It All Starts with Defining Scope and Customer Commitment
So your customer (or sales rep) told you that you need to conduct an external audit in order to win the business...
Whether it is an ISO 27001 certification, SOC 2 examination or a FedRAMP assessment, companies are often challenged by the need to address customer requirements while ensuring a return on compliance investment.
Part 1: Scoping
In part one of this post, we address the key factors companies should consider when undertaking a compliance effort and how properly scoping the effort and fully understanding your customers’ request will impact the success and timely completion of your audit.
The most important factor in scoping a potential assessment is understanding what deliverable the recipient (i.e. your customer or partner) is expecting. Customer commitments take different forms from compliance with a set of compliance requirements (like PCI) to specific security control requirements for security awareness, passwords, encryption, or multifactor authentication. Often times, we find that even the customer making the request of you may not fully understand the difference between some of the assessments available, so best to clarify their needs and expectations before heading down a particular path.
Scope, Scope, Scope
Our first step is always to complete a scoping exercise. This exercise can be achieved by completing a questionnaire or through a conversation with one of our subject matter experts. In some instances, we require a questionnaire be completed in addition to that call – this is required by the ANSI National Accreditation Board (ANAB) for ISO 27001 certification, for example. Key factors in scoping include:
- Nature and number of lines of businesses covered by the assessment
- Number of applications covered
- Technology footprint in terms of approximate number of system components
- Number of locations that require an on-site visit (e.g. just the physical office or remote employees when the application is hosted by a cloud provider)
- Number of persons covered by the scope of the audit or (required for ISO)
- Approximate number of persons to be interacted with during the assessment
If you are a service provider, your report should support your customers’ compliance efforts. When your customers look at an ISO 27001 certificate, PCI attestation or compliance or SOC 2 report, the expectation is that the scope matches the service components and commitments to your customers.
Finally, it is important for us to understand timing constraints. In many cases, your time to market and/or a revenue generating deal depends on the timely completion of an assessment. It may also impact your choice in initial audits (e.g. a Type 1 SOC 2 can typically be executed faster). Additionally, Schellman can also provide a letter of engagement to show the customer you have taken the necessary steps.
Part 2: How Does Schellman Price?
Now that we have scoped your environment and needs, what factors contribute to Schellman’s pricing?
Project Experience and Consistent Execution
Schellman uses an outcome-based fixed-fee pricing model that is based on our extensive experience performing thousands of assessments annually. In the past year, we have conducted more than:
- 1,000 SOC examinations
- 300 ISO certification projects
- 150 PCI assessment projects
- 150 penetration tests
- 75 FedRAMP assessments
Based on this experience, we can approximate the level of effort associated with a wide range of scoping scenarios. For instance, we generally know how many auditor weeks is required for a SOC 2 with Security for a single application, supported by approximately 20 engineers that is hosted at a cloud hosting provider like AWS that has its own SOC 2. Combining our historical project statistics with the data gathered in our initial scoping discussion allows us to provide fix-fee arrangements with confidence of consistency. We usually get it right, but when we do not – we learn and adjust appropriately.
Beware of Low Pricing and Amendment Creep...
We often hear stories of prospective clients going with low-cost providers who use low fees to get in the door, only to issue multiple amendments to the original contract down the road - eliminating the cost savings that was pitched in the first place. Additionally, we have seen choosing an inexperienced firm ultimately result in redoing a lot of your original work.
At Schellman, the number of amendments we execute on our agreements after engaging a client is less than 5% and most of these changes are due to scope expansion.
How Does Schellman Compare to its Competitors?
While it may seem easy to say, “we’re more than some, less than others” the answer is it depends. Schellman neither has the overhead of a Big 4 firm nor the financial debt or overhead of a funded company. This allows us a flexible financial structure.
That said, we hire only experienced people and we compensate well. So, while often less than Big 4 (despite being alumni), we are commonly more expensive than a smaller firm that hire less experienced people and comparable with other leading cybersecurity companies.
You have read through this entire blog post we probably haven’t answered that burning question you wanted to know:
How much will my audit cost?
Well, if you are asking, we probably haven’t completed that scoping exercise and without fully understanding your needs and key drivers we don’t know if it is a thirty-something basic SOC 2 examination or a two-hundred plus FedRAMP assessment. With a quick and thoughtful scoping exercise we are happy to get that answer back to you in a day or two.
We work to make that process as quick and simple as possible. Get started by contacting our team.
We also believe that the process of understanding your requirements should demonstrate the level of care and diligence you will expect from us as auditors.
About Douglas Barbin
Doug Barbin is managing principal (and co-owner) responsible for firmwide growth and service delivery including new services, sales, global expansion, technology partnerships, business development, marketing, and key client relationships. During his more than 11 years at Schellman, he has been privileged to work with many of the world's leading cloud computing, federal, FinTech, healthcare, AI, and security provider clients. Doug has more than 24 years’ experience, starting with a then Big 6 firm followed by a decade working in the cybersecurity and financial services industries. He maintains multiple CPA licenses, along with CISSP, CIPP, ISO 27001 Lead Auditor, and QSA certifications. He is very active in industry organizations and regularly speaks on commercial and government compliance and its application to cloud and other advanced technologies.