What to Look for When Choosing an Auditing Firm
Think of your auditing firm like you would a long-term business partner. They are someone you will work with year after year, and they will be an integral part of setting the stage for your organization’s success. As such, the act of selecting the appropriate assessor shouldn’t be taken lightly. Here are several key qualities your organization should look for when choosing an auditing firm:
The Right Qualifications
Naturally, make sure the auditing firm you’re scouting looks good on paper. Ask for proof of their training and qualifications that certify them to perform the assessments your organization requires. They should have an external auditor certification and certified public accountant (CPA) licensure. It is rare to find a firm that is a globally licensed PCI Qualified Security Assessor, an ISO Certification Body and a FedRAMP 3PAO, in addition to a CPA and external auditor. If you find one—don’t let them get away!
One Auditing Firm That Does it All
Find an auditing firm that specializes in several assessments, including:
- SSAE 16 (SOC 1)
- SOC 2 / SOC 3
- HIPAA / HITECH / HITRUST
- ISO Certification
- PCI Annual Validation
- FedRAMP Assessment
- CSA STAR Assessment
Using one firm for all assessments cuts out the time and money otherwise spent hunting down, negotiating with, and familiarizing a new auditor with your business model and needs every time you require an assessment or certification. Another advantage of a single assessor is that they can perform multiple assessments at the same time.
A Solid Reputation
When it comes to auditing firms, their value proposition should be clear and readily apparent to you. If you partner with a new firm or select a firm that’s in a state of rapid growth, there is no guarantee your auditing process will run smoothly or worse—your audit report might be viewed with a degree of skepticism. Choosing a firm with a well-recognized name and demonstrated expertise means you’ll be partnering with a firm that will likely have helped establish the standards for auditing and assessment practices.
Room for Negotiations
Partnering with an auditing firm is a business transaction, and like most other business dealings, you’ll want to negotiate to get the best possible value for your organization. If the fees you pay your auditor are not fixed, then shop around and choose an auditing firm that offers competitive pricing, exceptional value, and transparency about the total price of the assessment, preferably as a fixed fee.
The ideal partnership is with an auditing firm that has experience in your particular area of business. The entire auditing process will be more straightforward if the assessor is already familiar with your industry’s goals and pain points, and your organization will save the time, money and effort otherwise spent on onboarding.
During negotiations with your potential new auditing firm, ask to speak with senior partners and get to know the firm from top to bottom. You should also be introduced to the staff member(s) who will be handling your account on a regular basis. Make sure these individuals are people you will be comfortable working with long-term. Note whether firm representatives are responsive, friendly and helpful. Common sense: Do not choose an audit firm that does not make your time a priority or is not available when you need them.
Form an audit committee to help vet auditing firms. This committee should understand what audits may be required and generally, how the audits should be performed. They should also create an evaluation standard that can be used to compare firms. Don’t forget: While price is important, it’s not the only factor you should be concerned about. Qualifications, service offerings, experience, reputation and client support are equally important and will add value to the partnership.
Audits and certifications don’t have to be burdensome. By choosing an experienced and reputable firm that provides multiple assessments and understands your industry, your organization can depend on the same firm for certifications and assessments each year, with a high degree of quality and value.
About RYAN BUCKNER
Ryan Buckner is a Principal at Schellman & Company, Inc. Ryan currently leads Schellman’s SOC 1 practice and has been a leading advocate for the adoption of SOC 1 and SOC 2 solutions by cloud service providers. Ryan is also an AICPA-approved and nationally listed SOC Peer Review Specialist for SOC 1 and SOC 2 examinations. Having completed over 800 service audits, Ryan is one of the most experienced service auditors in the United States.