Least traumatizing auditor recs

Posted by HJForsythe@reddit | sysadmin | View on Reddit | 8 comments

We are now about to be on our third auditor in 5 years. We have very basic requirements SOC 2 type II & PCI DSS 9&12 *only*. Its basically just colocation passthrough or shared responsibility. Our current auditor that we used for the last two years completely changed everything about their process without mentioning anything. Then told us that we violated their ethics clause because we asked why they needed to be on site, in our conference room for 40 hours. (Last year the same company was on site for about 45 minutes) exact same audits. Our concern was just that either the audit we did last year was totally invalid or the one we were working on now is invalid... Anyway, what is the least worst experience you have had with auditors?

Reply to Post

8 Comments

[-]

waelder_at@reddit

Auditorium just colkect the money, amd try to keep the face. Give them domethi g to find fske the rest. Thats the usual audit Procedere i hsve seen, im so Glas thst i was never redponsible fir such a bullshit. I had one "good" audit and that was a suplly chain audit from a customer.

[-]

LividLager@reddit

Were you able to get medical attention in time? Best wishes!

[-]

waelder_at@reddit

Lol

[-]

nukacola2022@reddit

All auditors can be good or bad because you get randomly assigned a team and that team could be their A, B, C, or D team. You could also get a team that only has experience with "legacy" organizations and Windows stacks and they can't make heads or tails of a cloud-first, agile-dev type of shop. Your best bet is to cast a wide net in potential auditors and then treat them like you would any vendor aka, run through a list of your requirements, pose some hard questions to weed out the ones that aren't experienced in your vertical/space, and hopefully you end up with a partner you like. FWIW, Moss Adams has a decent reputation and is the same company handling GitHub's audits. They also aren't the most expensive on the block compared to the big 4.

[-]

HJForsythe@reddit (OP)

It just sucks to have 2 completed audits and then you assume the process will be roughly the same (The same company) asides from updates to the actual criteria and then bam they scam you. Its almost like you should use a different auditor every year so that tney dont just assume you are going to pay them and then they can just act however they want. Our previous audits were 80% "not tested" how hard is it to complete 20% of an audit for almost $50,000?

[-]

MedicatedDeveloper@reddit

> Then told us that we violated their ethics clause because we asked why they needed to be on site, in our conference room for 40 hours. Uhhh what?

[-]

HJForsythe@reddit (OP)

Yeah. Uhm. I was confused too.

[-]

MedicatedDeveloper@reddit

FWIW We've used A-LIGN for our past couple audits and it's been pretty smooth. Much smoother than a couple we've had with a big 4 firm.