Can you provide tips on what to look for in an auditing firm?
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
Choosing an auditor is a serious commitment on behalf of an organization. You're likely making a long-term decision and choosing a company that will contribute significantly to the success of your business over time. Here are a few tips to help you in that selection process:
- Name recognition matters. There's a reason that the Big Four audit firms (PwC, Deloitte, Ernst & Young and KPMG) have been so successful -- they're the recognized gold standard for auditing. If you select one of these firms, you won't have to explain your choice to anyone. If you choose to go with a less-recognized (and less-expensive) auditor, you run the risk that others will view your audit report with just a bit more skepticism than if it came from one of the Big Four.
- Pricing is negotiable. Like any business service, the fees you pay your auditor are not cast in stone. You should treat it like any other contract and negotiate a fee that is fair and reasonable to both you and the auditing firm.
- Experience counts. Try to find an audit firm that has specific experience in your industry. There's a reason that most businesses tend to use the same auditor year after year -- it's simply easier (and therefore less expensive) for a firm to audit a company that they already know in an industry that they're familiar with.
- Know who will be working on your account. When you're in the sales stage, expect to have conversations with senior partners in the auditing firm. You can generally expect, however, that these people will quickly disappear when there's work to be done. When interviewing auditors, ask to meet the staff who will actually be working with you and the rest of your staff.
Take the time to select an auditor that not only suits your budget and experience, but also that you'll be comfortable working with for many years to come. After all, it's always more pleasant when you're sitting across the table from people you enjoy.
Dig Deeper on IT security audits and audit frameworks
Related Q&A from Mike Chapple
It's not possible to eradicate the risk of DoS attacks, but there are steps infosec pros can take to reduce their impact. Mike Chapple shares ...continue reading
The HHS OCR ruled that healthcare ransomware attacks are HIPAA violations, so these covered entities need to react according to the HHS's guidance. ...continue reading
HIPAA regulations incorporate NIST guidelines and standards, so do healthcare organizations need to be compliant with both? Expert Mike Chapple ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.