The Risks of a Low-Cost Audit Partner

We get it: You didn't budget for a compliance assessment.

You were trying to close a deal when the customer came back and said you needed a SOC 2 audit or an ISO certification. When you make that choice, what are the implications of going with one firm versus another, and in particular of going with a low-cost provider?

I'm Doug Barbin, managing principal and chief growth officer at Schellman. We've been performing assessments for over 20 years for companies of all sizes, from start-ups to the Fortune 50. Picture the scenario: you're a start-up, you're active in the marketplace and selling to customers, and you get to the deal where the customer says, "This looks great, it looks like a fit for me, but I need to see proof of your security program. I need a SOC 2 report."

From there, what do you do? You go out and research the different types of firms. There are larger firms at the higher end, such as the Big Four, that have the brand names and the prestige and are very, very expensive. There are also smaller firms that can do this at a much lower cost. What do you need to think about, though, when you go in the direction of a low-cost provider? We understand that this was not budgeted and that it wasn't something you were planning to do. To a certain degree, it's a checkbox you need to achieve in order to sell to that customer. However, what does it really mean after that?

A SOC 2 report is really a statement that your security program and your commitments to your customers are being met, and that those commitments have been vetted by an independent third-party assessor like Schellman. That's what we do.

In-Depth Understanding

It's really important that any firm you partner with takes good care in doing that. From the beginning, that means starting off with:

  • A deep understanding of what those commitments are
  • What your requirements are
  • Which compliance standards and domains may factor into the engagement

All of this comes together in a deep understanding phase, which from our perspective is critical: it sets you up for success in performing the assessment and getting to a successful outcome. What we've seen in other instances is that lower-cost providers sometimes skip it.

Trust - What is the Firm's Credibility?

When it comes to the actual deliverable, trust is key. When you're looking at a report from an independent provider, you need to know that the provider:

  • Is credible in the marketplace
  • Has experienced people performing the work
  • Has those people doing the testing and the evaluation and writing the report
  • Has individuals qualified to handle the subject matter of that particular report, which is often security

In addition, it's not just important to know which companies the firm has performed these assessments for. In Schellman's case, we work with over 900 companies on an annual basis, but what's more important are the customers of our clients who actually rely on these reports and trust them as they go through their vendor reviews and security reviews. You need to ask those types of questions because it all leads back to quality: if someone comes in, does a report in two weeks, obviously uses templates, and does not go into depth in testing, things can be missed.

The Final Report

It comes back to credibility, experience, and qualifications, and to whether or not that firm's reports get challenged. We've seen that. We've seen reports with quality issues that are challenged not by the clients who receive them, but by the clients' customers: banks, regulatory agencies, and other parties that look at these reports, go through them, and say, "Well, that doesn't seem right," or "That doesn't seem credible." That's where experience comes into play, and experienced, quality people are something that, for better or for worse, you have to pay more for.

So from our perspective, we want you to look at all the options and go in with your eyes wide open. We're happy to have a conversation about our capabilities and what differentiates us from firms that are bigger than us. I'll also clarify that just because a firm is smaller than Schellman does not imply a lower level of quality. It's about having good people. It's about having a good process for performing the work, understanding the environment, issuing the reports, and allowing our clients' customers to trust and rely on those reports for an extended period of time. We just want you to go in with your eyes open to the risks that can occur if you try to cut corners and go with a firm that is less qualified and less focused on quality and trust.

Contact us today to speak to one of our professionals, and from that first conversation you'll be able to see the types of individuals who would be performing those assessments for you.

About the Author

Douglas Barbin

As Chief Growth Officer and firmwide Managing Principal, Doug Barbin is responsible for the strategy, development, growth, and delivery of Schellman's global services portfolio. Since joining in 2009, his primary focus has been to expand the firm's strong foundation in IT audit and assurance to make Schellman a market-leading diversified cybersecurity and compliance services provider. He has developed many of Schellman's service offerings, served global clients, and now focuses on leading and supporting the service delivery professionals, practice leaders, and business development teams. Doug brings more than 25 years of experience in technology-focused services, having served as a technology product management executive, mortgage firm CTO/COO, and fraud and computer forensic investigations leader. Doug holds dual bachelor's degrees in Accounting and Administration of Justice from Penn State as well as an MBA from Pepperdine. He has also taken postgraduate courses on Artificial Intelligence from MIT and maintains multiple CPA licenses in addition to most of the major industry certifications, including several he helped create.
