
Audit Firms

You will need to select an audit firm to perform an audit for your desired compliance framework. Depending on the scope of your needs, you'll want to consider various criteria when choosing an audit partner.

Choosing the Auditing Firm

When looking for an auditor, it is important that organizations pick a firm with a proven track record of successful attestations. It is often best to interview at least three different auditing firms before deciding.

Size Matters

Depending on the size of your organization, it is best to start your search locally. A local auditing firm can often provide the same results as, if not better results than, a large firm that has many clients.

Personality types

As the lead implementer or consultant for the organization, you will be working hand in hand with the auditing team. During the selection phase it is important to get to know their personalities. Ask yourself: can I envision myself working with this auditor in a continuous audit engagement?

Previous attestations

Prior to selection, it is worthwhile to review your auditors' work from previous engagements. Ask them about controls they have found to be not suitably designed. For example, you could ask the auditor(s) the following questions:

  1. How did you report on a control that you found not suitably designed and not operating effectively?
  2. Did you assist the client with recommendations on how to fix the control?
  3. What is the most common issue you see during the audit engagement that clients fail to understand?
  4. Can you provide a list of client contacts so that we can perform a reference check?
  5. What is your sampling methodology, and how does it align with best practice?
  6. To the relevant audit manager: how many SOC 2 attestations have you personally performed?

Communication Style

Communication style is important. Everyone communicates differently, and when you are running point on a SOC 2 project for an organization, it is imperative that the communication barrier is broken down. As the lead implementer for the organization, you will need to communicate with the organization as well as with the auditors.

You will need to translate the requirements for the business and then help communicate the resulting findings back to the auditors, framing them from the auditors' perspective.