Auditing the auditors: 8 steps to performing diligence on your biggest investment

In a world of 5-star Yelp reviews and verified-purchaser Amazon reviews, most of us think we can trust our judgment when it comes to choosing the right auditor. But pay-for-play reviews are one thing when you are purchasing dinner or shoes. Getting reliable reviews of, and placing reliable trust in, the auditor for your infosec compliance audit is something altogether different.

It is more important than ever to be sure that the firm you rely on to assess your compliance across a multitude of compliance frameworks and regulations – SOC reporting, HITRUST, HIPAA, PCI, and ISO 27001 to name a few – is a true and valid partner for your business. Not getting it right can have material consequences. To help you conduct due diligence on your SOC reporting auditor, we put together this 8-step guide so you can make an informed decision.

Why it’s more important than ever

Having been an auditor and compliance expert for my entire career, I’ve collected an unfortunate number of horror stories from companies that were stuck in challenging situations. Their individual stories are unique, but they almost always come back to one of these issues:

  • The audits the firm produces are not in line with the professional standards
  • The firm itself is not a licensed CPA firm 
  • The audit firm is not licensed to conduct audits in the state where the customer is based
  • The audit firm “partners” with a compliance automation vendor, but forces the customer to use another platform for the audit 
  • The compliance software vendor offers a long list of potential auditors without having done any due diligence themselves on the qualifications of that audit firm 

As more and more firms rush into the infosec audit space, these horror stories are unfortunately becoming more common. In one recent example, a SOC 2 Type 2 report we reviewed showed that the audit firm had only tested controls at a single point in time, whereas a Type 2 report requires an evaluation of controls over a period of time. This material deficiency renders the SOC 2 Type 2 report invalid and exposes the company to the risk of having shared an invalid SOC 2 Type 2 report with its customers.

When any of these things happen, the ramifications can be significant. An invalid audit report, lack of trust with procurement and legal teams, and loss of reputation can all lead to significant business losses. The victim in these situations is the business trying to do the right thing. This is why proactively vetting an auditor is increasingly salient.

Auditing the auditors

If the key to real estate is “location, location, location,” the key to auditors is “reputation, reputation, reputation.”

Every company seeking an infosec audit, whether for the first time or for renewal with a new firm, needs to perform due diligence not just on the compliance automation software (e.g. how it can help automate evidence collection, preparation, and scoping) but also on the auditor and the audit reports they will produce.

Knowing what to expect from an auditor is not unlike knowing a lender, financial planner, or even doctor. It all comes down to trust, and trust is best proven by long reams of evidence and/or experience. Barring that, businesses looking for a new auditor should consider these steps in performing diligence:

  1. Verify licenses and qualifications: Always start by verifying the auditor’s licenses and qualifications. The licenses should be both on the firm level and the individual auditor. For example, for SOC 2 audits, they must be performed by a licensed CPA firm, signed off on by an individual that is a CPA, and the firm must be enrolled in the AICPA Peer Review Program. You can verify each of these requirements through the links below:
    1. CPA firm licenses and individual CPA licenses: Use CPA Verify to verify both the firm and the reporting partner’s licenses (these are two different licenses). Remember, the CPA firm must be registered in the state they do business in and the state of your corporate headquarters. Reciprocity may apply depending on the state. If in doubt, reach out to the state board of accountancy where your corporate HQ is located and verify directly with them. Most of them will have their own databases where you can search. 
    2. To verify whether or not the CPA firm is registered in the AICPA Peer Review Program, you can check the AICPA Peer Review Program Public File Search. Once you verify, ask the auditor for their most recent peer review to verify the results. 
    3. In addition to the CPA license requirement to issue SOC reports, infosec auditors should also have information security certifications. Common certifications for infosec auditors include Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM),  Certified Information Systems Auditor (CISA), and various cloud service provider certifications. Confirm that the auditor holds relevant and up-to-date certifications.
  2. Review experience and expertise: Evaluate the auditor’s experience in conducting information security audits, either in your specific industry or across multiple industries (if you want a diverse background for context). Experience in auditing similar-sized companies is often a good indicator of their ability to work with you and meet your needs.
  3. Request references and reviews from past customers: Request references from past customers who have undergone audits conducted by the auditor. Any auditor with relevant experience should be able to provide case studies, samples, and/or contact information for past customers who can speak to their professional and successful engagement. 
  4. Understand audit methodology: Inquire about the auditor’s audit methodology and approach. Ensure that their methods align with industry best practices and professional standards. This is especially important if you’re using compliance automation software. No matter what the compliance automation vendor tells you about their technology, the auditor is required by every information security standard to perform procedures on the evidence they rely on during the audit. That is, the auditor must verify any automation or automated evidence used in an audit through inspection of each integration and each source system. An auditor in compliance with the professional standards will never blindly trust third-party software without the appropriate verification.
  5. Review past audit reports: Review sample audit reports and documentation provided by the auditor. This will give you insights into their reporting style, clarity, and the depth of their analysis. Ensure that their reports are comprehensive, address all relevant areas, and meet the structural requirements of that framework.
  6. Insist on insurance and liability: Check if the auditor carries professional liability insurance. This can provide an additional layer of protection in case of errors or omissions during the audit process.
  7. Prioritize consistent communication and collaboration: Assess the auditor’s communication skills and their ability to collaborate with your internal teams.
  8. Consider legal and ethical aspects: Sometimes diligence can start with a simple Google search: do the details on their website match their documents? Are there good reviews for their services? Look for consistency and transparency. Ensure that the auditor follows legal and ethical guidelines. This includes respecting confidentiality, disclosing any potential conflicts of interest, and conducting the audit in a transparent and unbiased manner.

Go with the safe bet

Pursuing compliance reports is not always a company’s top priority. As a result, the discovery process can be last minute and driven by an incomplete set of priorities. While it makes sense to consider things like price and ubiquity as part of this exploration, those should never be the deciding factors. Compliance is simply too important for your business.

At Thoropass, we’re transparent about our process, experience, and results. Our customer team onboards customers and never leaves their sides. And our auditors meet customers upfront, seamlessly receive evidence from the platform when it’s time for audit, and produce reports that are universally accepted and best in class.

Regardless of which compliance or audit solution a company goes with, I encourage them to do the diligence on the most important part of the process, the auditor and the audit report, before they make any decision.
