The importance of choosing the right auditor
Since I’m in the business of helping organizations prepare for information security and data privacy audits, I’m often asked how to choose an auditor. This article discusses some of the considerations that companies should take into account when choosing an auditor.
Of course, the goal is to find an auditor who will be a good fit for their organization and provide a reasonably pleasant customer experience. Audits might not be fun, but they don’t have to be painful either.
Since there are many frameworks, such as SOC 2, ISO 27001, HIPAA, PCI, CCPA, and GDPR, it makes sense that there are a lot of different auditors. I’ll put them into a few buckets: “big four,” “big eight,” “large mid-tier brands,” and “everyone else.”
The big four
Let’s start at the top with the “big four” audit firms. They have brand prestige, they’re good for impressing your prospects and customers, they provide the highest level of assurance, they have considerable influence over AICPA audit standards and guidelines, and they’re super expensive.
Why would someone choose a big four auditor? First, their customers require it. The expectation with a big four audit is that it will be the most thorough, meticulous, and exhaustive. Everything will be done correctly in accordance with the relevant criteria and requirements. Big four customers tend to be large and/or inherently risky businesses. Think major cloud providers and big tech, large financial and insurance companies, big government contractors, and other large enterprises.
While a big four audit is the industry gold standard, it’s quite simply too expensive for most medium enterprises and small businesses to even consider. If you don’t have a specific reason, and your customers aren’t demanding a big four audit, this probably isn’t a cost-effective option.
The big eight
“Big eight” is the next tier below the big four. Like the big four, these firms target a similar market segment and are a good fit for enterprise customers who need a large, respected audit brand, but whose customers don’t specifically require a big four audit. This tier will provide a similar level of audit assurance and capabilities as the big four at a lower cost.
Large mid-tier brands
The next bucket of auditors is what I consider the large, mid-tier, brand-name firms. These audit firms tend to perform a number of different information security audits for many of the common security frameworks; they also typically provide consulting services and sometimes technical audit services like penetration testing.
These firms have strong marketing operations and are very visible in internet searches for things like “SOC 2 auditor” and “ISO 27001 auditor.” They are significantly cheaper than the big four; the audit methodology is less exhaustive and the level of assurance is arguably lower, though they still meet the requirements of most customers. These auditors are a fine choice for many companies. The brands are known and generally respected; however, there will be individual buyers who are knowledgeable about the industry and have a more negative opinion of certain auditors based on personal experience or some other factor.
One consideration for this type of auditor, as with any large company, is that consistency, customer experience, and quality control are ongoing challenges. You will engage with a dedicated sales team that will not be involved with the actual audit. The audit managers are typically experienced practitioners, but many of the actual auditors are young and fairly junior in the industry (this can be true with big four and big eight firms too).
When thinking about how to choose an auditor, remember that the auditor who gets assigned to your account can heavily impact your overall audit experience. Auditors may not remain the same year after year due to turnover or reallocation, and junior auditors are more likely to do things that customers find burdensome, such as asking for evidence that’s not relevant or required because it’s on their standard Information Request List (IRL) template. There is a higher likelihood that a junior auditor may have difficulty understanding non-standard practices or complex technologies and how they relate to real-world risks and standards—many of which have outdated control language that doesn't map well to current and emerging technologies. They can also get hung up on minor details that have little impact on real-world risk.
The final auditor bucket contains the “unknown brand” or, basically, “everyone else.” This is the most diverse and eclectic group. It could include large traditional financial CPA firms with a less well-known information security practice, boutique and independent firms run by former auditors and managers from the larger firms listed above, regional information security firms, and foreign firms based in another country but with an international audit capacity.
While this last pool can be a bit harder to assess, this is where small and mid-sized companies can find some real gems. Before I dig into the details, I’ll disclose my personal bias on how to choose an auditor. For almost all professional services, I typically prefer boutique providers. In smaller firms, senior management tends to be more hands-on, there is less separation between sales and operations, auditors themselves tend to be more senior, and the customer experience is overall more consistent and reliable. In addition, there’s less overhead to pay for the brand name which makes pricing more competitive. In my experience, boutique firms provide a “higher touch” experience as their auditors aren’t servicing as many clients simultaneously.
