Does Your Service Auditor Do These 3 Things When Collecting Evidence?


When it comes to compliance reporting, it’s important to have an audit partner that is just as invested in your organization’s success as you are. A generic list of evidence artifacts doesn’t properly address your organization’s unique concerns and security needs, leading to a compliance report that lacks the essential information your clients are looking for.

If your service auditor doesn’t do the following, it’s time to start thinking about whether they are providing the appropriate services to help you meet your compliance goals. 

  1. Did your auditor discuss the scope of your assessment with you? Do they know which requirements your organization has deemed non-applicable based on your unique needs? For example, if your organization is undergoing a SOC 2 assessment, did your service auditor discuss the Trust Services Criteria with you to get a better understanding of which of the criteria need to be examined under the scope of your business practices?
  2. Did your auditor take the time to develop a thorough understanding of your business practices, your industry, services offered, tech stack, etc.? Receiving a generic or templated report as quickly as possible doesn’t help support your long-term security goals, and such a report could be invalidated, possibly duplicating efforts, requiring additional time, and adding to the cost.
  3. Did your auditor request information about your organization’s specific controls and the implementation of your cybersecurity practices? Your organization’s control catalog is not determined by your auditor. You maintain control and ownership of your chosen control catalog, not your service auditor, regardless of report type.

If your compliance auditor sends you a generic list of evidence artifacts without taking the time to understand your unique business needs, it’s time to find a new service auditor. Auditwerx is not a one-size-fits-all service auditor. Our experienced team provides unparalleled reporting experiences, paired with tailored service for your organization.

If you are ready for a true security reporting and compliance partner, contact Auditwerx today. 
