Do You Trust Your Service Provider's Auditor?

I recently came across a really impressive RFP example that included SOC 2 audit requirement language. You can view and download it here.

Besides calling for a SOC 2 report in connection with security, the great thing about the originator of this RFP (whoever they are) is that they included this language:

The Contractor’s SOC 2 Audit Plan shall identify the independent entity that will perform the Contractor’s SOC 2 Audit, or a description of the means by which the Contractor will select its SOC 2 independent auditor. The OUR COMPANY Contract Manager will have 10 days to review and comment on the SOC 2 Audit Plan, and shall identify any concerns with the scope of the audit, the independence or capability of the SOC 2 auditor, or the described plan to obtain an independent SOC 2 auditor.

In other words, the contract manager is empowered to veto the auditor that the service organization selects. This is great news for ethical auditors and very bad news for unethical ones.

This started me thinking. On what grounds would a contract manager veto a selected auditor? How about using the same basis that ethical auditors use to screen the clients they accept? One of my CPA firm partners introduced me to the concept of prospective client background investigations. Please see the following (sanitized) verbiage from an actual form they require all prospective clients to fill out:

Due Diligence Background Investigation Disclosure Form

We may, with your consent, obtain a background investigation report related to a prospective or current business relationship you may have with us. This may include procurement of a consumer report or an investigative consumer report (defined as a report that includes information as to your character, general reputation, personal characteristics, or mode of living).

By signing below, you grant permission to us or any of our affiliated or subsequent companies to obtain such report or reports at any time. You also grant permission to all parties to release information regarding your previous or current military service, employment, education, or criminal matters, including information which may be deemed negative.

Detailed background reports are available for $29.95 on People Smart. I would encourage anyone accepting third-party risk assurance from their service providers to do a quick Google search to find out who the executives of the audit firm are, and make an objective decision about whether or not to accept their risk assurance.

  1. Thank you very much for this useful information. Please keep on blogging. I am looking forward to reading your next great article.

  2. Investment became really profitable today. As for the financial crisis in the world, I would say that it has created unique opportunities, but most investors don’t notice them. If I were an investor, I would put my money into virtual data rooms, because they would predictably fill the market of Ideals data rooms in the near future.

  3. It seems to me that if you are afraid of such problems, then I can advise everyone to use more professional services and software. You can go to and check for yourself what application I use for audits in my company. Good luck!