When selecting an audit provider, there are ten important things to consider that aren't obvious to those without experience in this field.
InfoSec compliance and cybersecurity audits are a complicated area of services. There is a lot of variation in the firms and potential approaches that you should be wary of before committing to a provider. You may wonder, reading this, whether you can trust AssuranceLab's perspective on this when we are an audit services provider ourselves.
Maybe we wrote this checklist to favour our approach? Or maybe our approach fits the recommendations in this checklist because we think they're important. In any case, you can make up your own mind about which of these ten considerations are important to you.
1. Level of experience
Ask how many clients they have using the service you're interested in. There are some big firms that do very little in cybersecurity. Do they have clients similar to yourselves? If not, there is probably a reason why, and that may be a red flag.
2. Compare like-for-like costs
There are lots of different approaches out there, and nuances in how they are quoted and presented. Before concluding that one provider is lower cost, it's important to compare like-for-like costs and check that the proposed approach includes everything you need. If you prefer something different to a provider's initial suggestion, consider going back to them to adjust their proposed approach so the comparison is truly like-for-like.
3. Variable costs and hidden charges
Check if there are any variable costs. Some audit firms may increase fees if it takes them longer or if issues are identified, which seems like an obvious conflict of interest. Other firms apply fees if you need to reschedule or have delays. That is one of the main reasons we moved to an agile services model: it's common to have other business priorities and need to reschedule or delay.
4. Contract length and future costs
Most firms quote fees that are lower and less profitable in the first year. That is standard practice in the industry, since these audit services are typically recurring. The level of work reduces over time and switching auditors is relatively uncommon. It's worth it for audit firms to take a hit in the beginning in pursuit of those longer-term economics. That's a good opportunity for you to get a good deal with lower upfront costs, as long as you're not locked in and the future fees are reasonable.
5. Range of cybersecurity services
There are certainly benefits to a specialist provider. But within the specialism of cybersecurity, it's good to have a provider that covers the multiple standards and services you may need, so you're not duplicating effort by using separate providers for each of them. It's common to see cloud services businesses need SOC 1, SOC 2, ISO 27001, GDPR and CCPA, as well as the more industry-specific PCI-DSS and HIPAA. There is a lot of overlap in these standards.
6. Partnerships and networks
Audit firms are limited by independence requirements. We can’t design or implement your control practices, which also prevents services that fit closely with the audits like penetration tests, managed IT and other cybersecurity services. It’s beneficial to use an audit services provider that has established relationships with other providers that can benefit
7. Affinity to modern software solutions
If you use modern software and infrastructure to automate and manage aspects of your cybersecurity practices, it's important to have an auditor that understands those. If they don't, you may find key control aspects are missed, and you spend more of your time explaining things to the auditors and working around their preferred software and audit practices. This point is particularly important if you use a compliance platform like Vanta, or a GRC solution like ZenGRC. It's best to have your auditor collect evidence directly from these solutions to keep it all in one place, rather than having you separately upload it to their own audit platforms.
8. Brand of the audit firm
The brand of the audit firm that issues your report or certification is important. The purpose of these assurance solutions is to satisfy customers' requirements to win new revenue and reduce due diligence requirements. The impact of that can be limited by the brand on the report: whether it's credible and trusted. The Big 4 and mid-tier accountancies are traditional firms with brands that are trusted. There are also a number of specialist cybersecurity CPA firms in the US that have built strong brands in this field, like our main CPA partner, A-LIGN, which is recognised as a top 25 global cybersecurity company.
9. Official standard(s) supported
This one applies mainly to SOC 1 and SOC 2, but it's worth a mention as it plays a big role in practice. The SSAE18, AT-C 105 and 205 standards are issued by the American Institute of Chartered Accountants for reporting on an organisation's controls. The SOC 2 Trust Services Criteria are built on the basis of the AT-C 105 and 205 standards. These standards require a Certified Public Accounting (CPA) firm to issue the report with their audit opinion. SOC 1 and SOC 2 reports can also be issued using equivalent international standards, like ASAE 3150 in Australia and ISAE 3150 internationally. For all intents and purposes, these reports are the same thing. But some customers in the US market don't recognise them as the same thing. That has led to most SOC 2 reports in Australia, New Zealand and the U.K. being issued by CPA firms from the US. That's why AssuranceLab primarily partners with US CPA firms to issue our clients' reports.
10. The actual audit team
This is the last point on this list, but it may be the most important of all. Who you speak to before you sign up to the audits may not be who you actually deal with after you sign up. In traditional audit firms, the Senior Manager to Partner level are primarily business development focused, i.e. absent once it gets to service delivery. That leaves an inexperienced team on the ground. Check who will be involved and what level of guidance, support and experience they have to offer you through the audit process.
Considering all these factors adds to the existing headaches of determining which standard is best for your InfoSec compliance goals, and how to resource the project amongst all your other business priorities. There are two easy ways to bypass all these individual considerations:
1. Speak to a reference customer of the audit firm that's been in a similar position to yourselves. If the service is meeting all of their expectations and has solved their requirements, it's a good sign that it will for you too.
2. Take advantage of any free consultations, initial scoping or control assessments, and other resources that audit firms offer. In addition to helping you prepare for your project, you can get to know what it's like working with them before signing up to their service.
If you're considering AssuranceLab's audit services, feel free to ask us about any of the above (or other) points. We have a plethora of SMB cloud services clients that kindly offer to speak with those in your position to help you make an informed choice. Our free products, like our flagship Readiness Assessment, are available on our website. You can conduct a free scoping and assessment of InfoSec standards including SOC 1, SOC 2, ISO 27001, GDPR, CCPA, HIPAA and the Consumer Data Right.