What's Inside
Finding the right audit firm for your organization can make or break your audit experience. You’ll want to make sure they’re qualified, trustworthy, and have the right amount of experience and technical know-how to get the job done.
Audit Your Auditor: 5 Questions to Ask a Potential Auditor
Finding the right audit firm for your organization can make or break your audit experience. You’ll want to make sure they’re qualified, trustworthy, and have the right amount of experience and technical know-how to get the job done.
Get Started With Drata
Not every audit firm will make sense for your business, and selecting an auditor can feel like choosing a new candidate to join your team. You’ll want to make sure they’re qualified, trustworthy, and have the right amount of experience and technical know-how to get the job done.
Finding the right audit firm for your organization can make or break your audit experience. As auditor Jeffrey Filler mentions, communicating with your auditor early and often is crucial to a smooth and successful audit.
It’s no secret that achieving and maintaining compliance can be a lot of work. From writing your policies to implementing controls, it can take months to prepare for an audit. Unfortunately, a poorly executed audit does little to help you establish a security-first culture and build trust with your customers.
So, when it comes time to find an external auditor, you’ll want to make sure they’ll be a good fit for your organization.
Asking your auditor these five questions can make all the difference in preparing for your audit and knowing what to expect
This question by itself can give you extensive insight into how your audit will look. Working with your au
ditor to determine the scope of your audit—including which departments they plan to include and the main controls they plan on evaluating and why—can help your team know what to prioritize.
This question can help you understand how auditors structure their audits and give you insight to the key milestones to look out for along the way. This will also give you a clearer picture of what success looks like as the audit progresses.
If you’ve undergone an audit before, especially with the same auditor, you can use those previous audits as a baseline for what to expect. Your auditor can go over any new changes that have been made to the audit team, their style of auditing or if any auditing standards have changed.
Professional auditors follow a code of ethics that establishes their objectivity and independence in an audit—both in fact and appearance. Asking your auditor about the safeguards they have in place to remain independent can ensure a fair audit without any conflicts of interest.
If you’re using a compliance automation tool like Drata to help collect evidence, identify and mitigate risk, and streamline the audit process, having an auditor that’s familiar with that platform can facilitate a more effective partnership with your auditor. Auditors can use their side of the platform to evaluate your controls, generate reports, and communicate with you in real time.
So, you know what to ask your auditor, but how do you find a reputable audit firm in the first place? Well, we can help with that. Our auditor directory is filled with pre-vetted, trustworthy audit firms. Browse the directory by client size, region, framework, or more to find the firm that speaks to you.
If you’re already vetting audit firms, some additional topics to consider discussing are:
Fintech companies working with large financial institutions will have different requirements than a healthcare tech company working with large hospital systems. It’s never a bad idea to kick off your auditor interviews with questions about their industry experience and requests for industry-specific references.
Do they know what you mean when you say AWS S3? CI/CD? If you start talking about your tech stack and they don’t seem to know what you’re talking about, this may be worth digging into further. You want an audit firm that can speak intelligently about the tools you’re using.
Auditors should be explaining things as they go. They should be asking you lots of questions to make sure they understand your full program set-up, and if they come across a potential problem, you want someone who will bring it to you and ask deeper questions to help resolve it.
You really want an audit firm that has deep, consistent experience. Ask for references and make sure they are industry-relevant and recent. If the last audit the firm did was nine months ago, they’re probably at least a little rusty. If they only have one reference in your specific industry, they might simply not be a fit for you.
Audits can be a stressful time for businesses, especially for first timers. Thoroughly researching and vetting your auditors gives you the best chance of having a smooth, communicative audit.
Keep Reading
Take Your Learning Further
Discover research, playbooks, checklists, and other resources on SOC 2 compliance.