Which Big 4 Firm Should Perform Your SOC Audit?

Whenever anyone considers an Internet search, the first thought is generally Google. That’s the big name that everyone uses. It’s works similarly in most other industries—if there’s not one, there’s a few big players that occur to people before any others.

The same is true if you’re looking for a SOC audit. The nature of how our industry has evolved means you’re probably considering one of what we call the Big 4—Deloitte, PwC, Ernst & Young, or KPMG.

These are the major players when it comes to audits, and obviously Schellman isn’t on the list. As a firm, we were set up differently from those places, though we’ve grown into a prolific audit provider ourselves—specifically, SOC audits.

We’d love for you to consider us for your SOC examinations, but we understand that name recognition is a powerful thing, and the Big 4 have it. Even if you’d prefer to go with a firm of such a big footprint for your audit, that doesn’t mean Schellman can’t still help you.

These are four very distinct firms and you need to pick one. But which?

Only you can know after several conversations with each place, but we’re going to aggregate at least some of the important, basic information you need to know here. More importantly, we’re going to provide a series of questions that you should ask each Big 4 firm—and any other auditor you choose to engage—while in talks.

At Schellman, we’d welcome similar conversations about our SOC methodology, but if you’re already set in this direction, we can respect that. Our goal now is to provide a clear picture of these industry giants in one spot for you while also empowering you to get the most insight—and very important answers—from these candidates.

Who Are the Big 4 Accounting Firms?

All of these firms perform a wide array of accounting and audit services, including SOC. Given how long they’ve all been around, they’ve been in this arena for as long as anyone else, including Schellman.

Here is more information on each of the Big 4 Accounting Firms that is current as of the time of this writing.

Deloitte

Offices: 126

Total Employees: 113,257

Breakdown of Work Performed: 27% accounting and audit, 17% tax, 52% management advisory services (MAS), 4% other

Accounting Today’s Top 100 Firm Ranking: #1

Deloitte has been providing services for more than 175 years, and they’re now in 150 countries and territories. They are the largest organization among the already-large Big 4 and provide their services to respected brands globally, including almost all of the Fortune 500® and 7,000+ companies. 

PwC

Offices: 91

Total Employees: 56,000

Breakdown of Work Performed: 36% accounting and audit, 27% tax, 37% MAS

Accounting Today’s Top 100 Firm Ranking: #2

PwC operates in 156 countries internationally. In 2016, they kickstarted a digital transformation that they say has made them nimbler in providing services to clients—a move that would prove prudent ahead of the 2020 pandemic. 

Ernst & Young

Offices: 101

Total Employees: 48,300

Breakdown of Work Performed: 28% accounting and audit, 29% tax, 33% MAS, 10% other

Accounting Today’s Top 100 Firm Ranking: #3 

E&Y audits 6 of the Top 10 companies within the Fortune 500, as well as over a thousand public companies. As a result of the 2020 pandemic, they now feature a hybrid audit model of both remote and in-person work that they say considers the needs of the companies they work with. 

KPMG

Offices: 99

Total Employees: 40,181

Breakdown of Work Performed: 30% accounting and audit, 29% tax, 41% MAS

Accounting Today’s Top 100 Firm Ranking: #4 

With a similar international presence as the others, KPMG also features an array of strategic partnerships with technology providers. 

*The above numerical data is sourced from Accounting Today’s 2021 Top 100 Accounting Firms.

5 Questions to Ask Your Big 4 Auditor

Each of these companies got to be where they are by being good at what they do. Despite their prestige and global footprint, you’re going to need to dig deeper into each if you want to determine which firm is best to address your needs.

Here’s a list of questions you should ask every auditor you consider.

1. Ask About Their Client Experience.

While there may be confidentiality provisions precluding these firms from disclosing identities, this remains an important question to consider as you determine the right fit for your organization.

It’s not an uncommon tactic to select an auditing firm based on their experience serving other, similarly-sized companies:

  • If you are a very large multi-national organization, a Big 4 partner may have some appeal, given their experience with the Fortune 500.
  • But, if you are a smaller or mid-size organization, you feel more comfortable with a firm that has more experience serving that caliber of environment. 

2. Ask About the Experience of Their Team (By Role).

There’s no doubt the largest auditing firms have extensive experience, but specificity really matters.

