How to Hire a CPA Firm for Information Security Audits

by Sarah Harvey / November 27th, 2018

What Type of CPA Firm is Right for You?

Before choosing an audit firm to work with, you must understand why, for some types of audits, you need a CPA firm to perform the services. Clients and prospects ask us all the time why accountants are allowed to perform information security audits. We understand the confusion behind this sentiment and want to provide some clarity.

The AICPA’s SOC suite – SOC 1, SOC 2, SOC 3, and SOC for Cybersecurity – consists of attestation engagements performed under AICPA standards, which means a licensed CPA firm must perform the audit and issue the report. Why a CPA firm? To name just a few reasons: integrity, independence, and accountability. A CPA firm is bound by professional standards, independence rules, and state licensing, and it can be held to account for the opinion it signs. There are many different types of CPA firms, though – bookkeeping, forensic, risk, tax, full-service, and audit firms. You specifically want a qualified CPA firm that specializes in information security auditing. We know it’s not a simple choice. When winning a new client, complying with regulations, or your business continuity depends on an audit, you want to make the right choice about who performs that audit. Let’s talk about five steps you can take when choosing a qualified CPA firm to partner with on your information security audits.

Steps to Choosing a Qualified CPA Firm

  1. What makes someone an expert in information security? You don’t want to hire just any CPA firm; you need a firm where most employees hold more than one information security certification and have extensive experience. It may seem daunting to find this information, but a little due diligence goes a long way. Look on the firm’s website, ask for an auditor’s bio or resume, and research what the certifications they list actually cover. What information security certifications do their members of leadership have? What information security certifications do their auditors have? At KirkpatrickPrice, our average auditor has 17 years of experience and we require specific certifications upon hire. Why would you let someone who doesn’t specialize in information security, IT, or cybersecurity audit your IT department, systems, data, infrastructure, and processes? Your auditor must have the relevant experience to perform this service well.
  2. Does the firm really specialize in information security? When choosing a qualified CPA firm, you want a firm that can help you reach all of your compliance goals. Let’s say the firm only offers SOC 2 services – what happens if you need help with policy and procedure writing, penetration testing, or SOC for Cybersecurity? Research the rest of their services to ensure you choose a CPA firm that can meet all of your needs.
  3. Does the firm have a peer review and quality assurance program? If the CPA firm doesn’t undergo peer review, you’ve already caught a flaw: CPA firms that perform attestation engagements such as SOC reports are required to undergo peer review under the AICPA Peer Review Program, generally on a three-year cycle. Ask to see the firm’s most recent peer review report and whether it received a “pass” rating. The firm you choose should also have a quality assurance team or process that ensures test results are timely, repeatable, accurate, and retained.
  4. Is the firm committed to quality? You want to work with a CPA firm that has a proven track record of delivering thorough, quality audits; no shortcuts, no outsourcing. You’ll want to find information on how many services they offer, how many audits they perform on a yearly basis, if they can deliver multiple audits, and if there are any reported complaints against the firm.
  5. Do the firm’s values align with yours? When choosing a business partner, you want someone whose principles and values support yours, someone who values your time and money, and someone you can have a positive relationship with. These same qualities apply when choosing an audit firm. You don’t have to choose the firm with stereotypical auditors, the cheapest firm, or one of the Big Four. You can find a CPA firm that wants to partner with you to help you reach your compliance goals. At KirkpatrickPrice, we want to educate, empower, and inspire your organization to greater levels of assurance.

Working with a CPA Firm

Choosing a qualified CPA firm to perform your organization’s information security audits can be difficult. It may be more expensive, it may require a deeper level of due diligence, and it may mean putting your compliance into the hands of a firm you haven’t heard of before. But a thorough, quality audit performed by someone with the experience to do it will pay off in the end. What would it cost you if your top client was not satisfied with the quality of your audit? In the current threat landscape, it’s crucial for organizations to find CPA firms that take risk factors, security and privacy obligations, information security, and cybersecurity seriously. We know you need validation of your security methods. We know you need someone to make information security more approachable. We know you need someone to uncover the risks and security vulnerabilities that you don’t know about. In a day and age when security controls must be strong and effective against advanced threats, KirkpatrickPrice’s mission is to deliver quality services.

More Resources for Choosing a Qualified CPA Firm

5 Questions to Ask When Choosing Your Audit Partner

When Will You See the Benefit of an Audit?

Getting Executives on Board with Information Security Needs