When it comes to compliance reporting, it’s important to have an audit partner that is just as invested in your organization’s success as you are. A generic list of evidence artifacts doesn’t properly address your organization’s unique concerns and security needs, leading to a compliance report that lacks the essential information your clients are looking for.
If your service auditor hasn’t done the following, it’s time to start thinking about whether they are providing the appropriate services to help you meet your compliance goals.
- Did your auditor discuss the scope of your assessment with you? Do they know which requirements your organization has deemed non-applicable based on your unique needs? For example, if your organization is undergoing a SOC 2 assessment, did your service auditor discuss the Trust Services Criteria with you to get a better understanding of which of the criteria need to be examined under the scope of your business practices?
- Did your auditor take the time to develop a thorough understanding of your business practices, your industry, the services you offer, your tech stack, etc.? Receiving a generic or templated report as quickly as possible doesn’t support your long-term security goals and could be invalidated, possibly duplicating effort, requiring additional time and adding to the cost.
- Did your auditor request information about your organization’s specific controls and how your cybersecurity practices are implemented? Your organization’s control catalog is not determined by your auditor: you maintain control and ownership of your chosen control catalog, not your service auditor, regardless of report type.
If you are ready for a true security reporting and compliance partner, contact Auditwerx today.