Audit Your Auditor: 5 Questions to Ask a Potential Auditor

Not every audit firm will make sense for your business, and selecting an auditor can feel like choosing a new candidate to join your team. You’ll want to make sure they’re qualified, trustworthy, and have the right amount of experience and technical know-how to get the job done.

Finding the right audit firm for your organization can make or break your audit experience. As  auditor Jeffrey Filler mentions, communicating with your auditor early and often is crucial to a smooth and successful audit.

Why It’s Important to Vet Your Auditor

It’s no secret that achieving and maintaining compliance can be a lot of work. From writing your policies to implementing controls, it can take months to prepare for an audit. Unfortunately, a poorly executed audit does little to help you establish a security-first culture and build trust with your customers.

So, when it comes time to find an external auditor, you’ll want to make sure they’ll be a good fit for your organization.

How to Audit Your Auditor

Asking your auditor these five questions can make all the difference in preparing for your audit and knowing what to expect.

1. How do you approach Scoping with clients?

This question by itself can give you extensive insight into how your audit will look. Working with your auditor to determine the scope of your audit—including which departments they plan to include and the main controls they plan on evaluating and why—can help your team know what to prioritize.

2. What does a typical audit engagement look like for your firm? 

This question can help you understand how auditors structure their audits and give you insight to the key milestones to look out for along the way. This will also give you a clearer picture of what success looks like as the audit progresses. 

3. How will this year’s audit differ from last year?

If you’ve undergone an audit before, especially with the same auditor, you can use those previous audits as a baseline for what to expect. Your auditor can go over any new changes that have been made to the audit team, their style of auditing, or if any auditing standards have changed. 

4. How can you ensure independence?

Professional auditors follow a code of ethics that establishes their objectivity and independence in an audit—both in fact and appearance. Asking your auditor about the safeguards they have in place to remain independent can ensure a fair audit without any conflicts of interest.

5. Are you familiar with our compliance automation platform?

If you’re using a compliance automation tool like Drata to help collect evidence, identify and mitigate risk, and streamline the audit process, having an auditor that’s familiar with that platform can facilitate a more effective partnership with your auditor. Auditors can use their side of the platform to evaluate your controls, generate reports, and communicate with you in real time.

How to Find the Right Auditor

So, you know what to ask your auditor, but how do you find a reputable audit firm in the first place? Well, we can help with that. Our auditor directory is filled with pre-vetted, trustworthy audit firms. Browse the directory by client size, region, framework, or more to find the firm that speaks to you.

If you’re already vetting audit firms, some additional topics to consider discussing are:

• They understand your industry: Fintech companies working with large financial institutions will have different requirements than a healthcare tech company working with large hospital systems. It’s never a bad idea to kick off your auditor interviews with questions about their industry experience and requests for industry-specific references.

• They understand your tech stack: Do they know what you mean when you say AWS S3? CI/CD?  If you start talking about your tech stack and they don’t seem to know what you’re talking about, this may be worth digging into further. You want an audit firm that can speak intelligently about the tools you’re using.

• They are collaborative: Auditors should be explaining things as they go. They should be asking you lots of questions to make sure they understand your full program set-up, and if they come across a potential problem, you want someone who will bring it to you and ask deeper questions to help resolve it. 

• They have solid references: You really want an audit firm that has deep, consistent experience. Ask for references and make sure they are industry-relevant and recent. If the last audit the firm did was nine months ago, they’re probably at least a little rusty. If they only have one reference in your specific industry, they might simply not be a fit for you.

Audits can be a stressful time for businesses, especially for first timers. Thoroughly researching and vetting your auditors gives you the best chance of having a smooth, communicative audit. For more information on how Drata can prepare you for a successful audit, book a demo today.