What You Get With Low-Cost Audit Firms: 5 Things to Consider

March 3, 2016

Whether it is shoes, real estate or professional services, capitalism means for competition among suppliers in ways that are both healthy and necessary.  For consumers, competition also provides a reasonably reliable measurement of equilibrium between what is offered and what is required for goods or services: the price

A central component of the decision to purchase or not purchase a good or service is the cost, which is too often mistaken for the price of a good or service.  In the case of buying commodities, the consumer is likely to have an easier time determining the total cost of purchasing a good (or not purchasing it) relative to the price of that good. 

Services, though—mainly professional services—are not commodities, and the total costs can often be less obvious, making the decision to purchase (or more precisely who to buy from) riskier.

Is one vendor that much more efficient than the other? Maybe. Is one vendor less experienced than the other? Probably. Is one vendor more costly than the other? Sure. Prospective buyers of audit and compliance services; however, should strongly consider the actual costs of “low-cost” providers.

Here are five ways that actual costs of an audit can manifest itself beyond the report deliverable:

1. The internal resource time required

One of the most costly aspects of selecting low-cost (or lowest cost) vendors is their inability to execute their audit procedures without a lot of client resource time efficiently. Despite their claims, it is typical for low-cost audit and compliance vendors to be inefficient. Often, they may propose and price their engagements with a perfect case scenario in mind with the hopes of just auditing the existing controls, and requiring the client organization to have an expert knowledge of the compliance objectives, reporting requirements, authorship of the report, and knowledge of exactly what audit evidence will be necessary.  Another cost-driver related to this is that inexperienced auditors don’t know how to ask the right questions because they are constrained by inefficiently built audit programs that are exhaustive and seek to request everything that might be needed, rather than efficiently asking the right questions of the right people.

2. Hourly billing arrangements

A growing positive trend for audit and compliance vendors is the move toward fixed-fee arrangements. For many low-cost vendors; however, who continue to use very low pricing models to get in the door, the hourly billing model burdens client organizations with additional costs for follow-up discussions, related document review, and customary post-audit correspondence specific to the audit that can be expected in many cases. This is reminiscent of airlines that have very low ticket fares but charge a premium for drinks, checked baggage, peanuts and other “extras.”

3. Remediation

Some client organizations may experience increased costs to remediate audit findings or implement processes based on inaccurate or imprecise audit results. A primary driver for this is the low-cost vendor’s templated or one-size-fits-all approach to auditing environments. These vendors use these templates to make the audits more efficient for them, versus taking the time to understand the client’s unique control environment and adapt their audit methodology for the particular client environment when determining compliance.  Understanding the client environment and evolving compliance landscape requires both time and expertise, and many micro-firms are reluctant to invest in those areas if they can simply commoditize the engagement for the lowest prices possible.

4. Lack of synergy

Of the items mentioned, this one perhaps has as much to do with the prospective client organization as it does the particular vendor selected. The growing reality for many service organizations is the ever-increasing compliance demands required from regulators, potential customers, vendor assessments, industry councils and business partners.  It is becoming more common for organizations to need to comply with requirements for AICPA SOC reports, ISO certifications, PCI compliance reports, HIPAA business associate agreements, or more.  The decision to engage the lowest cost security assessor or CPA firm may translate into higher total compliance costs, compared with a vendor that is duly licensed and authorized to perform multiple compliance audits and may be able to leverage a single audit effort toward multiple compliance objectives: one audit, many reports.  This requires effective planning, experience and a tremendous degree of expertise, but can be a major area for cost savings for organizational compliance.  Don’t just believe the assessor’s claims for this ability, however, ask for specific references to instances where they have performed this multi-compliance audit efficiently.

5. Switching costs

Unfortunately, some client organizations realizes the mistake they may have made by selecting a lowest-cost vendor, well into the audit engagement. For these organizations, the unfortunate but inevitable course of action becomes evident, and an experienced and appropriately priced vendor will be necessary to rescue the current project, or perform future projects.  This, of course, equates to the anticipated cost savings of the previous low-cost vendor choice becoming a near total loss, as the audit deliverables in many cases are incomplete, insufficient, or the process was overly costly from an internal perspective (See No. 1 above).  Again, client references from entities of similar size and complexity to the prospective client are necessary and invaluable tools when evaluating vendors.

If you’re considering audit and compliance services, consider not only the price for such services but also the total costs associated with a vendor selection.  For a given dollar consider:

  • What will the auditor provide your organization toward achieving your overall compliance objectives?
  • Will the vendor be locally available to your organization throughout the year?
  • Will the vendor maintain an active and expert knowledge of your compliance objectives?
  • Will the vendor be adaptable to your evolving compliance needs and adapt their methodology accordingly?
  • Will the vendor be able to leverage one audit towards completion of another, will the vendor offer training, webinars, or similar services?

See how Schellman can make a difference for your compliance and audit needs. Contact us for a consultation.

 

Audit Readiness

Previous Article
What Private Industry Needs to Know About Federal Security Programs
What Private Industry Needs to Know About Federal Security Programs

Originally published on www.meritalk.com The Federal government is the leading creator, collector, consumer...

Next Article
4 Cloud Security Myths, Busted!
4 Cloud Security Myths, Busted!

“Is the cloud secure?” In this day and age, the topic of security places itself at the apex of all informat...