Three Questions To Ask Before Choosing a Low-Cost Audit Partner

So you were told you needed a SOC 2, maybe a PCI assessment, or perhaps even an ISO certification in order to close the deal. Well, exactly who do you choose? Who's going to be the right fit? And how would you know?

Well, there's a sliding scale to just about everything in compliance: from very high risk to low risk, from very comprehensive to high level, and yes, from very expensive to bargain basement.

Well, if you would like a plain English understanding of the three questions that you must ask when considering a low-cost audit provider, you've come to the right place. Let's get started.

This is Ryan Buckner here, chief knowledge officer at Schellman. Now you need an audit and you also need to know the right auditor at the right price. Now, here at Schellman, we've been doing cybersecurity assessments and audits for over 20 years. And from our very early days as a startup to where we are today, we've competed at just about every price range, whether it's against the big four or against the smaller firms that are just getting started. Well, today we're going to dive in on the three most important questions that you need to consider at any price.

Question #1: What are they selling?

Now, the very first question that you should ask is, what are they selling? You see, oftentimes low-cost audit providers can make promises and create expectations that your audit report is just a few button clicks away. Why? Because they've got a special tool or software that does all the work. While automation makes perfect sense when it is optimized, overreliance on software and templates can take the very purpose of your audit and commoditize it, or package it in a way where it loses all competitive advantage. After all, your report could look nearly identical to all of their other client reports, but perhaps not your competitor's report.

The Ask:
Ask your auditor exactly what software and tools they will be using to promote efficiency on your project, and ask to see an example of one of their reports. If it looks boilerplate, lacks detail, and reads like a script, just know that your audit experience may also lack the attention to detail that it deserves.

Question #2: What are you buying?

Your second question needs to be: what are you buying? Whatever the audit firm, whether they sponsor professional golfers or they audit part-time, the auditor team that serves your organization needs to have very deep professional experience to get it right the first time at any price.

Now, if your organization is low on funds, you're probably low on time as well. And the last thing you need to do is to micromanage external auditors that don't know your industry, need to learn theirs, and see your next audit as the very best opportunity to learn both. Ouch!

The Ask:
Ask your prospective auditor for the direct professional experience of the auditors that will be serving your next project, including their certifications and the specific details related to the types of projects that they've performed in the past. Do not accept the inflated numbers of the firm as a whole or the high-level partners and directors, as they will not be the ones that are likely to be pulling samples, interviewing your personnel, or requesting evidence. In fact, you need to know the specific experience of the specific people that will be serving on your project team. This is information they should be happy, if not proud to share with you.

Question #3: What happens after the audit?

The third question that you should ask is: what happens after the audit? And this is important because the purpose of any audit is to help your business partners and customers manage risk. And this is especially important in those moments where that audit report or that assessment needs to bring money in your door.

A picture is worth a thousand words and an auditor's reputation, well, it can be worth millions.

The Ask:
Ask your auditor for specific client references at their major clients, as well as contacts at organizations in your industry. While a quality audit may be expensive, a rejected report will always be costly. Your selected auditor should easily be able to demonstrate who relies on their reports and validate their quality of service and reputation through references. Unfortunately, lower-cost auditors tend to have lower quality control and customer experience scores, both of which should be avoided at any cost.

So there you have it. The next time you consider any audit firm at any price, you need to make sure that all of your questions related to their efficiency, their experience, and their quality of service are fully and thoughtfully answered. Contact us now to have a conversation about your specific budgeting and assessment needs.

About the Author

Ryan Buckner

Ryan Buckner is a Principal and Chief Knowledge Officer at Schellman. Ryan currently serves on Schellman’s attestation leadership team and leads the firm-wide research and development for attestation methodology. Ryan is a CIPP, CISSP, CISA, ISO 27001 Lead auditor, and maintains multiple CPA licenses, among other certifications. Ryan is also an AICPA-approved and nationally listed Peer Review Specialist for SOC examinations. Having directly performed and completed over 1,000 service audits, Ryan is one of the most experienced service auditors in the world.
