We Treat Your Audit Like It's Ours to Pass
Hire the relationship, not the deliverable. Compliance is a multi-year relationship dressed up as a project, and most people don't figure that out until week 47 when the auditor asks a question nobody anticipated, and the vendor who built their program is suddenly "unavailable."
The sales pitches sound identical. Both kinds of vendors will tell you they "partner" with you. Both will use the word "trust." Both will show you logos of companies you have heard of. Both will be perfectly polite and eventually send you a SOC2 report.
The difference is what happens in week 47 of the engagement, when the auditor asks a question nobody anticipated.
A transactional vendor sees that question as your problem. They built the program. They delivered the report. Their work is done. They might respond to your panicked email within 48 hours with a hedged answer and a hint that follow-up work is billable. They are not unprofessional about it. They are just clear on what they sold you, and what they sold you was a deliverable.
A vendor with skin in the game sees that question as their problem. They built the program with the audit in mind. They know exactly which control the auditor is poking at, why it was scoped that way, and where the evidence lives. They get on the phone with the auditor and walk them through it themselves if necessary. They do this because if the program doesn't pass, their reputation does not pass either, and they have spent decades building that reputation one client at a time.
The first kind treats your audit as a service they performed. The second kind treats your audit as if it were theirs to pass. There is a difference. The difference is everything.
A transactional vendor will quote you a fixed scope and a fixed price. The fixed scope is what they will deliver. Anything outside the scope is a change order. The price is competitive because the scope is narrow. The narrowness is the business model. If you ask "what happens if the auditor finds a gap," the answer is some version of "we can help you address that under a separate engagement." That sentence is the tell. It means the auditor's findings are not their problem.
A vendor with skin in the game will quote you a price, too, but the conversation about scope will be different. They will ask you who your customers are, what they expect, which framework you actually need (versus the one you assumed you needed), how mature your operation is, and what will be the hardest part of getting you ready. They will tell you what they think the engagement will take, and they won't promise that they have priced it perfectly. They will tell you that if it takes longer than expected, that is a problem to solve together, not a margin to extract. They will not be the cheapest quote you get. They will also be the only ones whose number will not change after they show up.
This is not unique to one type of firm. There are excellent transactional vendors. There are skin-in-the-game vendors who are terrible at their jobs. The category is not destiny. What matters is what the vendor is incentivized to do when something goes wrong, and the only way to figure that out is to ask the questions that get to the heart of it.
Ask these questions before you sign.
"If the auditor finds a gap in something you built, what do you do?" Listen for whether the answer involves the vendor showing up at the audit, or whether it involves a remediation quote. There is a right answer to this question. It is not subtle.
"Will my documentation make sense to the next person who reads it, after you are gone?" A vendor with skin in the game builds documentation that someone else can run. A transactional vendor builds documentation that satisfies the auditor on the day it gets reviewed. These produce different artifacts. Ask to see a sample. If the sample looks like a template with your name on it, you know what you bought.
"What is your relationship with the auditor going to be like?" The right answer is that the vendor has built programs that have been audited by hundreds of firms over many years, and treats the auditor as a collaborator in getting the program right, not an adversary. The wrong answer is some variation of "we just deliver our work and let the auditor do theirs."
The first year is the project. The next four years are the relationship. You can hire a vendor for the project and rebid every year; some companies do so successfully. But if you are running a real program, the cost of switching vendors every year is higher than the savings, and the quality of your program drifts the same way any document drifts when it gets handed between people who don't know each other.
There are two kinds of compliance vendors. The ones who hand you a report and disappear, and the ones who treat your audit like it's theirs to pass. Pick the second kind. Pay the difference. The math works out in week 47.