Low-Cost Audit Firms: 5 Things to Consider
Compliance and Certification | Assurance / Service Audits | information security
Whether it’s shoes, real estate, or the latest smartphone, everyone’s always looking for a bargain. A central component of any decision you make to purchase or not purchase a good or service is the cost. It’s a little easier to determine that number when you’re buying (or not buying) a good because it’s generally the sticker price and, barring any lemony outliers, the thing does what you need it to.
But when it comes to services—mainly professional services—it’s not the same. The total costs can often be less obvious, making your decision to purchase riskier. More specifically, we mean it makes knowing who to buy from riskier. And with audit services, the stakes are high—these are firms you need to provide independent assurance to your customers or to help you comply with standards that will expand your business.
As a professional cybersecurity and assessment firm ourselves, we know that Schellman isn’t the cheapest option around, and the numbers may mean we’re not the best fit to perform your assessment at a given time. After all, you may want the best quality service, but your budget still exists, looming over your shoulder.
You should have all the information when selecting an audit service provider and what you might be risking. Because oftentimes, those numbers that look so good in the agreed-upon contract don’t truly reflect the “total cost” you’ll incur by the end of the engagement.
In this article, we’ll share five things to consider before selecting the lowest-cost provider for your audit services—things that will actually drive your final price up. That way, even with the constraints of budget and no matter what decision you make, as a prospective buyer of audit and compliance services, you’ll know better exactly what you’re getting into.
1. Lower Auditor Fees May Mean More Strain on Your Internal Resources.
The other issue besides paying for an audit is that you’re paying for an audit, otherwise known as…well… an audit. An audit adds more to everyone’s workload, and one of the biggest things you risk in selecting low-cost—or lowest-cost—vendors is their inability to execute the audit procedures without also requiring a lot of help from you and your resources.
Everyone is going to claim they’re efficient when they’re pitching you, but oftentimes, firms may propose and price their engagements with a perfect case scenario in mind. Really, they’re hoping to just audit the existing controls, leaving you with the responsibility of supplying expert knowledge of the compliance objectives, reporting requirements, authorship of the report, and what audit evidence exactly will be necessary.
Whether that’s due to their inexperience or otherwise, you’d likely prefer an auditor who knows how to ask the right questions of the right people as soon as they come through the door—a team that is so practiced that they don’t rely on inefficiently built audit programs that might have them coming around again and again to request everything they need.
Though it won’t be true of them all, it is typical for low-cost audit and compliance vendors to be inefficient. If you’re going to pay for someone to disrupt your workflow, then it’d be nice if they did it efficiently, asking the right questions of the right people before getting out of your way.
2. Lower Fees Might Be Masking Hourly Billing Arrangements.
These days, many audit and compliance vendors have moved toward fixed-fee arrangements, but such is not the case for many low-cost vendors—some will use very low pricing models to get in your door, but be wary. For some, their hourly billing model ends up may end up burdening you with additional costs for follow-up discussions, related document review, and customary post-audit correspondence.
You see the same thing when you try and book flights: there are certain airlines out there that feature very low ticket fares but will charge a premium for drinks, checked baggage, peanuts, and other “extras.” You may be able to skip buying a Coke on your next trip, but audit-related “extras” can make a big difference in the quality of assessment and how much better you and your customers sleep at night.
3. A Tailored Approach May Be Worth It.
Low-cost audit firms often use a templated or one-size-fits-all approach to auditing environments. A system like that is efficient for them because it means they don’t have to take the time to understand your unique control environment or adapt their audit methodology when determining compliance.
Understanding the client environment and the evolving compliance landscape requires both time and expertise—many micro-firms are reluctant to invest in those areas if they can simply commoditize the engagement for the lowest prices possible.
But not only might one-size-fits-all not suit your needs, but it might also mean further incurred costs when you find out you need to remediate audit findings or implement processes based on inaccurate or imprecise audit results.
4. What is Long-Term Audit Synergy Worth to You?
Now, you may only be searching for an auditor because a customer of yours told you they wanted a specific assessment done. That’s understandable—compliance demands from regulators, potential customers, vendor assessments, industry councils, and business partners are common.
But all these different parties may not want the same audit—the growing reality for many organizations is that they eventually need more than one type of compliance. You may just need a SOC report now, but in the future, you might also need to comply with requirements for ISO, PCI, HIPAA, or more.
That possibility might render engaging the lowest cost security assessor now a less-than-wise decision, because single-provider cybersecurity firms that are duly licensed and authorized to perform multiple compliance audits exist, and there are two big advantages to engaging one:
- They may be able to leverage a single audit effort toward multiple compliance objectives, or at the very least, streamline the processes; and
- There may be an opportunity to create a strategic multi-year program and/or package that will generate cost savings.
You don’t have to take our word on this—you can read about a client of ours and their experience aligning under one assessor.
Still, despite the potential savings—both financial and regarding resources—trusting a single firm with so much might seem intimidating, so here are three questions to ask the audit firms you vet to ensure you get the full picture of their expertise.
5. Beware the Cost of Switching Firms.
It’s unfortunate, but some organizations realize the mistake they’ve made in selecting the lowest-cost vendor once they’re in the middle of their audit. These folks inevitably need to find a new, experienced (and appropriately priced) vendor to rescue their current project or to perform future projects.
This, of course, renders the anticipated cost savings of the previous low-cost vendor as a near-total loss—in many cases, the audit deliverables are incomplete or insufficient, or the process was overly costly from an internal perspective (as mentioned above in point #1). But not only that, you’ve now got to pay the new firm to deliver an adequate audit, compounding your costs.
How to Find the Right Audit Firm for You
We completely understand the pull of low prices—everyone has to work within their budget constraints. But given that the stakes of audits are so high, these considerations will help you find a more perfect balance between low cost and good service.
If you’d like to understand whether Schellman can play a part in that balance, please feel free to reach out to us—we’ll set up a conversation with our experts to address any concerns you may have regarding audit costs or otherwise.
But as you continue searching for the right assessor for you, make sure you read our content that can help simplify your search, as well as your audit experience:
About RYAN BUCKNER
Ryan Buckner is a Principal and Chief Knowledge Officer at Schellman. Ryan currently serves on Schellman’s attestation leadership team and leads the firm-wide research and development for attestation methodology. Ryan is a CIPP, CISSP, CISA, ISO 27001 Lead auditor, and maintains multiple CPA licenses, among other certifications. Ryan is also an AICPA-approved and nationally listed Peer Review Specialist for SOC examinations. Having directly performed and completed over 1,000 service audits, Ryan is one of the most experienced service auditors in the world.