866.254.0000
Talk with a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
View All Services
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

«  View All Posts

 
Douglas Barbin

By: Douglas Barbin

Print/Save as PDF

The Risks of a Low-Cost Audit Partner

We get it: You didn't budget for a compliance assessment.

You were trying to sell a deal to a customer who came back to you and said you needed a SOC 2 audit or an ISO certification. But when you're making a choice, what are the implications if you go with one firm versus another in particular if you go with a low-cost provider?

I'm Doug Barbin, managing principal and chief growth officer at Schellman. We've been performing assessments for over 20 years of companies of all sizes, from start-up companies to the Fortune 50. You're a start-up company. You're active in the marketplace and you're selling to customers. And you get to that deal where this customer says, this looks great, it looks like a fit for me, but I need to see proof of your security program. I need a SOC 2 report.

From there, what do you do? You go out, you research different types of firms. There are certainly firms that are larger at the higher end, such as the big four firms that have the brand names and the prestige and are very, very expensive. There are often smaller firms, too, that can do this at a much lower cost. What are the things that you need to think about, though, when you're going in the direction of a low-cost provider? In particular, we get that this was not budgeted. We get that this was something that you weren't planning to do. And from a certain degree, it's a checkbox that you need to achieve in order to sell to that customer. However, what does it really mean after that?

A SOC 2 report is really a statement that your security program and your commitments to your customers are being met. And those commitments have been vetted by an independent third-party assessor like Schellman. And that's what we do.

In-Depth Understanding

It's really important that any firm that you partner with takes good care in doing that. And that means from the beginning, starting off with:

  • A deep understanding of what those commitments are
  • What your requirements are
  • What are the different compliance standards and domains that may factor into this are.

The understanding piece is critical because it sets you up for success in performing the assessment and getting to a successful outcome.

All of this comes into a deep understanding phase, which from our perspective is critical. And what we've seen in other instances is sometimes lower-cost providers can skip those. The understanding piece is critical because it sets you up for success in performing the assessment and getting to a successful outcome.

Trust - What is the Firm's Credibility?

When it comes to the actual deliverable, trust is key. What that means is when you're looking at a report from an independent provider, you need to know that the independent provider is:

  • Credible in the marketplace
  • Has experienced people that are performing the work
  • Are doing the testing and the evaluation and writing the report,
  • And that you've got qualified individuals qualified to handle the subject matter, in this case, security oftentimes of that particular report.

In addition, it's not just important to know who are the companies that the firm has worked with to perform these assessments. In Schellman's case, we work with over 900 companies on an annual basis, but what's more important are the customers of our clients that actually rely on these reports, that trust these reports as they're going through their vendor reviews, as they're going through their security reviews. So you need to ask those types of questions because it all leads back to quality because if you have someone that comes in and does a report in two weeks and uses what are obviously templates and are not going into the depth of testing, things can be missed.

The Final Report

It comes back to credibility and it comes back to experience and qualifications, and whether or not that company gets their reports challenged. We've seen that. We've seen reports that have quality issues that are challenged not by the clients who get those reports, but by the client's customers - banks, regulatory agencies, and other types of parties that look at these reports and they go through something and they say, well, that doesn't seem right or that doesn't seem credible. That's where experience comes into play, and that's where the experience of working with quality individuals and experienced people that, for better or for worse, you have to pay more for.

So from our perspective, we want you to look at all the options. We want you to go in eyes wide open. We're happy to have a conversation of what our capabilities are, which differentiates us from companies that are bigger than us. And I'll even clarify that just because a company, a firm is smaller than Schellman does not insinuate that there's a lower level of quality. It's about having good people. It's about having a good process for performing the work, understanding the environment, issuing the reports, and having a process that allows our client's customers to trust and rely on those reports for an extended period of time. We just want you to go in with your eyes open to the risks that could occur if you try to cut corners and potentially go with a firm that is less qualified and has less focus on quality and trust.

Contact us today to speak to one of our professionals and you'll be able to see from that first conversation the types of individuals that we have that would be performing those assessments for you. 

About Douglas Barbin

As Chief Growth Officer and firmwide Managing Principal, Doug Barbin is responsible for the strategy, development, growth, and delivery of Schellman’s global services portfolio. Since joining in 2009, his primary focus has been to expand the strong foundation in IT audit and assurance to make Schellman a market leading diversified cybersecurity and compliance services provider. He has developed many of Schellman's service offerings, served global clients, and now focuses on leading and supporting the service delivery professionals, practice leaders, and the business development teams. Doug brings more than 25 years’ experience in technology focused services having served as technology product management executive, mortgage firm CTO/COO, and fraud and computer forensic investigations leader. Doug holds dual-bachelor's degrees in Accounting and Administration of Justice from Penn State as well as an MBA from Pepperdine. He has also taken post graduate courses on Artificial Intelligence from MIT and maintains multiple CPA licenses and in addition to most of the major industry certifications including several he helped create.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Ready delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.