
What To Look For When Choosing An Auditing Firm

Audit Readiness

[NOTE: Schellman has since updated this content in a more recent article.]


Think of your auditing firm like you would a long-term business partner. They are someone you will work with year after year, and they will be an integral part of setting the stage for your organization’s success. As such, the act of selecting the appropriate assessor shouldn’t be taken lightly. Here are several key qualities your organization should look for when choosing an auditing firm:

The Right Qualifications

Naturally, make sure the auditing firm you’re scouting looks good on paper. Ask for proof of their training and qualifications that certify them to perform the assessments your organization requires. They should have an external auditor certification and certified public accountant (CPA) licensure. It is rare to find a firm that is a globally licensed PCI Qualified Security Assessor, an ISO Certification Body and a FedRAMP 3PAO, in addition to a CPA and external auditor. If you find one—don’t let them get away!

One Auditing Firm That Does it All

Find an auditing firm that specializes in several assessments, including:

  • SSAE 16 (SOC 1)
  • SOC 2 / SOC 3
  • HIPAA / HITECH / HITRUST
  • ISO Certification
  • PCI Annual Validation
  • FedRAMP Assessment
  • CSA STAR Assessment

Using one firm for all assessments cuts out the time and money otherwise spent hunting down, negotiating with and familiarizing a new auditor with your business model and needs every time you require an assessment or certification. Another advantage of a single assessor is that they can perform multiple assessments at the same time, reusing evidence and interviews across engagements rather than repeating them for each one.

A Solid Reputation

When it comes to auditing firms, their value proposition should be clear and readily apparent to you. If you partner with a new firm or select a firm that’s in a state of rapid growth, there is no guarantee your auditing process will run smoothly or worse—your audit report might be viewed with a degree of skepticism. Choosing a firm with a well-recognized name and demonstrated expertise means you’ll be partnering with a firm that will likely have helped establish the standards for auditing and assessment practices.

Room for Negotiations

Partnering with an auditing firm is a business transaction, and like most other business transactions, you’ll want to negotiate to get the best possible value for your organization. If the fees you pay your auditor are not fixed, then shop around and choose an auditing firm that offers competitive pricing, exceptional value, and transparency about the total price of the assessment; a fixed price is preferable.

Experience

The ideal partnership is with an auditing firm that has experience in your particular area of business. The entire auditing process will be more straightforward if the assessor is already familiar with your industry’s goals and pain points, and your organization will save the time, money and effort otherwise spent on onboarding.

Customer Service

During negotiations with your potential new auditing firm, ask to speak with senior partners and get to know the firm from top to bottom. You should also be introduced to the staff member(s) who will be handling your account on a regular basis. Make sure these individuals are people you will be comfortable working with long-term. Note whether firm representatives are responsive, friendly and helpful. Common sense: Do not choose an audit firm that does not make your time a priority or is not available when you need them.

Form an audit committee to help vet auditing firms. This committee should understand what audits may be required and generally, how the audits should be performed. They should also create an evaluation standard that can be used to compare firms. Don’t forget: While price is important, it’s not the only factor you should be concerned about. Qualifications, service offerings, experience, reputation and client support are equally important and will add value to the partnership.

Audits and certifications don’t have to be burdensome. By choosing an experienced and reputable firm that provides multiple assessments and understands your industry, your organization can depend on the same firm for certifications and assessments each year, with a high degree of quality and value.

About Ryan Buckner

Ryan Buckner is a Principal and Chief Knowledge Officer at Schellman. Ryan currently serves on Schellman’s attestation leadership team and leads the firm-wide research and development for attestation methodology. Ryan is a CIPP, CISSP, CISA, ISO 27001 Lead auditor, and maintains multiple CPA licenses, among other certifications. Ryan is also an AICPA-approved and nationally listed Peer Review Specialist for SOC examinations. Having directly performed and completed over 1,000 service audits, Ryan is one of the most experienced service auditors in the world.