Picking an auditing firm for a SOC 2 audit can make all the difference between a horrible experience and a pleasant one. Since you will be working with them every 6 to 12 months for as long as you keep your report current, here are a few tips to help you pick your auditing firm.
Get familiar with SOC 2 reports around you.
- As you begin the process of becoming compliant, start your due diligence by asking your own vendors for their SOC 2 reports (expect to sign an NDA first, since reports are normally shared only under one). Reading the report of a company of similar size and industry is the best way to get familiar with what a report looks like and which controls are in scope. You can also ask them about their experience with the firm they hired.
- When it comes to pricing, if it's too good to be true, it probably is. Cheaper firms tend to staff the engagement with junior auditors, and you will end up doing much of their work for them: re-explaining your environment, re-collecting evidence, and correcting misread controls. This frustrates your staff and will greatly delay your report.
- Find a firm that fits your company size and profile. Hiring a firm that brings in more resources than you can handle will slow the project down. A local firm that is already known to your prospects is a good place to start. Auditing firms are CPA firms first and foremost (only a licensed CPA firm can issue a SOC 2 report), so finding a CPA firm that is helping other local businesses around you can carry a lot of weight and establish trust.
Obtain SOC 2 audit referrals and recommendations.
- When a firm offers to do the remediation at an additional cost, that's usually a red flag. An auditor that designs or implements your controls and then attests to those same controls is no longer independent, and that is considered a conflict of interest.
- If you decide to hire a consultant to help you remediate and become compliant, they should be able to recommend a few auditing firms they have worked with, and picking one of their recommendations can speed up the process because the two sides already know each other's expectations. It's also easier to get a recommendation from a consultant's client than from a CPA firm's client.