supernav-iconJoin Us at AWS re:Invent 2024

Contact Sales

  • Sign In
  • Get Started
HomeGRC CentralSOC 2Audit Your Auditor

Audit Your Auditor: 5 Questions to Ask a Potential Auditor

Audit Your Auditor

What's Inside

Finding the right audit firm for your organization can make or break your audit experience. You’ll want to make sure they’re qualified, trustworthy, and have the right amount of experience and technical know-how to get the job done.

Contents
Why It’s Important to Vet Your AuditorHow to Audit Your AuditorHow to Find the Right Auditor

Not every audit firm will make sense for your business, and selecting an auditor can feel like choosing a new candidate to join your team. You’ll want to make sure they’re qualified, trustworthy, and have the right amount of experience and technical know-how to get the job done.

Finding the right audit firm for your organization can make or break your audit experience. As  auditor Jeffrey Filler mentions, communicating with your auditor early and often is crucial to a smooth and successful audit.

"With Drata, we had 98% of the requests upfront and ready for our auditors before they even asked for it." —Joe Reeve, Software Engineer

Read the Story

Why It’s Important to Vet Your Auditor

It’s no secret that achieving and maintaining compliance can be a lot of work. From writing your policies to implementing controls, it can take months to prepare for an audit. Unfortunately, a poorly executed audit does little to help you establish a security-first culture and build trust with your customers.

So, when it comes time to find an external auditor, you’ll want to make sure they’ll be a good fit for your organization.

New to SOC 2?

Learn how to get started and save time with our Start-to-Finish SOC 2 Guide.

Download Now

How to Audit Your Auditor

Asking your auditor these five questions can make all the difference in preparing for your audit and knowing what to expect

1. How Do You Approach Scoping With Clients?

This question by itself can give you extensive insight into how your audit will look. Working with your au

ditor to determine the scope of your audit—including which departments they plan to include and the main controls they plan on evaluating and why—can help your team know what to prioritize.

2. What Does a Typical Audit Engagement Look Like for Your Firm?

This question can help you understand how auditors structure their audits and give you insight to the key milestones to look out for along the way. This will also give you a clearer picture of what success looks like as the audit progresses.

3. How Will This Year’s Audit Differ From Last Year?

If you’ve undergone an audit before, especially with the same auditor, you can use those previous audits as a baseline for what to expect. Your auditor can go over any new changes that have been made to the audit team, their style of auditing or if any auditing standards have changed.

4. How Can You Ensure Independence?

Professional auditors follow a code of ethics that establishes their objectivity and independence in an audit—both in fact and appearance. Asking your auditor about the safeguards they have in place to remain independent can ensure a fair audit without any conflicts of interest.

5. Are You Familiar With Our Compliance Automation Platform?

If you’re using a compliance automation tool like Drata to help collect evidence, identify and mitigate risk, and streamline the audit process, having an auditor that’s familiar with that platform can facilitate a more effective partnership with your auditor. Auditors can use their side of the platform to evaluate your controls, generate reports, and communicate with you in real time.

How to Find the Right Auditor

So, you know what to ask your auditor, but how do you find a reputable audit firm in the first place? Well, we can help with that. Our auditor directory is filled with pre-vetted, trustworthy audit firms. Browse the directory by client size, region, framework, or more to find the firm that speaks to you.

Begin Building a Relationship with an Audit Firm

Explore our Audit Network directory and jump start your SOC 2 process.

Learn More

If you’re already vetting audit firms, some additional topics to consider discussing are:

They Understand Your Industry

Fintech companies working with large financial institutions will have different requirements than a healthcare tech company working with large hospital systems. It’s never a bad idea to kick off your auditor interviews with questions about their industry experience and requests for industry-specific references.

They Understand Your Tech Stack

Do they know what you mean when you say AWS S3? CI/CD?  If you start talking about your tech stack and they don’t seem to know what you’re talking about, this may be worth digging into further. You want an audit firm that can speak intelligently about the tools you’re using.

They Are Collaborative

Auditors should be explaining things as they go. They should be asking you lots of questions to make sure they understand your full program set-up, and if they come across a potential problem, you want someone who will bring it to you and ask deeper questions to help resolve it. 

They Have Solid References

You really want an audit firm that has deep, consistent experience. Ask for references and make sure they are industry-relevant and recent. If the last audit the firm did was nine months ago, they’re probably at least a little rusty. If they only have one reference in your specific industry, they might simply not be a fit for you.

Audits can be a stressful time for businesses, especially for first timers. Thoroughly researching and vetting your auditors gives you the best chance of having a smooth, communicative audit.

Get Audit-Ready Faster With Drata's SOC 2 Compliance Solution

Book a demo of Drata’s SOC 2 compliance solution to learn how to get audit-ready faster.

Schedule a Demo

Keep Reading

See More
SOC 2 Audit Hero Image

ARTICLE

SOC 2 Audits: What You Can Expect From Start to Finish

SOC 2 Readiness Assessment

ARTICLE

Prepare for Your Audit With a SOC 2 Readiness Assessment

Audit exceptions

ARTICLE

SOC 2 Audit Exceptions: What Are They and How to Avoid Them

SOC 2 Report

ARTICLE

What Is a SOC 2 Report?

Take Your Learning Further

Discover research, playbooks, checklists, and other resources on SOC 2 compliance.

Explore SOC 2 Hub