It’s one thing to hear about firm-wide experience or national-level expertise in task forces and practice-wide leadership during a sales call. It’s another when you have auditors assigned to your project that have little to no direct experience performing the SOC audit you need.

The project team meeting with your personnel, pulling samples, conducting interviews, and working with your busy employees are typically not the partners, firm-wide leaders, or national subject matter experts with the most experience. This is the case for most any firm you may consider, so it’s important to ask this critical question and demand very specific answers.

If you’re so inclined, ask your assessor candidates to fill out the below rubric regarding the specific team they intend to assign to your engagement:

It’s customary when selling something to lead with your show ponies, but having each candidate lay out individual details like this will give you a fuller picture of what you’d be getting for your money. 

And though it may not always translate positively, the collective experience of your assessment team having gone through many of the same type of service before could be a serious checkmark in terms of finding efficiencies and an easier time for your personnel who must work with them. 

3. Ask How Much Continuity You Can Expect.

The direct team serving you doesn’t just matter in the first few years. What happens if your auditing firm completes your audit in year one with rock-star talent, but then replaces most or all of those personnel with other people in year two? 

Even if they replace them with similarly experienced staff, who has time to teach them your operations and controls all over again? Auditing is a people-based industry serving people-based assurance needs—if you need a long-term audit solution, this kind of continuity can be invaluable, so make sure to ask this question during conversations with anyone you consider. 

4. Ask What Other Services Can They Offer.

Right now, you need a SOC report. But next quarter…? Next year?

Compliance is an ever-expanding, ever-evolving industry, and your customers could be among those that may request further assurances from you eventually. Leaving your obligations aside, what if your organization decides to branch out in its growth? Regulations may stipulate that more assessments than SOC become necessary.

If that’s the case, it would be helpful to hire a firm for SOC that has a foothold in other related services as well. Hiring a firm that can handle more (or all) of it now would set you up to keep every compliance project under minimal umbrellas, and that could mean saving money, time for control owners during the process, and administrative work.

5. Ask How They Use Technology to Conduct Their Assessments.

The prevailing mindset regarding audits is that they’re an ordeal for everyone, and so those of us that provide these services are inclined to make the process as easy as possible for you. That includes moving beyond evidence requests through MS Excel spreadsheets, cumbersome folder structures, and the like.

Many firms have developed their own tools to conduct their audits because, in fact, it helps them stay organized and have an easier time too. As you work through candidates, ask them if you’ll be granted access to such a tool and then ask how it all works.

If everything is flowing through that tool, you’ll also want to make sure you choose the firm whose platform features the best user experience for your team. You can only make your best guess at that if you ask for the details before your negotiations end.

There’s also another major consideration to make. If you’re considering adding on services, their system should seamlessly demonstrate an “audit-once-report-many workflow” so that your SOC, PCI, ISO 27001, HITRUST, etc. are all aligned and satisfied through a unified approach, rather than multiple disjointed or fragmented efforts. 

Moving Forward Towards Choosing an Auditor

Each of the Big 4 firms has a few things in common—they’re all over the world, they have plenty of people to provide services, and they’re large accounting firms that make the vast majority of revenue from financial statement audits, tax advice, and management consulting.

If you’re looking for a SOC audit, you know now what questions to ask them—or any firm—when you get on a call together.

You’re looking for the best auditor for your organization, and it may be among the Big 4. But Schellman has also provided service auditor and cybersecurity services for two decades now.

We’d love to speak with you too regarding your potential SOC reporting or other cybersecurity and training needs. Reach out to us today so that we can rise to the challenge of earning your business. Despite the obvious David and Goliath scenario at play here, we’re confident in our answers to all your questions—including those we just equipped you with above.

About the Author

Jordan Hicks

Jordan Hicks is the Content Manager at Schellman. In addition to maintaining Schellman's editorial calendar and its relevant processes, she is also responsible for the editing and revising of all written copy within the firm, as well as creating original content for publication.

More Content by Jordan Hicks
Previous Article
Preparing for Web 3.0
Preparing for Web 3.0

Web 3.0 is coming—did you know? But what is Web 3.0? We explain that, along with what's holding up its adop...

Next Article
How to Scope a SOC 2 Audit: 3 Steps
How to Scope a SOC 2 Audit: 3 Steps

Doing a SOC 2 audit but not sure what all you need to include? Learn about 3 clear steps you can take to mo...

×

First Name
!
Success
Error - something went wrong!