When looking for an audit firm, here is a list of questions you should consider asking as part of your evaluation process.
For a company like mine, what trust services categories would you recommend?
What other items will I need to complete besides my Drata dashboard to be audit ready?
Will I need to write Section 3 (System Description) of my report or is that something that you do (goal is to understand the level of administrative work)?
What percentage of controls will you be able to confirm through Drata and how much evidence will I need to manually gather?
Should I pursue a Type 1 or Type 2 report?
From planning to report deliverable, what is the high-level audit process and how long does it typically take to complete?
How much communication should I expect during the audit process?
How will I know if you identify an exception? Will we have an opportunity to discuss results prior to the final report being issued?
Ask specific questions on how they would audit your tech stack. For instance, what are the most important controls for S3? What controls would I need for Kubernetes?
What is the minimum Type 2 audit period that you are willing perform an audit over?
How will performing annual controls prior to the start of the audit period impact the control testing for these controls? For example, if we perform an annual penetration test and complete security awareness training for our employees in December 2022 and our audit period is January 2023 to June 2023, we will have to perform another penetration test and ensure our employees complete security awareness training within the audit period?
Does the answer change if we did a Type 1 as of December 31, 2022 before doing a Type 2 with an audit period of January 2023 to December 31 2023?
How will the report be modified for these controls if we do not perform the controls within the audit period?
Is there anything we can do other than re-performing the controls within the audit period?