Finding the right System and Organization Controls (SOC 2) auditor for your organization
By Patrick Murray, chief product officer, Tugboat Logic
Given the heightened scrutiny and due diligence organizations now place on their vendors, growing organizations need SOC 2 as part of their security program, and that involves selecting an auditor that best fits your needs. This article is a short guide to the key considerations CTOs should weigh when selecting a SOC 2 auditor: reputation, opportunity cost, experience and expertise, and actual cost.
So, you’re thinking about a SOC 2 report…
If you’ve reached the point where you’re seeking an auditor, you’ve probably already decided that a SOC 2 report is necessary. If you’re still on the fence, here are a few reasons why it matters. First, it’s a competitive advantage. Organizations have lost deals because they couldn’t produce the security attestations a buyer required. Prospective customers want evidence that you can keep their data secure, and your competitors likely already have a SOC 2 report and are clearing the security due diligence phase of the sales cycle. In practice, you’re going to need SOC 2 to do business with security-conscious customers, so you’re better off starting the preparations now.
Once you’ve decided to pursue SOC 2, finding an auditor is crucial. Keep in mind that SOC 2 is an attestation, not a certification: a licensed CPA firm examines your controls against the AICPA Trust Services Criteria and issues a report (Type 1 covers control design at a point in time; Type 2 covers operating effectiveness over a review period, commonly six to twelve months), and that report is what customers will ask to see. Agree with your auditor up front on the report type and the criteria in scope, since they drive the evidence you must collect and the length of the engagement.
Key considerations when choosing an auditor
Selecting an auditor can be a daunting process. What questions should you ask? What should you be evaluating? Here are some of the primary areas to consider.
Reputation is important. You want an auditor who is known to be reputable. Most people think first of the “Big Four” (Deloitte, Ernst & Young, PricewaterhouseCoopers and KPMG), but they aren’t the only players in town; many smaller firms are worth considering. That said, pick an auditor with a national presence and customers around the country, and ask about this directly. Confirm that the firm is a licensed CPA firm and participates in the AICPA peer review program, because only a CPA firm can issue a SOC 2 report, and a report from an unlicensed firm will not survive a customer’s due diligence. To fully vet reputation, do both formal customer reference checks and back-channel reference checks.
Opportunity cost is key. People often think first about the cost of the audit, but opportunity cost is the more important consideration. A SOC 2 engagement is likely to cost a minimum of $20,000-$40,000. If your sales team is trying to land $500,000 deals, the value of the deals that a SOC 2 report unlocks far outweighs the cost of obtaining it.
Experience and expertise matter. Some firms gin up specious attestation reports for their customers, so you need to dig deeper than their marketing claims. Determine what other certifications and assessments the auditor is qualified to perform; if you later need another attestation or certification, you won’t have to switch auditors and repeat the evaluation process. Also examine what types of customers the auditor has previously taken through SOC 2, in terms of industry and company type. Your auditor doesn’t have to be an expert in your industry, but it certainly helps to work with one who knows your industry and its nuances.
And last but not least, there’s cost. The biggest auditors can be expensive for smaller, price-sensitive companies. They are unlikely to be a poor choice on quality, since they are experts, and the maxim “you get what you pay for” certainly applies to certified public accountant (CPA) firms. That’s not to say you can’t find affordable, high-quality audit firms. But don’t let a low quote be a major factor in your decision, because you’re likely to pay for it later in wasted time and money.
Some organizations have had buyer’s remorse after choosing an auditor whose quote was too good to be true, and ended up paying a second auditor to help them complete the audit. Yes, a SOC 2 can be expensive. Yes, it takes time to evaluate different auditors. Yes, a security audit is a lot of work. All the more reason to make sure you’re getting what you pay for by vetting carefully before committing to an auditor.
Security must be front and center
It can be tempting to push security to the back burner during a period of growth. But security is more important than ever, and your customers and prospects know it; they are looking for assurance that you can protect their data and networks from harm.
A SOC 2 report paves the way for easier conversations with sales prospects and partners. It also requires your engineers and executives to become more security-aware, creating a stronger security culture. Use the considerations above to fully vet your SOC 2 auditor candidates and find the one that will best serve your organization’s goals.
About the Author
Patrick Murray is Chief Product Officer and early founding member of Tugboat Logic, the Security Assurance Platform that helps demystify and automate the process of managing your InfoSec program. He has over 20 years of experience in product management at both early-stage security startups and public companies such as Zenprise, DataVisor, and Websense. He specializes in building new companies from the ground up to thriving businesses and has built products across a variety of security areas including Web security, cloud security, mobile security, email security, data loss prevention, and online fraud prevention. He can be reached online at https://www.linkedin.com/in/patrickgmurray/ and at our company website https://www.tugboatlogic.com