4 Common Misconceptions About Auditors
There are a number of misconceptions made every day by companies about the auditing process and auditors themselves. You might have come across them as you prepared for or went through your first audit process. Doing your research is important in choosing the right auditor firm—it’s why we’ve dispelled four common misconceptions about auditors below.
1. All Auditors Follow the Same Methodology
Believe it or not, there is no auditor handbook or school every auditor graduates from. A lot of people think auditors are provided exact directions on how to conduct an audit, what specific evidence is deemed acceptable, and what controls are needed to meet requirements. The truth is, most of this is subjective. Auditors are allowed to use their professional judgment in many cases when determining different aspects of an audit and how it is completed.
Every auditor has their own unique experiences, educational background, and training. There’s no degree that must be acquired or specific experience someone might need to pursue becoming an auditor.
Information security auditors usually have excellent communication and organizational skills, a sense of integrity, information security knowledge, and consider themselves tech savvy. Those traits set them up for success in their roles when firms take them through training. That said, firms train their employees in different ways and they may not have the same framework expertise or follow the same auditing methodology—which brings us to the next misconception.
2. The Same Auditor Can Audit for All Frameworks and Industries
There are over a dozen security frameworks, standards, and regulations that are popular/common for organizations to pursue. The auditor that conducted your SOC 2 may not be the one accredited to also perform an ISO 27001 certification audit or a FedRAMP assessment.
If your company’s industry shifted upon an acquisition or merger, you may also need to seek out a different audit firm to work with. A fintech company working with large financial institutions and a healthcare tech company working with large hospital systems will have varying control requirements. It’s crucial to choose an audit firm based on your needs. A former auditor you worked with may have recommendations on who to work with if they don’t specialize in a certain standard or regulation.
3. You Don’t Need to Establish a Relationship With Your Auditor
Many organizations like the idea of never having to speak to an auditor. However, it’s important to remember that your auditor wants you to succeed.
In cases of SOC 2, CPA firms can perform a readiness assessment prior to the SOC 2 Type 1 “As of” date or the start of your SOC 2 Type 2 audit period. During the readiness, your SOC 2 auditor will help you prepare for the SOC 2 audit and provide recommendations to help reduce the likelihood of issues being identified during the actual SOC 2 audit.
With other standards, like ISO 27001, they are unable to give helpful guidance due to the strict requirements around maintaining independence from the organization they are certifying.
Regardless, if you’re looking to build a security-first culture within your organization, you understand that compliance isn’t a one-and-done deal. Communicating with your auditor and understanding their expectations will be key as you improve and maintain your security program.
4. Your Auditor is Out to Get You During an Audit
Many people hear the word “audit” and panic at the thought of a third party going through evidence collection and evaluating their programs. They think their auditor is out to get them and wants to find issues during the audit process. We’re happy to tell you that this is especially not the case—auditors want to help their customers succeed! They want to help their customers achieve their compliance goals. Many are willing to give you chances to provide evidence in support for compensating controls. They will give you opportunities to meet requirements, even if the first piece of evidence does not meet your needs. We know they want you to succeed because we hear it from our audit partners.
Drata’s Audit Partners
Drata was built with the auditor in mind. With features like a separate auditor view, your auditor will only have access to the evidence they need to see and can download everything into one simple ZIP file for an efficient and seamless auditing experience. We’re also equipped with an in-house team of former auditors and compliance experts dedicated to enabling auditors on our platform and providing support during audits.
Drata has a number of audit partners that we trust to support our customers on their security and compliance journeys. Book a demo if you’re looking to begin automating your compliance journey and get connected with our trusted audit partners. If you’re an audit firm interested in expanding your client reach, sign up to get a tour of the Drata platform, or contact auditors@drata.com.