20 Pre-Contract Questions To Ask Your Next SOC 2 Audit Firm

What information do you need to know before your SOC 2 audit?

When it comes time for a SOC 2 report, there are several things you must know before selecting a firm. Failing to establish mutual expectations pre-contract can lead to miscommunications, process errors and, ultimately, inefficiencies within the audit.

That’s why it’s important to determine upfront if the firm’s approach will be a good fit with your organization. Below are 20 questions and sub questions to ask any prospective audit firm before you sign:

  1. Experience: What's your firm's experience with SOC reports? How many have you performed in the last year and can you provide references from our industry?
  2. Industry Expertise: Do you understand our industry's nuances?
  3. Scope: Can you help define the scope of the report? What areas should/shouldn't be covered and what controls will be tested?
  4. Team: Who will be leading the engagement? What are their qualifications, certifications and experience? Will he/she be the dedicated point of contact throughout the engagement?
  5. Resources: Will you be leveraging any subcontractors to conduct the engagement? If so, where are they located and do they maintain the same level of security controls?
  6. Timeline: What's the estimated timeline for the report? How flexible can you be to accommodate our needs?
  7. Remote/On-site: Can you perform the entire engagement remotely? How's that compare in terms of effectiveness and cost to coming on-site?
  8. Communication: What are your preferred communication protocols? How will findings be communicated?
  9. Issue Resolution: If an issue arises during the engagement, how will you help to resolve them?
  10. Cost: What factors determine the cost of the engagement? Are there any potential additional fees we should be aware of? What will the report cost in subsequent years?
  11. Conflicts of interest: Do you or anyone at your firm have any conflicts of interest that would impair your independence?
  12. Continuous Monitoring: Do you offer any ongoing monitoring services or partner with any tools/solutions to help us maintain compliance and operate controls effectively over time?
  13. Technology: How does your firm stay current with the emerging technologies that we have or might adopt to ensure you can competently test our controls?
  14. Data Protection: How does your firm ensure the Security, Availability, Confidentiality, Privacy, and Processing Integrity of our data? Can you provide a SOC 2 Type 2 report of the systems that process our data?
  15. Approach: Can you walk us through your methodology and approach?
  16. Questionnaires: Will this report ultimately diminish the number of security questionnaires that we receive?
  17. Results: How frequently do you issue reports with qualified or adverse opinions when you also performed a readiness assessment?
  18. Future: How long is the report good for? Will you help us write a bridge letter? What is the process for renewal?
  19. Contract: Are you able to incorporate any of the above into our contract?
  20. The Closer: What questions haven't we asked that we should have?

A great SOC 2 audit firm should be partnership – an evolving collaboration to enhance the security and trustworthiness of your services. These upfront questions will help you forge a successful partnership and ensure a thorough and effective audit process.

Most of these questions are applicable to other Cybersecurity Risk and Compliances services, too, such as ISO 27001/2, PCI-DSS, NIST 800 Series, CMMC, HIPAA, HITRUST, Privacy frameworks, and everything in between.

How Can Schneider Downs Help?

If you have any questions about SOC compliance, assessments and readiness, please contact us at [email protected] or visit our dedicated SOC page. 

About Schneider Downs IT Risk Advisory

Schneider Downs’ team of experienced risk advisory professionals focus on collaborating with your organization to identify and effectively mitigate risks. Our goal is to understand not only the risks related to potential loss to the organization, but to drive solutions that add value to your organization and advise on opportunities to ensure minimal disruption to your business.  

To learn more, visit our dedicated IT Risk Advisory and Third-Party Risk Management pages. 

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2023 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

our thoughts on
President Biden Signs Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence
Americans with Disabilities Act – What to Know about Web Content Accessibility Guidelines 2.1
Prevention and Detection – Key Methods to Protect Against Identity Fraud
Top 5 Identity Fraud Schemes of 2023
Identity Theft vs. Identity Fraud – What’s the Difference?
20 Pre-Contract Questions To Ask Your Next SOC 2 Audit Firm
Register to receive our weekly newsletter with our most recent columns and insights.
Have a question? Ask us!

We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.

Ask us
contact us

This site uses cookies to ensure that we give you the best user experience. Cookies assist in navigation, analyzing traffic and in our marketing efforts as described in our Privacy Policy.