Think about famous partnerships in history.
Scooby-Doo & Shaggy, Batman & Robin, Han Solo & Chewbacca, Holmes & Watson. These iconic duos all had something in common—a solid foundation of trust between them. They could be honest with each other and share things. If one got into a sticky situation, he could count on the other to set him straight.
We’re not trying to compare those relationships and their adventures together to those between an organization and its auditor—we understand that our line of work is much less fun. But that doesn’t mean that your partnership with your eventual auditor is less important.
After all, the stakes are high. You’ve got to deliver assurance to your customers and you need to trust your assessor to help you do that. That means, in most cases, trusting them with access to sensitive and confidential data.
It’s important to know who you’re partnering with—whether it’s Schellman or another team. Making this kind of decision can be difficult, but in this article, we’ll attempt to make it a little simpler.
We’re going to detail five factors you should review regarding every service auditor. Some will be more obvious, and this list is not meant to be all-inclusive, but we’ll offer our perspective on each of these key things to think about during this process.
When you’re selecting a practitioner for compliance services, reputation is often the first consideration. You not only want to have confidence that you are receiving a quality return on investment, but that your clients have the same confidence in the compliance reports or certifications being issued.
You’ll have plenty of options, but among other factors, make sure to thoroughly consider how each firm’s established footprint in the industry might affect you:
- If you partner with a new firm or one that’s rapidly growing:
  - Pros: They’ll be eager to establish a solid reputation for themselves through their work with you.
  - Cons: There may be less of a guarantee your auditing process will run smoothly. As such, you may risk your final deliverable being viewed by your customers with a degree of skepticism.
- If you choose a firm with a well-recognized name and demonstrated expertise:
  - Pros: You’ll be partnering with someone that will likely have helped establish the standards for auditing and assessment practices.
  - Cons: Having been in the industry for so long, their audit methodology might’ve slipped into a perfunctory approach, a simple checking of boxes.
In any case, an audit firm’s value proposition should be clear and readily apparent to you.
2. Experience and Expertise
This goes hand-in-hand with a firm’s reputation, but when it comes to experience and expertise, you need to drill down further.
An audit firm may provide a service, but they’re actually providing the personnel to perform it. The team you get must have, at an individual level, the appropriate knowledge and skill set for the type of examination your clients are requesting or the regulatory requirements you must meet. Depending on your priorities and needs, experience and expertise could mean different things to you:
- Years in the industry
- Audits completed, per assessor (these should be relevant to your type of project)
- The future of their service lines (as most assessments do recur)
(For what it’s worth, here at Schellman, our professionals average 9 years of experience and teams hold an average of 4 professional certifications per professional.)
But whichever of these factor(s) you choose to prioritize—at whichever firm—make sure you request proof of their training and qualifications that certify them to perform the assessments your organization requires. To further prepare for the future, you might want to also ask about their expertise with other compliance standards—after all, using a single provider comes with several benefits.
Moreover, your ideal partnership will be with an auditing firm that has expertise in your particular area of business, for a couple of big reasons:
- Your entire audit process will be more straightforward if your assessor is already familiar with your industry’s goals and pain points, making it less of an ordeal for you.
- You’ll also save time, money, and effort otherwise spent onboarding and creating a knowledge base with the new external team you bring in.
Put it this way: you wouldn’t engage with your local orthodontist and their team of hygienists to perform your cardiovascular surgery. Orthodontists and hygienists are intelligent and qualified, but not suited to your particular needs. Instead, you’d want a heart surgeon with experience handling your condition and support from nurses that had expertise in operating room procedures to ensure you get through a difficult event to obtain what you need.
Moving right along—in today’s world, technology serves as a huge help in so many things, and your audit firm should also be taking advantage of it during your audits to streamline your process.
Audits have always required large amounts of employee time and effort through meaningful process walk-throughs, evidence gathering, and clearing up additional questions, and there’s likely never getting around that. But there are still modern ways to accelerate and organize evidence gathering and data analytics, among other things.
Many audit firms out there have built or obtained these kinds of tools, and all of them will look shiny and helpful on paper. But to make sure the one you choose will work for you, ask for a demonstration to get a real look at user experience. That way, you’ll have a better shot at contracting with the firm whose technology will make for the easiest time during your audit.
4. Ongoing Support
Another thing: you should not hear from your chosen practitioner only once a year. They’re not just your assessor; they’re your business advisor, and as such, contact should be consistent all year round.
A good audit firm/team will establish an open channel of communication between you and your auditor. That’s important because you’ll need to include them in discussions about:
- Changes to your environment;
- Adding additional business lines; or
- Additional regulatory or compliance requirements that could lead to additional scope or a completely separate assessment.
Ask your potential firms about their planning methodology—how will the two of you remain in contact? Having these discussions proactively can help you establish a trust level early on with the external team that will be critical to your relationship moving forward. If an auditor does not prioritize open dialogue between you, that raises questions regarding how you two will handle emerging risks and technologies, protect your data, and mature your operating processes.
As an audit firm ourselves, we always hear, “why are fees for these services so high?” And it’s true, getting compliant can cost you a lot—not just in the aforementioned time and effort, but also financially. Price is something you must consider, and several factors play into audit fees:
- Time requirements;
- Scope complexity;
- Scope size;
- Location travel requirements; and
- Risk, just to name a few.
It can be tempting to just go for the lowest price, but at the same time, it’s important to remember the always-topical quote: “Sometimes you get what you pay for.”
As can be the case with other cheaper products, you run the risk in the short term of not obtaining the satisfactory services your clients demand. Not only that, but your fees could become even more costly in the long run if you have to bring in another, more qualified team to get a last-minute assessment completed.
Those possibilities don’t erase your budget constraints, however, so a nice mix of competitive pricing and value would probably be the best bet. When vetting firms, find the one with the most transparency into their total price, and of course, find out if there are any cost efficiencies to be gained for multiple assessments.
Bonus Consideration: Early Impressions
The previous five items will play major parts in your eventual decision, but you also shouldn’t discount the importance of picking a firm whose people will fit in with yours.
During negotiations, ask to speak with senior partners and get to know the firm from top to bottom. Note whether firm representatives are responsive, friendly, and helpful when it comes to your questions or even allowing you this insight.
You should also be introduced to the staff member(s) who will be handling your account regularly. If possible, let your team meet with them too. These are people you’ll need to be comfortable working with long-term through an arduous process, so it’s important to read early whether there’s a positive connection.
Moving Forward in Finding Your Audit Firm
Audits and certifications don’t have to be burdensome. Effectively choosing a reputable firm that has established good standing and understands your industry can make all the difference in not only assurances gained, but also your experience throughout the process.
Now that we have you thinking about these few, but key, considerations to make when choosing your audit firm, it’s time to take it a step further. Read our other content that will help you get that much closer to a decision and prepare you for the start of your assessment:
- Preparing for Your Audit: 3 Mindsets to Have
- Which Big 4 Firm Should Perform Your SOC Audit?
- Schellman vs. Other Single-Provider Cybersecurity Services Firms
Please also feel free to reach out to us if you’d like to learn more about Schellman. We’re happy to have a conversation to satisfy your curiosity about both our capabilities and which assessment is best for your organization.
About the Author: Nick Bruce