Audit Your Auditor: 5 Questions to Ask a Potential Auditor

Finding the right audit firm for your organization can make or break your experience. We've put together a list of five questions to ask a potential auditor to make sure it's a good match.
Media - Anthony Gagliardi

by Tony Gagliardi

July 05, 2023
Audit Your Auditor - Header

Not every audit firm will make sense for your business, and selecting an auditor can feel like choosing a new candidate to join your team. You’ll want to make sure they’re qualified, trustworthy, and have the right amount of experience and technical know-how to get the job done.

Finding the right audit firm for your organization can make or break your audit experience. As  auditor Jeffrey Filler mentions, communicating with your auditor early and often is crucial to a smooth and successful audit.

Why It’s Important to Vet Your Auditor

It’s no secret that achieving and maintaining compliance can be a lot of work. From writing your policies to implementing controls, it can take months to prepare for an audit. Unfortunately, a poorly executed audit does little to help you establish a security-first culture and build trust with your customers.

So, when it comes time to find an external auditor, you’ll want to make sure they’ll be a good fit for your organization.

How to Audit Your Auditor

Asking your auditor these five questions can make all the difference in preparing for your audit and knowing what to expect.

1. How do you approach Scoping with clients?

This question by itself can give you extensive insight into how your audit will look. Working with your auditor to determine the scope of your audit—including which departments they plan to include and the main controls they plan on evaluating and why—can help your team know what to prioritize.

2. What does a typical audit engagement look like for your firm? 

This question can help you understand how auditors structure their audits and give you insight to the key milestones to look out for along the way. This will also give you a clearer picture of what success looks like as the audit progresses. 

3. How will this year’s audit differ from last year?

If you’ve undergone an audit before, especially with the same auditor, you can use those previous audits as a baseline for what to expect. Your auditor can go over any new changes that have been made to the audit team, their style of auditing, or if any auditing standards have changed. 

4. How can you ensure independence?

Professional auditors follow a code of ethics that establishes their objectivity and independence in an audit—both in fact and appearance. Asking your auditor about the safeguards they have in place to remain independent can ensure a fair audit without any conflicts of interest.

5. Are you familiar with our compliance automation platform?

If you’re using a compliance automation tool like Drata to help collect evidence, identify and mitigate risk, and streamline the audit process, having an auditor that’s familiar with that platform can facilitate a more effective partnership with your auditor. Auditors can use their side of the platform to evaluate your controls, generate reports, and communicate with you in real time.

How to Find the Right Auditor

So, you know what to ask your auditor, but how do you find a reputable audit firm in the first place? Well, we can help with that. Our auditor directory is filled with pre-vetted, trustworthy audit firms. Browse the directory by client size, region, framework, or more to find the firm that speaks to you.

If you’re already vetting audit firms, some additional topics to consider discussing are:

  • They understand your industry: Fintech companies working with large financial institutions will have different requirements than a healthcare tech company working with large hospital systems. It’s never a bad idea to kick off your auditor interviews with questions about their industry experience and requests for industry-specific references.

  • They understand your tech stack: Do they know what you mean when you say AWS S3? CI/CD?  If you start talking about your tech stack and they don’t seem to know what you’re talking about, this may be worth digging into further. You want an audit firm that can speak intelligently about the tools you’re using.

  • They are collaborative: Auditors should be explaining things as they go. They should be asking you lots of questions to make sure they understand your full program set-up, and if they come across a potential problem, you want someone who will bring it to you and ask deeper questions to help resolve it. 

  • They have solid references: You really want an audit firm that has deep, consistent experience. Ask for references and make sure they are industry-relevant and recent. If the last audit the firm did was nine months ago, they’re probably at least a little rusty. If they only have one reference in your specific industry, they might simply not be a fit for you.

Audits can be a stressful time for businesses, especially for first timers. Thoroughly researching and vetting your auditors gives you the best chance of having a smooth, communicative audit. For more information on how Drata can prepare you for a successful audit, book a demo today.

Trusted Newsletter
Resources for you

What Is a PCI ROC + When Do You Need One?

SOC 2 Compliance Checklist hero image

SOC 2 Compliance Checklist: 9 Key Steps To Take

PCI Audits hero

PCI DSS Audit: What It Is + How to Prepare

Media - Anthony Gagliardi
Tony Gagliardi
Tony Gagliardi is Manager of Compliance Advisory Services at Drata. He advises customers on building sound cybersecurity risk management programs that meet security compliance requirements. Tony is a Certified Information Systems Security Professional (CISSP) specializing in GRC, SOC 2, ISO 27001, GDPR, CCPA/CPRA, HIPAA, various NIST frameworks and enterprise risk management.
Related Resources
Asset - Podcast Episode 12 Drataverse Live

Compliance Uncomplicated Episode 12: Transparency and Continuous Compliance Live From Drataverse

Evidence Library Blog Header

Streamline Evidence Collection with Our New Evidence Library

Asset - Image - Uncomplicated Podcast Pinwheel Episode 11

Compliance Uncomplicated Episode 11: Securing the Future of Financial Innovation With Pinwheel’s CISO

Asset - Uncomplicated Podcast - Labelbox

Compliance Uncomplicated Episode 10: The Power of Secure AI Solutions With Labelbox