5 Questions to Ask When Choosing Your Audit Partner
How do you choose the right audit partner for your compliance journey?
To protect your data and your reputation through an information security audit, you must first choose an audit firm. This firm will have access to your people, your assets, your data, and your risks. Choosing it can feel overwhelming, but it is extremely important. Hiring a firm to provide information security audit and assurance services is the first step in building a relationship with the professionals who will be uncovering unknown weaknesses, testing your security and privacy practices, and preparing you for future compliance efforts.
Choosing an audit firm to partner with requires your time and your resources but is a decision that can affect the well-being of your organization. We know this is an important choice, so let’s look at a few questions to consider when choosing an audit firm.
- Is the firm qualified?
When you’re undergoing something as important as an audit, you want to work with someone who is qualified to give you the best audit possible. For any information security audit, you need to hire a firm that is appropriately qualified and employs experts. What makes someone an expert? It may sound obvious, but for an information security audit, your auditor needs to hold information security certifications, and the continuing education those certifications require shows that they stay up to date on current cybersecurity and compliance practices and regulations.
These are the certifications you should look out for based on the type of audit you need:
- For a general information security audit, look for certifications like CISA, CISM, CRISC, or CISSP.
- Need a SOC 1 or SOC 2 report? SOC reports can only be issued by a licensed CPA firm, so you need to find a CPA who has also earned information security certifications. All too often we see SOC audits performed by someone who is a CPA but isn’t experienced in information technology or security.
- Need a PCI DSS Report on Compliance (RoC)? You need a Qualified Security Assessor (QSA).
- If you need a HIPAA audit, look for an HCISPP certification or someone who is well-versed in regulatory compliance and privacy law.
- For a HITRUST CSF assessment, first find a CSF Assessor firm, and then you’ll be working with a CCSFP.
- Look for CEH, GPEN, GXPN, or GWAPT certifications when you need someone to perform penetration testing.
- What about an audit to validate your cloud service or environment? You’ll want to work with someone who has a CCSP or CCSK certification.
Not only should you make sure your auditors have the proper certifications to deliver the audit report you need, but they should also have enough experience. Will you be working with a junior auditor or a recent graduate? For a quality, thorough audit, you want to work with a skilled professional who has a diverse, extensive background in information security and technology. This enables the auditor to comprehensively test, analyze results, and use those results to support future compliance efforts.
Finding a qualified auditing firm may take extra research, but in the end it will be worth it.
At KirkpatrickPrice, our certified auditors have completed over 10,000 audits and have 20-30 years of industry experience. Make sure you partner with a firm that has all of the qualifications to allow your organization to succeed.
- Is the firm committed to quality?
There are many benefits that stem from an information security audit, but its core goal is to protect and validate the security of your services. In an age when security controls must be effective against advanced threats, the audit firm you choose should have a commitment to quality that starts at the top and runs throughout the organization. Think about what it would cost you if your top client were not satisfied with the quality of your audit.
To determine if a firm is committed to quality, we recommend reading the firm’s client testimonials, asking about a peer review, and requesting information on their quality assurance process.
- Reading testimonials or speaking to any of the firm’s references is a good place to start when trying to see a commitment to quality. Examine what types of companies have provided a testimonial, how long they’ve been working with the firm, what type of assurance service they received, and if their testimonials detail the quality of the audit that they received. Do they talk about being educated by the auditor or feeling like a partner in the process?
- If the firm doesn’t undergo a formal peer review, especially if it’s a CPA firm, this is a red flag. You want to work with a firm who has independent assurance that they’re delivering quality audits.
- The firm you choose should also have a quality assurance program. If they do not have a quality assurance program, how does the firm ensure that their testing results and reports meet timely, repeatable, accurate, and retainable standards?
- The firm should take the time to understand your processes and procedures. A firm that doesn’t actually read your policies and visit your offices is bound to miss something that could end up costing your organization thousands, if not millions of dollars. What’s the point of showing an auditor your policies and procedures if they don’t take the time to make sure they are accurate and effective?
A quality audit may take more time and cost more than a less thorough audit, but we believe that taking the time to do something right the first time is better than having to deal with complications later on.
- Do the firm’s goals align with yours?
When working with any type of business partner, you want to work with someone whose principles and mission support yours, someone who values your time and money, and someone you can have a positive relationship with. The same qualities should apply to your audit firm. You don’t have to choose the stereotypical firm, the cheapest firm, or the firm with a household name. You can find an audit firm that wants to educate, empower, and inspire your organization to greater levels of assurance. With a little research or a short conversation, you should be able to determine whether the firm you’re vetting is the type of business partner you want.
- An audit firm’s mission, vision, or value statements should be readily available to the public. If you don’t see the qualities that you’re looking for – integrity, innovation, quality, transparency, and education – take that into account.
- When you speak to members of their sales team, do you feel like they want to help your organization reap the full benefits of an audit? Listen for points like avoiding breaches and security incidents, meeting regulatory obligations, strengthening your business practices, attracting new customers, or improving your operations.
Working with a firm that cares about what your organization stands for and wants to help you meet your compliance goals is better than an “off the rack” audit. Choose a firm that has the ability to customize the audit process for you.
- How can the firm help you prepare?
An audit will cost your organization time, money, and resources. In order to receive the best quality audit and outcome, look for a firm that can help your organization prepare for the audit.
- Does the firm offer services like consulting, remote or onsite gap analyses, or remediation plans? This is an especially important question if it’s your organization’s first time through an information security audit. Knowing what steps to take before you even start an audit can feel overwhelming, but if you find a firm who can not only help you complete an audit from start to finish but also provide the prerequisite steps for an audit, the process can feel more manageable.
- Does the firm produce educational content like a blog, training videos, white papers, or webinars? Content like this shows the firm’s commitment to educating and empowering their clients and can be a valuable resource to your team before, during, and after an audit.
- Does the firm have any support staff that will be available to your organization? Before choosing a firm to work with, make sure you feel like they will give you the support you need to make it through an audit. If the firm has custom software, ask about training. No matter the size of the audit firm, ask if you will be working solely with an auditor or if there will be some other type of support personnel on your engagement team.
If an auditing firm doesn’t take the time to help you prepare for an audit, how can you know if they’ll be there to support you and answer your questions during the audit?
- What does the audit process entail?
When considering something as involved as an information security audit, you need to understand what you’re getting into before you start. The audit firm you choose should be able to easily explain their audit process to you. This should include steps like:
- Gap analysis and remediation
- Scoping and project planning
- Information gathering and documentation review
- An onsite visit
- Report delivery
Understanding an audit firm’s audit process will help you determine whether the firm can meet your deadline and provide the types of services you need.
Finding the audit firm that’s right for your organization is intimidating. With every firm claiming to be the best, how can you really know who will deliver the audit that will make sure your organization is as secure as possible?
At KirkpatrickPrice, our qualified auditors, commitment to quality, and client dedication speak for themselves. Since 2007, we have not stopped working to provide quality audits that help our clients stand out against their competitors. We want to cultivate a positive relationship with our clients, provide an expert, senior-level auditor on each engagement, and use a unique online methodology to streamline the audit process, saving you time, money, and resources.
An audit from KirkpatrickPrice means education, empowerment, and positive growth for your company. We invite you to ask us the five questions you just read about and see if our answers align with your organization’s compliance goals.