The reason for that is that the process of a SOC 2 exam is complex. Let’s just take the project management piece, and let’s say there are roughly 1,000 different tasks to complete – selecting the wrong person to direct this orchestra can make your life miserable.
Beyond project management, the SOC 2 process is filled with subjective technical decisions where the ramifications on your customer’s perception of you as a business can be significant. Part of the auditor’s role is to assess that the identified control framework is sufficient to support the SOC 2 criteria – if the auditor does not have sufficient experience to understand what is ‘sufficient’ for your industry, your report may stick out like a sore thumb to those who know.
Your auditor is also obviously responsible to decide the evidence that is sufficient to give them reasonable assurance. You’ll find there is an array of standards when it comes to how much evidence is enough.
So how do you select a SOC 2 auditor?
You to work with a firm that:
- Is not just checking the box – Someone who understands that the business comes first, and that compliance is just a way to talk about the things that are important to the business and their users.
- Is efficient – ask the auditor what the timeline for getting a report issued will be, ask about each step in the timeline – they should be able to give you an estimate, if not, that may be a red flag.
- Is communicative – you’ll be hanging out with these people a good amount, ask the auditor what their communication plan for project status, any issues to be aware of (weekly syncs? Dashboard?).
- Do they use Plain English? Or do they speak in AuditSpeak (vague or industry-specific terms that you don’t understand but make them seem important).
- Uses effective platforms – Ask the name of the software they use for an Evidence Request List – better yet, ask for a 5 minute demo – you will be spending a lot of time on this platform, and if it is not good, it will cause headache and lost, never-to-be-recovered hours for your team.
- Uses straightforward pricing – ask them how they price engagements. What would cause them to raise fees, and at what point would that be communicated?
- Is reputable for your industry – do your report users expect to see a certain type of CPA firm on the report? If you don’t know, interview the customers/prospects/partners who are asking for your report.
- You can afford – Ask for an estimate of their fees. Hopefully they can provide you this on the initial phone call.
You might notice I stuck ‘fees’ at the bottom of the list. Fees are important. But far too often they are the primary driver in selecting an auditor, and the true downstream cost of this decision can be detrimental. If someone offers you a 50% discount on a bad investment, it’s still a bad investment.
Bonus content for scrolling down this far:
So now you know what to look for, but how do you actually find a real company that fits the bill?
Unfortunately there is no Yelp for professional services that delivers trustworthy reviews. Not that I’ve found, at least. So, you can:
- Ask a company (maybe a partner of yours, investor, etc) who you trust, who has done SOC 2 before, and ask them who they use. Ask them detailed questions to find out if the auditor would be a good fit for you
- If you are working with a consultant to implement or manage your SOC controls, ask them who they would recommend.
- Once you have a few auditor candidates, review their websites to see if they are someone you would want to work with. For example, check out ours.
- Schedule a call with them (both to get to know them as a person, and to ask detailed questions about their process – and I mean detailed; a little discomfort here can save a lot later on).
Looking for an auditor who can help guide you through the SOC 2 process? – Contact Render
