SOC 2: How To Choose The Right Auditor

Liad Churchill
April 10, 2024

The world is full of parity products.

You can choose this brand of corn flakes versus that other brand, or this line of disposable shavers versus that one. Sure, they may have *slight* differences, but ultimately, your life won’t be significantly impacted if you wind up using Aquafresh toothpaste over Colgate.

When it comes to SOC 2 auditors, a lot of InfoSec Compliance professionals assume the same thing: why bother researching auditors if, at the end of the day, they all conduct the same SOC 2 audit? And on the other end of the spectrum, some companies assume that they really have to go with a big firm to pass muster. But in the end, that expense may not equal a better SOC 2 audit and report.

SOC 2 Auditors Aren't All the Same

So how can companies know which auditor to choose?

Just like toothpaste and corn flakes, there are lots of auditor options out there, and they may all seem pretty similar.

But deciding who to go with is an important decision; it may affect the quality of your SOC 2 construct itself—and doing it wrong would be a waste, because when done properly, SOC 2 can become a major driver for growth and maturity. That’s why having a highly qualified auditor for SOC 2 is a significant asset; the right auditor can become a trusted partner throughout the process by shifting the assessment from a box-checking exercise to an activity that will help you build a rock-solid foundation for success.

7 Essential Qualities to Look for in a SOC 2 Auditor

1. Has a deep understanding of SaaS environments: Some auditing firms are still stuck in the on-prem mentality and cannot understand the intricacies of complex SaaS-based environments. With the State of Cloud Native Security 2020 survey reporting that 94% of all organizations use more than one cloud platform, and 60% use between two and five, it is critical that the SOC 2 auditor knows their way around cloud native environments and the latest SaaS security practices.

2. Possesses superior communication and listening skills: Genuine relationships are built on give and take. It’s important for the auditors to view themselves as partners in your growth and feel vested in your success. Do they clearly communicate their requirements, and do they encourage questions? Are they in touch regularly? Are they pleasant to be around? The idea of sharing a lunch table with your SOC 2 auditor should be comfortable, not cringeworthy.

3. Can scale with your control volume: As companies grow from startups to hyper-growth and beyond, the complexity and scope of controls increase in parallel. Confirm that your SOC 2 auditor has the capabilities, and the capacity, to handle higher volumes of controls as your business scales. Will the auditor keep up with your annual audit cycles or be left in the dust?

4. Delivers within a reasonable amount of time: A SOC 2 audit typically takes between four and eighteen weeks to complete, depending on the maturity of the company’s data security, the project’s complexity, available resources, and level of motivation. Once the auditors examine the evidence through a mix of remote and on-site work, they will write the final SOC 2 report for Compliance with AICPA requirements. How long do the auditors expect your organization’s process to take? Make sure your timelines are aligned before any work begins.

5. Has a solid reputation and the right experience: Selecting a reputable third-party firm or CPA is essential when weighing an auditor's qualities. Choose an auditor who knows your market and can provide references in your industry from similarly sized companies. Don’t be overly focused on the SOC 2 auditor’s brand name; name recognition comes with a price, and a mid-range firm can often provide the same service at a more reasonable rate.

6. Shares your vision for the future: Here’s a really important one: do they share your vision of what having a SOC 2 report means? Some auditors perform quick, surface-level audits and will “rubber stamp” your report. Promises of SOC 2 in 1 week may sound rosy, but in reality they refer to SOC 2 Type 1, a point these auditors often fail to explain to the customer. Auditors who value Compliance maturity understand the value that SOC 2 can unlock for your business. When implemented properly, it can help ensure security best practices are thoroughly baked into every facet of your operations. SOC 2 done right can also help pave the way for optimized operations across the board and help growing organizations drive efficiency. Does the auditor share this vision, or are they more interested in a “quick n’ dirty” approach?

7. Is competitively priced, with a big caveat: There is no way around it: getting SOC 2 requires an investment of time and money. However, SOC 2 costs can vary substantially depending on company size, audit complexity, and the auditor’s brand name. Feel free to compare prices, but note that price is not the key decision point in light of the other critical variables.

SOC 2 as a Driver for Growth

Achieving SOC 2 Compliance is a rite of passage for companies as they embark on their Compliance journey. Finding the right auditor to hold your hand on this undertaking is a critical part of the process.

With the right auditor, you’ll be able to transform SOC 2 from a frustrating and daunting burden into an accelerator for growth.

Liad Churchill
Passionate about turning complex technologies into compelling stories that deliver business value. Multi-discipline product marketer with over 15 years of experience at B2B tech companies.