Top 10 Tips for Choosing a SOC 2 Auditor
By Dr. Rey LeClerc Sveinsson, ERMProtect
A SOC 2 certification is an independent and rigorous audit of an organization’s technology-related security practices. Companies that pass a SOC 2 audit are demonstrating to potential and existing customers that they have top-notch cybersecurity and organizational governance practices in place to protect their data.
This assurance to customers and the marketplace is why the SOC 2 certification is one of the most desired – and increasingly required – certifications in the marketplace today. The certification is granted only after an outside auditor with deep cybersecurity and compliance expertise attests that an organization’s security controls meet established criteria for the security, availability, confidentiality, and processing integrity of data.
Look For These Characteristics in Your SOC 2 Auditor
Selecting a SOC 2 auditor or SOC 2 assessor is an important endeavor for organizations.
Here are some of the factors organizations should consider:
- Certified Public Accountant (CPA) firms – SOC audits can only be performed by an independent Certified Public Accountant (CPA) or affiliated firms. The audit firm must be affiliated with the American Institute of Certified Public Accountants (AICPA) to conduct SOC 2 audits and release official SOC 2 reports.
- Experience – No two SOC 2 compliance reports are alike. Organizations should look at an audit firm’s previous experience to determine whether it has performed SOC 2 audits similar in nature and scope to the contemplated assessment. Additionally, the organization should evaluate whether the SOC 2 team has worked with companies of comparable size and organizations in the same industry.
- Time Period of Assessment – SOC 2 Type II reports require that an organization’s internal controls be evaluated over a set period of time. Organizations planning to go through a SOC 2 Type II audit should determine the audit firm’s general timeframe and period of assessment for evaluating security controls, to ensure expectations are aligned.
- Process and Scope – Organizations should assess how an audit firm manages the SOC 2 audit process. Audit firms should conduct audits based on the latest AICPA guidelines. SOC 2 assessors should also have a defined process and scope for how audits are conducted and be able to spell out these steps clearly in advance.
- Flexibility - There is no right way to apply the SOC 2 framework to your business, and you want to work with a SOC 2 auditor who knows how to leverage your unique strengths. Some auditors have a one-size-fits-all process they expect you to follow, while others will work with you collaboratively. Flexibility and mutual respect are big predictors of success. More important than any contractual obligation is an open and collaborative approach to the audit process. Ask the auditor questions about the process and gauge how the conversation makes you feel. Do they understand you? Do they think creatively when suggesting solutions? Or do they adhere to a rigid formula?
- Accountability - Make sure the auditor is committed to making themselves accountable to you in terms of turnaround times and responsiveness.
- Team - Choose the team, not the brand. Do not fall into the trap of choosing your SOC 2 auditor based on how well-known the brand is. A brand is made up of different teams performing many distinct functions, but the only team that matters is the one collaborating with you on the audit. Internally, determine who needs to interface with the auditor. Be sure your internal lead meets on a periodic basis with the auditor. Talk to the delivery team, not the salesperson. The delivery team will impact the audit experience and your ultimate success more than any other factor.
- References - Always ask for references, and make sure they come from organizations of comparable size, industry, and situation to yours. Try to get references from the person who collaborated most closely with the auditor. While the audit may have looked seamless and effortless to the management, the internal audit lead who was in the trenches may have a quite different story about their experience.
Ask These Questions to Ensure a Successful Audit Experience
Choosing a SOC 2 auditor can seem like a complicated process, but keep in mind that the most important factor is picking someone who will be a valuable partner. Plan to chat with at least three potential audit firms. All of them will come close in price, but not all of them will be the right SOC 2 auditor for your team. So, the key drivers of your decision will be how they answer the following:
- What is your experience with a company of our size and industry?
Look for a firm that has experience auditing companies that are as close in size, industry and level of security maturity as you. For example, if you are a startup and still growing, it doesn’t make sense to pick a SOC 2 auditor who expects a world-class security program to be in place. That doesn’t align with where you are in your journey.
- How long will the SOC 2 assessment take?
Some auditors offer reasonable rates because they rely on rigid processes and a cookie-cutter approach to increase audit volumes. Make sure you choose an auditor who will adapt to your unique situation. Ask about the quality review process and the layers of review that they have. This will impact the time it takes for the auditor to deliver the SOC 2 compliance report. You are looking for an auditor who is committed to quality, but who is also efficient. Make sure you are comfortable with their deliverable date.
- Do you use a template to guide the process?
This can gauge how flexible a potential auditor will be. Look for auditors who scope each project individually based on your unique organizational profile.
- Who will conduct the audit?
Make sure you know who you will be working with and that they have the expertise that you need for the SOC 2 audit process.
- Who do you need from us to conduct the audit?
Some firms require at least one control per point of focus, while others are fine with adequate coverage for each principle. There is no requirement in the guidance that each point of focus must be mapped to at least one control. For the more operational controls, we find that this one-to-one approach leads to unnecessary, busy-work controls that do not provide any extra layer of security.
- Who is the ultimate CPA on the audit team?
Find out who will sign the SOC 2 compliance report. Ensure that he/she is a CPA and determine what region and time zone they are in and the process for reaching them. You want to know that this person is reachable and responsive to minimize delays, frustration, and miscommunication.
- What does your SLA cover?
Service level agreements (SLAs) keep the auditor honest and motivated, but they also impose expectations on you and your team. Be sure you review those SLAs before making your choice. In some cases, the auditor will apply penalties for delays and changes for extra requirements, which can add up quickly if you or your team are not ready to hit the ground running.
- Will your firm provide recommendations to mature the security environment?
This is especially important if you are a young company. An excellent auditor will meet with you after the audit to suggest areas for improvement or processes and technologies to consider as your security program matures.
ERMProtect Can Help
ERMProtect performs SOC 2 audits and SOC 2 readiness assessments. ERMProtect’s approach is hands-on and focused on helping your organization meet requirements in a cost-effective manner, by:
- Understanding our clients’ regulatory and compliance needs and helping them develop a strategy for meeting them.
- Determining the scope of the audit.
- Assisting in drafting the IT system description.
- Developing the control objectives for your processes.
- Planning an appropriate approach to the risk assessment and identifying the basis for your management assertion.
- Helping your personnel to identify controls and map them to control objectives.
- Benchmarking your control objectives and controls against leading practices.
- Assessing the operational effectiveness of your controls.
- Reporting on the results of our testing.
We leverage 25 years of experience in cybersecurity to secure your data, protect your business, and manage costs and risk. Contact us at 305-447-6750.