When selecting an audit provider there are ten important things to consider that aren't obvious to those who haven't been through an audit before.
Information security compliance and audits are more complicated than most professional services. There's a lot of variation in the firms and the approaches they take, and you should understand that variation before committing to a provider. Reading this, you may wonder: can you trust AssuranceLab's perspective, given we're an audit services provider ourselves?
Maybe we wrote this checklist to favour our own approach? Or maybe our approach fits the recommendations in this checklist because we think they're important. Either way, you can make up your own mind about which of these ten considerations matter to you.
1. Level of experience
Ask how many clients they have using the specific service you're interested in. There are some big firms that do very little in cybersecurity, or in cloud software specifically. Do they have many clients similar to your business? If not, that may be a red flag.
2. Compare like-for-like costs
There are lots of different approaches out there, with nuances in how they are quoted and presented. We've seen it all: hidden fees, deceptive ways of presenting the costs involved, and simply different business models that make options hard to compare. It's worth asking each provider to clarify how their quote compares to the other options you're considering, on a like-for-like basis.
3. Variable costs
Check whether there are any variable costs. Some audit firms increase fees if the audit takes them longer or if issues are identified, which is an obvious conflict of interest. Other firms charge fees if you need to reschedule or have delays. That's one of the reasons we moved to an agile audit services model: it's common to have other business priorities and to need to reschedule or delay the audit accordingly.
4. Contract length and future costs
Most firms quote fees that are lower and less profitable in the first year. That's standard industry practice for audit services, which typically recur annually. The level of work reduces over time and switching auditors is relatively uncommon, so it's worth it for audit firms to take a hit in the first year in pursuit of those longer-term returns. That's an opportunity for you to get lower upfront costs, as long as you're not locked in and the future-year fees are reasonable. Ask for the year two and year three fees in writing before you sign.
5. Range of cybersecurity services
There are certainly benefits to a specialist provider. But within the specialism of cybersecurity, it's good to have a provider that covers the multiple standards and services you may need, so you're not duplicating effort by using a separate provider for each. It's common to see cloud services businesses need SOC 1, SOC 2, ISO 27001, GDPR and CCPA, as well as the more industry-specific PCI DSS and HIPAA. There's a great deal of overlap between these standards, and there's overhead in simply managing multiple audit providers.
6. Partnerships and networks
Audit firms are limited by independence requirements. We can't design or implement your control practices, because we can't audit our own work. That also prevents or limits related services like penetration tests, managed IT and other cybersecurity services. It's beneficial to use an audit services provider that has good relationships with complementary providers who can do that work.
7. Affinity to modern software solutions
If you use modern software and infrastructure to automate and manage aspects of your cybersecurity practices, it's important to have an auditor that understands those tools. If they're not familiar with them, you may find you're doing extra work and not getting the benefits of the simplicity and automation the software offers.
This includes compliance automation platforms, like Drata. It's best to have your auditor collect evidence directly from these platforms, keeping it all in one place, rather than having you separately upload it to the auditor's own audit platform. We have a purpose-built Drata Playbook that provides a clear, simple and faster path to compliance when leveraging Drata.
8. Brand of the audit firm
The brand of the audit firm that issues your report or certification is not as important as it once was, but it still forms part of the narrative you give to customers about your compliance. While big brands like the Big 4 are obviously well known and represent quality, in the cybersecurity field it's also generally accepted and favoured to see cybersecurity-specialist audit firms (like us!). The number of cloud software customers, accreditations to various standards, and market reputation all play a role here.
9. Official standard(s) supported
This one applies mainly to SOC 1 and SOC 2, but it's worth a mention as it plays a significant role in practice. SSAE 18, including the AT-C 105 and AT-C 205 sections, is issued by the American Institute of Certified Public Accountants (AICPA) for reporting on an organisation's controls. SOC 2 examinations are performed under AT-C 105 and 205, with the Trust Services Criteria as the criteria the controls are evaluated against. These standards require a licensed Certified Public Accountant (CPA) firm to issue the report containing the audit opinion. SOC 1 and SOC 2 reports can also be issued under equivalent international standards, like ASAE 3150 in Australia and ISAE 3000 internationally. For all intents and purposes, these reports are the same thing, but some customers in the US market don't always recognise them as such. That's why we put a lot of time and focus into our registration with the AICPA (a fair few hoops to jump through!), and we're now one of two Australian firms that can offer official AICPA SOC 1 and SOC 2 reports, with use of the trademarked AICPA logo. If you sell into the US, ask a prospective auditor which standard their report will be issued under and whether they are a registered CPA firm.
10. The actual audit team
This is the last point on the list, but it may be the most important of all. Who you speak to before you sign up for the audit may not be who you actually deal with after you sign up. In traditional audit firms the Senior Manager to Partner level are primarily business development focused, i.e. absent once it gets to service delivery. That can leave an inexperienced team on the ground. Check who will be involved, and what level of guidance, support and experience they have to offer you through the audit process.
Considering all these factors adds to the existing headaches of determining which standard is best for your compliance goals, and how to resource the project amongst all your other business priorities. There are two easy ways to short-cut these individual considerations:
1. Speak to a reference customer of the audit firm that's been in a similar position to yours. If the service is meeting all of their expectations and has solved their requirements, it's a good sign that it will for you too.
2. Take advantage of any free consultations, initial scoping or control assessments, and other resources that audit firms offer. In addition to helping you prepare for your project, you can get to know what it's like working with them before signing up to their service.
If you're considering AssuranceLab's audit services, feel free to ask us about any of the above (or other) points. We have plenty of startup and SMB cloud services clients who kindly offer to speak with those in your position to help you make an informed choice. Our free products, like our Readiness Assessment, are available on our website for anyone to use. You can conduct a free scoping and assessment against standards including SOC 1, SOC 2, ISO 27001, GDPR, CCPA, HIPAA, the Consumer Data Right, and more!