Cybersecurity is more than a technology issue. It’s a business imperative.
If your company handles your customers’ data, you must prove that their information is secure if you are to meet their needs and win more business.An IT security audit assures customers that their data is safe by demonstrating how well you are protected against a data breach. An audit also gives you an advantage over competitors who lack that same proof.You can gain more customers and close bigger deals because you can attract larger organizations, who typically are interested in doing business with companies that are fully compliant with industry standards. Increasingly, stakeholders like investors and boards of directors are demanding proof of the preparedness and effectiveness of cybersecurity risk management programs.The right audit partner can help you improve your business as well as your security by addressing operational impacts of a breach as well as technical. You can build a relationship in which your audit firm helps you identify and work toward improvements between audits.Follow these steps to get the best audit firm for your company.
1) Identify potential partners.
Start with who you know. Ask your professional advisors if they have an audit firm that they would recommend.Contact representatives from any trade groups that you belong to as well. Get contact information for any possible partners with good reputations among people whose opinions you respect.Supplement your outreach to individuals with internet searches. Broad queries like “IT audit” will only give you the biggest firms, which may not be the best for you. Tailor your searches to keywords specific to your industry and audit needs.You also can search the Public Company Accounting Oversight Board’s website for a directory of PCAOB-registered firms that is sortable by criteria like city and state. PCAOB-registered firms are held to the strictest of auditing standards. The American Institute of Certified Public Accountants (AICPA) also has resources to aid you in your search for an audit firm. For example, you can download a guide for hiring a quality auditor.
2) Assess qualifications.
A proven vetting process is key to finding the right external audit firm, according to ISACA, an independent, nonprofit association focused on the development, adoption, and use of globally accepted, industry-leading knowledge and practices for information systems. ISACA recommends developing qualification questions and reviews relevant to your company.
Experience:Sometimes an audit firm will use one set of personnel to sell an engagement and another to service it, perhaps one with less experience and efficiency than you were promised.Ask questions like:
- How many audits has the firm conducted?
- Do the auditors that you would work with have relevant experience and references?
- What is the experience of your auditor(s) in particular?
- What is the collective experience of the team?
SearchSecurity.com notes in its article “Best practices for choosing an outside IT auditor” that an auditor in high demand will likely perform several audits a year and focus solely on auditing.
The right auditing partner can help you learn what you need to know if your business has new requirements but you don’t know what is required to pass the new audit. Certifications indicate that auditors are current with standards and regulations. Ask questions like:
- How do auditors stay current in their areas of expertise?
- What certifications does the auditing team hold?
Look for someone who asks relevant questions and listens more than he or she talks, because these are signs of a “true professional.” the SearchSecurity.com article suggests.
3) Do your due diligence.
Don’t just accept what you’re told. Confirm everything independently before moving forward with an audit firm.The Council of Nonprofits recommends that charitable organizations take the following steps when selecting an audit firm. The suggestions apply to businesses as well.
- Check references. You will likely get more candid assessments by calling instead of emailing.
- Request a copy of the firm’s latest Peer Review, which is a third-party audit of the firm itself.
- Check for any conflicts of interest, including among your company’s stakeholders.
Reviewing examples of a firm’s work on projects similar to yours also can be helpful.
4) Choose the audit firm for you.
Set criteria for evaluating all of your final choices. Then apply those criteria equally to each firm.The Council of Nonprofits suggests criteria like:
- Responsiveness to the request for proposal
- Relevant experience
- Availability of staff with professional qualifications and technical abilities
- Results of external quality control reviews
- References from other nonprofit clients
Also, consider a firm’s potential to assist you in improving operations as well as security. The right audit partner will make you more competitive by helping you with both.
5) Clarify terms and expectations.Establish the parameters of your relationship before finalizing a deal and moving forward.You want an audit partner who is:
- a collaborator
- a good communicator
- able to speak your industry’s language
- able to resolve issues as they present themselves
You will work closely with your auditor for several weeks, sometimes dealing with sensitive issues and tight deadlines. So tell your auditors that you will expect them to be timely and responsive when issues arise. Confirm billing arrangements as well. Many firms quote a low fee with a lot of assumptions and then hit the client with change orders when the work inevitably takes longer. Avoid surprise bills by looking for a firm that will work on a fixed fee instead. When a firm commits to a fixed fee, it is willing to write off any excess time it takes to get the work done properly. When you choose the right audit firm, you gain a strategic partner that is there to advise you on the best ways to comply and compete. The firm will ensure your data is secured and communicate that value to your clients.Have questions about your audit needs? Contact us for a free consultation.