see some auditors have built their own homegrown solution to do everything for clients.
How the Auditor Will Interpret the Policies and Controls
Given that some certifications (e.g. SOC 2) are more nebulous in their guidelines and prescription of controls to implement, you’ll find that no two auditors will interpret all of a cert’s guidelines the same way. For instance, some auditors for SOC 2 will define and interpret controls very narrowly and request that evidence be collected in a specific way to meet their narrow definition. Whereas others will be more loose in their interpretation and will accept what you’ve presented.
This exact scenario happened with one of our teammates who worked with two different auditors on SOC 2 at his last two start-ups: for the control on antivirus (AV) being installed on work-issued computers, each auditor requested different ways of collecting evidence. One auditor was fine with a screenshot of the AV program and the user license key associated with it, while the other auditor wanted him to first download the log file from the AV proving when he first installed the program, and then go into his MacBook’s Console to pull out the logs from a random date post-AV install to prove that AV was installed and running on his computer.
Cautionary tale aside, it’s key that you ask each auditor you’re evaluating to show you how they would go about collecting evidence from you to gauge the level of effort needed from you and your teammates (hell, you can even use the story above as the example scenario when grilling auditors).
TL;DR / TL;WR
- Evaluate your auditors on the basis of reputation, experience, personality and communication, price, team availability and escalation SLA, and approach
- Talk to at least three of them to get a good idea of who best fits your needs
- Use the questions our Labs team suggested
- Obligatory marketing shill plug: give us a shout if you have any questions