How to Choose the Right SOC 2 Auditor

The selection of a SOC 2 auditor can be daunting. How do you find one, what should you consider when choosing a SOC 2 auditor, and what interview questions should you ask them? Will they understand your unique environment, product or challenges? Ultimately, the final decision is up to you: select the auditor that best understands where you are now and can be a partner in your journey. SOC 2 is a multiyear journey, so my best advice is to make sure you get along with the audit partner, director or lead who will be in charge of your account. If selecting an auditor fills you with panic and dread, take a deep breath and remember: it doesn’t have to, once you know what you are looking for.

What SOC 2 Auditors Can and Can’t Do

It is important to level-set your expectations for what a SOC 2 auditor can and can’t do. A good auditor absolutely can be a partner on your journey: they can help you surface controls you may have missed and should get credit for, they can suggest edits to your system description, and they can suggest refinements to your controls language. A great auditor will also provide post-audit recommendations and point out areas for improvement.

Auditors are required to be independent to meet the standards of their governing body (the AICPA) and can objectively opine on your system description and the design and, in a Type 2 audit, the effectiveness of your controls. They can never perform a control, design a control or tell you exactly what to do. But a great auditor does have a way of dropping hints that can point you in the right direction.

Questions to Ask Auditors

We suggest you interview at least three auditors and ask them the same questions. The questions below may be helpful in the selection process.

What is your experience with a company of our size and level of security (or privacy, confidentiality, availability, processing integrity) maturity?

You are looking for a firm that has experience auditing companies similar to yours in size and level of security maturity. If you are a still-growing startup and they have no experience with still-growing startups, their recommendations won’t make sense for your stage of the journey. Whether you are privately held or public, whether you employ thirty people or thirty thousand, and whether you are a brand-new startup or have been around for a while and already have a solid security program, choose an auditor who understands who and where you are.

What is your quality review process? How many layers of review do you use?

The answer to this question will impact the time it takes for the auditor to deliver your final SOC 2 report. You absolutely want to see a commitment to quality, of course, but you also want an efficient, nimble auditor. A final SOC 2 report delivered approximately six weeks from the end of the auditor’s field work may be acceptable for you, or perhaps you need it sooner. Make sure you are comfortable with their stated delivery date.

Do you require that we have at least one control for each point of focus?

This one is tricky – some firms require at least one control per point of focus, while others accept adequate coverage for each principle. There is no hard-and-fast requirement that each point of focus be mapped to at least one control; however, we highly recommend that for all of the security-specific criteria, you do associate a control with each point of focus. For more operational controls, we find that this one-to-one approach leads to the creation of busywork controls that add neither extra security nor meaningful control.

Can you scale your standard audit approach? Can you dive right into the Type 1?

Many auditors follow a systematic, three-part approach to their audits: Readiness Assessment, SOC 2 Type 1 (a point-in-time audit), then SOC 2 Type 2 (an audit over a period of time). The three-pronged approach can take anywhere from six months to more than a year. If you don’t need a readiness assessment, or if you want to get ahead on your Type 2 audit, make sure your auditor can scale their fees and can adapt to these changes.

As an audit deliverable, will you provide recommendations on how we can improve the maturity of our security environment?

This is especially important if you are a young company. An excellent SOC 2 auditor will meet with you after the audit to provide suggestions and highlight areas for improvement, or recommend processes and technology you should consider to make your security program more mature.

There are many other questions that you can ask, but at the end of the day, these will give you a good sense of the personality, capabilities and approach of the auditors and provide a solid basis for making a decision. Don’t rush into a relationship; the firm will be with you for at least a few years. Make sure they understand where you are in your SOC 2 and compliance journey, that their services are priced reasonably and that you have a good rapport with them. Good luck!

Justin Beals

Justin Beals is the CEO and cofounder of Seattle-based Strike Graph, a compliance automation startup. Justin is a serial entrepreneur with expertise in AI, cybersecurity and governance, who started Strike Graph to eliminate the confusion related to cybersecurity audit and certification processes.
