How to Choose the Right SOC 2 Auditor
The selection of a SOC 2 auditor can be daunting. How do you find one, what should you consider when choosing a SOC 2 auditor, and what interview questions should you ask them? Will they understand your unique environment, product or challenges? Ultimately, the final decision is up to you to select the auditor that best understands where you are now and can be a partner in your journey. SOC 2 is a multiyear journey, so my best advice is to make sure you get along with the audit partner, director or lead who will be in charge of your account. If selecting an auditor fills you with panic and dread, take a deep breath and remember: it doesn’t have to be when you know what you are looking for.

What SOC 2 Auditors Can and Can’t Do

It is important to level-set your expectations for what a SOC 2 auditor can and can’t do. A good auditor absolutely can be a partner on your journey; they can help you flush out controls you may have missed that you should get credit for; they can suggest edits to your system description and can suggest refinements to your controls language. A great auditor will also provide post-audit recommendations and point out areas for improvement.

Auditors are required to be independent to meet the standards of their governing body (the AICPA) and can objectively opine on your system description and the design and, in a Type 2 audit, the effectiveness of your controls. They can never perform a control, design a control or tell you exactly what to do. But a great auditor does have a way of dropping hints that can point you in the right direction.

Questions to Ask Auditors

We suggest you interview at least three auditors and ask them the same questions. The questions below may be helpful in the selection process.

What is your experience with a company of our size and level of security (or privacy, confidentiality, availability, processing integrity) maturity?

You are looking for a firm that has experience auditing companies similar to yours in size and level of security maturity. If you are a still-growing startup and they have no experience with still-growing startups, their recommendations won’t make sense for your stage of the journey. Whether you are privately held or a public company; whether you employ thirty people or thirty thousand; whether you’re a brand-new startup or you have been around for a while and already have a solid security program, you want to choose an auditor who understands who and where you are.

Source: Security Boulevard