Johanson Group, LLP

View Original

7 Things To Look For In A SOC 2 Auditor

A SOC 2 audit can prove to customers that their data is secure.

However, mistakes, misunderstandings, and hiring an incompetent auditor can make the SOC 2 audit process more complicated than it needs to be.

What is a SOC 2 audit?

A SOC 2 audit is a service organization control (SOC) auditing methodology regulated by the American Institute of Certified Public Accountants (AICPA) that helps companies ensure the security and confidentiality of the customer data they handle.

This audit is carried out by an independent third party, who will evaluate your company's controls and procedures for protecting sensitive customer information. This audit is designed to show that you have a system in place to protect customer data, and it's one of the most common types of audits carried out by external parties.

An official SOC 2 report is valid for one year after its issue date, and future annual audits must be completed by an external auditor from a licensed CPA firm.

Why hire a SOC 2 auditor?

While compliance software can provide an excellent starting point for SOC 2 compliance, solely relying on it to prove your organization's compliance is not enough.

Compliance software tools can help companies prepare for a SOC 2 audit, but these programs cannot replace the work of an actual CPA firm. When conducting such audits, businesses must turn to professional auditors who specialize in this area.

7 Things to Consider When Choosing a SOC 2 Auditor

When trying to determine whether they need a compliance audit, many service organizations face obstacles. However, choosing the right SOC 2 auditor for your organization—although difficult—is an important step in addressing these hurdles.

1. The CPA firm must be affiliated with the AICPA

Before even looking at any of the criteria below, the first thing you need to do is check to see whether the auditor is affiliated with AICPA or a certified CPA firm. Choosing an independent SOC2 assessor is essential to receive a valid attestation.

2. Experience and Reputation

One of the most important things you can do to ensure that your SOC 2 audit goes smoothly is to choose an experienced audit firm with a reputation for excellence.

Determine whether the audit firm has performed similar SOC audits in your niche and for organizations of similar size. It will be significantly easier to work with an audit firm that has previously audited similar companies to yours.

You should also look into how many years the audit firm has been in business, its total number of employees, clients served, and overall financial stability.

A company with a strong reputation is more likely to be able to meet all of your needs, both before and throughout the course of your assessment.

See what others say about risk advisory specialists, Johanson Group

3. Qualifications to complete the audit in your specific industry

Because auditing is such a specialized skill, it's important to choose an auditor with experience in your industry—particularly if your company is similar in size and complexity to other companies within the same sector.

4. Look for well-rounded risk advisory specialists

Before hiring an auditor, ask if the firm can provide assessments and attestations for any other certifications your industry might need—such as HIPAA compliance or ISO 27001. Swapping auditors each time you pursue a different certification will waste your time and money.

READ MORE: SOC 2 vs. ISO 2700: Which to choose 

5. Communication: Do you and your auditing firm agree on how to conduct the audit, gather evidence, and share information?

You should always choose an auditing firm that understands how you communicate.

Mismanagement and miscommunication with your auditing firm will waste time, effort, and money.

6. Thorough understanding of your organization's specific tech stack

If the potential audit firm doesn't seem knowledgeable about the technologies you use and depend on, it may be a sign that they aren’t an ideal fit for the job.

Finding an audit firm that understands your company's unique business practices and can use its expertise to find any vulnerable spots in your controls is essential for a successful audit.

7. Budget Alignment

If you are on a tight budget, consider working with a CPA firm that is responsive to your needs. However, affordable services often include hidden costs—especially if the price seems too good to be true!

Instead of considering just the expense for the first year, plan for two or three years because SOC 2 compliance is an ongoing process. In cases like these, collaborating with the same audit firm will be much more efficient over time.

Best practices to follow while selecting a SOC 2 auditor

It's crucial to have the right kind of auditor on your team—one who will be thorough and give you an objective assessment. Here are some tips for how to go about finding one:

  • Interview several auditors before choosing one.

  • It is always a good idea to ask for references from customers your auditors have served and clients who are similar in size and industry.

  • Speak directly with the person who will be conducting your audit.


The bottom line is that clients need to perform due diligence on their SOC 2 auditors before signing a contract with them. An hour with a vendor selling their services isn't going to tell you much about the actual quality of the work. So choose your auditor based on the right criteria and get your money's worth.