How to Choose the Right SOC 2 Audit Firm
Security and compliance are vital pieces to expanding your customer portfolio, whether you’re working with SOC 2, HIPAA, ISO 27001, or another respected framework. And part of achieving compliance is—particularly with SOC 2—passing your audit and obtaining a clean audit report.
Before you do that, you’ll need to choose an auditing firm—and this can be trickier than you’d think. The right auditor will not only do the audit but also help you understand and improve your compliance, streamline the process, and get an accurate audit report. The wrong audit firm? Well, they can slow you down, stand by while you miss important compliance tasks, and even saddle you with an inaccurate report at the end of the process.
In other words, finding the right auditor is vital. Which is why we asked our own super-auditor, Troy Fine, what you should look for when choosing a firm. Here’s what he had to say:
What do you want from your auditor?
Before you make a list of what you’re looking for in an audit firm, start by asking yourself: What do you want from your auditor?
Are you new to SOC 2 and hoping to find someone who will advise you as you work toward compliance (before they take on your audit)? Or do you already have the compliance advisory side of things covered and you simply need a qualified auditor to handle the audit itself?
There’s no wrong answer here, but understanding what you need will help you determine how early to bring in an audit firm and what kinds of questions to ask when you’re evaluating them.
When should you start evaluating audit firms?
If all you need is the audit (with no consulting along the way), start your search 3 – 4 months before you want the audit to start. This will give you time to evaluate firms, handle the paperwork, and get on their schedule.
If you prefer to hire a firm that will walk you through the SOC 2 compliance process and advise you as you put controls and policies into place, start asap. As soon as you start putting controls into place, you’ll want an advisor at your side to smooth out the process, catch red flags early, and make your program stronger at every step.
What to look for in an audit firm
1. They answer your questions intelligently
If you ask your auditor basic questions about audits, can they answer them? The answer here must be a resounding yes.
We recommend getting a basic understanding of compliance before you speak to an auditor and then asking them questions like:
Do you recommend a SOC 2 Type 1 or Type 2 report? Why?
What are the pros and cons of a SOC 2 Type 1 vs. Type 2?
Can you explain the HIPAA security rule?
2. They understand your industry
If you’re a FinTech company working with large financial institutions, your requirements will look different than a healthcare tech company working with large hospital systems. Or, if you’re a US-based SaaS company working on SOC 2 compliance, your compliance requirements (and who attests to those requirements) will have a different focus than a UK-based service provider serving Europe and working toward ISO 27001.
When choosing an audit firm, you want a team with experience with your framework and your industry. So, kick off your auditor interviews with questions about their industry experience and requests for industry-specific references.
3. They understand your tech stack
There’s nothing worse than having a conversation with your auditor and watching their eyes glaze over. If you start talking about your tech stack and they don’t seem to know what you’re talking about, run. You want an audit firm that can speak intelligently about the tools you’re using.
For example, do they know what you mean when you say AWS S3? CI/CD? If not, call up the next firm on your list.
4. They’re collaborative
Whether you hire the firm to advise you pre-audit or only bring them in for the audit itself, you need someone collaborative.
They should be advising and explaining things as they go. They should be asking you lots of questions to make sure they understand your full program set-up. And if they come across a potential problem, you want someone who will bring it to you and ask deeper questions to understand whether they’ve unearthed an exception, if they’re simply missing some evidence, or haven’t understood one of your answers.
5. They communicate well
Does the auditor speak your language and understand common industry terms or are they speaking over your head, throwing out jargon, or speaking in broad generalities?
The latter is another red flag.
You want someone who can explain things to you in simple, industry-appropriate ways. As Einstein once said, “if you can’t explain it simply, you don’t understand it well enough.”
6. They let you speak directly to members of their audit team
At the end of the day, it doesn’t matter if the sales team is great at communication (or, conversely, dismal at it), or if they know your tech stack. What matters is that the auditor who is doing your specific audit understands and can explain.
So before you hire a firm, make sure to vet their audit team. Assess their industry experience. Make sure you are comfortable with their communication style.
7. They have solid references
While all CPA firms technically can do an audit, you really want one that has deep, consistent experience. Ask for references and make sure they are industry-relevant and recent. If the last audit the firm did was nine months ago, they’re probably at least a little rusty. If they only have one reference in your specific industry, they might simply not be a fit for you.
Good answers to basic questions like these are a great litmus test for how knowledgeable your firm will be once you get into the nitty gritty of the compliance process.
And if you’re ready to get started on compliance (with or without an audit firm at your side)? We built Drata to help make compliance simpler and more automated. We’d love to show you how.