FINDING A PARTNER NOT A SUPPLIER
Deciding to pursue a SOC-2 Type 1, Type 2 or SOC-3 audit and report can be daunting. The commitment in time and resources is not insignificant. Given the importance to your company and the impact on your team’s resources and processes, finding the auditor with the best fit is crucial. You should view your risk advisory service provider as a true partner in the journey to attaining an attestation for a security framework like the AICPA SOC standard, the ISO 27001 standard or HITRUST. Focusing solely on price or solely on speed to get a checkbox will likely result in a poor-quality report that may be called into question by your customers and external stakeholders, potentially requiring you to redo your report with more satisfactory detail.
Your engagement with an IT auditor will last anywhere from 3 months to several years, as most accreditation standards must be renewed annually or every few years. Achieving SOC-2 compliance isn’t just “once-and-done”. SOC-2 attestation requires an organization to: assess risk, classify IT and data assets, implement controls, verify control enforcement, measure impact and outcomes on risk mitigation, and assess on an ongoing basis within a framework of persistent communication with your auditor. The level of effort is one dimension, but with audit costs ranging from tens of thousands to hundreds of thousands, ensuring your auditor is on the same page as you is critical to the success of your certification.
WHAT TO LOOK FOR
Naturally, you need to find a reputable and competent auditor and that starts with their qualifications. Look for a firm that is accredited or licensed to provide services for the particular standard for which you’re seeking certification. Ideally, your new audit firm is a CPA firm with experience as an external auditor while also being one or more of the following: PCI Qualified Security Assessor, ISO 27001 Lead Auditor, FedRAMP 3PAO, or HITRUST CSF Assessor.
Ask your prospective audit firm if they can handle multiple assessments over time, such as AICPA SOC 2 Type 1 and Type 2 reports with a roadmap for your firm to complete ISO 27001 (Information Security Management) or PCI DSS, for example. Using one firm saves time and money by leveraging existing evidence and evidence-gathering processes and by reviewing gap assessments.
Ensure your auditor can demonstrate their audit process and documentation review using scalable and easy-to-use tools. Tugboat Logic works with leading audit firms to prepare clients with an easy-to-use system of record, called the Tugboat Logic Virtual CISO Platform, to help manage the SOC-2 or ISO 27001 process. Tools such as the Security Certification Module help map gaps in certification readiness and automate audit-ready evidence gathering to ensure you stay on track to complete your audit.
Base your selection of an audit firm on their ability to demonstrate a quality engagement, excellent support and high integrity. There are a lot of rapid-growth all-in-one shops that can appear efficient but often don’t provide a comprehensive enough report to pass muster with discriminating risk management teams or external auditors. Choose a firm with a well-recognized name and several client references. Tugboat Logic has partnered with Skoda Minotti, OREAD Risk and others to help demystify and accelerate your SOC-2 certification.
4. Transparency and Commitment
When negotiating with your potential new auditing firm, request a conversation with a senior partner and thoroughly review their credentials. Try to get an understanding of their philosophy toward an audit and how they will adapt the scope of work to your particular organization, its size and the goals you’re trying to attain for your business. One tip: ask for a follow-up call and determine how responsive and helpful they are when answering your questions. Will they take the time to explain their process? Do they seem to be prioritizing your needs? Make sure these individuals are people you will be comfortable working with long-term.
Security audits don’t have to be a burden. When done correctly and with the right combination of technology from Tugboat Logic and an audit firm, you get a best-of-breed solution that is cost-effective and delivers a higher ROI than going with just an audit firm alone. Just make sure you’ve found the best partner with the right-sized solution and price point to meet your organization’s needs.