There are no good or bad auditors—just different
At the end of the day, it's not so much that auditors are fully “good” or “bad”, but it is important to pick the auditor that satisfies your goals and objectives; one that aligns with your needs, budget, and organizational culture.
Here’s a quick checklist of things we consider whenever we refer an auditor to one of our valued customers:
- Cost: What is the audit budget?
- Inherent risk: The inherent risk of the data you process will influence the expectations of your own customers.
- Brand: Who are the end-users and how sensitive are they to the auditor brand?
- Reputation and quality: Can the auditor provide strong and relevant references?
- Communication: Is communication timely and helpful? Are expectations set properly?
- Technical competence: Is the auditor experienced in relevant technologies like cloud and serverless architectures?
- Availability: Can the auditor deliver the audit at the time the customer wants?
- Timezone: Are time zones compatible for interviews and communications?
- Cultural fit: Do you simply “hit it off” with the auditor and like them and want to work with them? Are there any language barriers?
- Audit platforms and tooling: Are you aligned on the mechanics of the audit and evidence sharing methods? Can the auditor access and utilize evidence from your repository, or do you need to manually re-upload everything into their tool or platform?
Compliance is a bit like information security—it needs to be well-aligned with the organizational context and objectives in order to be efficient and cost-effective. Compliance enables the achievement of business objectives, it is not an end in itself. If this is not properly understood, organizations risk spending too much time and money on something that does not have a justifiable return on investment.
Beyond that, life is short. When you have choices, which you do in the case of your auditor, choose wisely. Your future self, and your organization, will thank you for it.
About the author: Matt leads the Privacy and Compliance team at Vanta. He has spent his 20+ year career in security and information technology. Prior to joining Vanta, Matt was the U.S. Director for the Cyber, Risk & Advisory practice at BSI where he led an information security consultancy providing risk management and readiness consulting for common industry frameworks such as ISO 27001, SOC2, HIPAA, and PCI. At Vanta, Matt works closely with audit partners, advises customers on security and compliance, and provides input to the product team.
PCI Compliance Selection Guide
Determine Your PCI Compliance Level
If your organization processes, stores, or transmits cardholder data, you must comply with the Payment Card Industry Data Security Standard (PCI DSS), a global mandate created by major credit card companies. Compliance is mandatory for any business that accepts credit card payments.
When establishing strategies for implementing and maintaining PCI compliance, your organization needs to understand what constitutes a Merchant or Service Provider, and whether a Self Assessment Questionnaire (SAQ) or Report on Compliance (ROC) is most applicable to your business.
Identify your PCI SAQ or ROC level
The PCI Security Standards Council has established the below criteria for Merchant and Service Provider validation. Use these descriptions to help determine the SAQ or ROC that best applies to your organization.
A SAQ A is required for Merchants that do not require the physical presence of a credit card (like an eCommerce, mail, or telephone purchase). This means that the Merchant’s business has fully outsourced all cardholder data processing to PCI DSS compliant third-party Service Providers, with no electronic storage, processing, or transmission of any cardholder data on the Merchant’s system or premises.
A SAQ A-EP is similar to a SAQ A, but applies to Merchants that don't receive cardholder data yet control how cardholder data is redirected to a PCI DSS validated third-party payment processor.
A SAQ D includes over 200 requirements and covers the entirety of PCI DSS compliance. If you are a Service Provider, a SAQ D is the only SAQ you’re eligible to complete.
A Report on Compliance (ROC) is an annual assessment that determines your organization’s ability to protect cardholder data. If you’re a Merchant that processes over six million transactions annually or a Service Provider that processes more than 300,000 transactions annually, your organization is responsible for both a ROC and an Attestation of Compliance (AOC).