Audit Report Red Flags
We’ve written before about the importance of balancing audit cost and report quality to ensure the report you get is actually useful to you. In this year’s Compliance Benchmark Report, we asked nearly 700 professionals about their compliance programs and found that companies care about quality, too:
- 69% of survey respondents said the quality of compliance reports is extremely important.
- 22% said report quality was their top reason for choosing an auditor.
But even if you know that quality is important, how can you tell the difference between a thorough audit report and a deficient one? Some auditors may rely on their clients’ lack of compliance knowledge to help them skate by with superficial reports, but you don’t have to be an expert to spot some common red flags.
Here’s what to look out for.
High-level audit report red flags
Here are a few basic factors that should make you think twice while reviewing your audit report:
- Perfect report (no exceptions): Many organizations think a “clean” report with no exceptions is ideal, but that can be a sign that your auditor isn’t being thorough. In a SOC 2 report, for example, it’s possible to receive an unqualified opinion that still contains some exceptions. Exceptions help you understand where you can make changes to improve security. So, if you receive an unqualified opinion with no exceptions, take an extra minute or two to check for some other red flags before you accept the result.
- Vagueness: Are there any specific references to your organization’s security environment? If the report looks like it could have been written about any company, your auditor might be cutting corners to get reports out faster. A vague, cookie-cutter report is a waste of money — you can’t act on it, and customers or partners who read your report may find it inadequate.
- Short report: A report that covers appropriate and sufficient management controls, together with the corresponding auditor tests of each control, will be long – sometimes 100 pages or more. The length depends on the report’s scope and the complexity of the controls tested, but a short report deserves a second glance to confirm it is comprehensive.
- Uncooperative auditor: Aside from the report itself, it’s a red flag if your auditor is unwilling to answer questions asked by other auditors or stakeholders about the report. The auditor may be hiding shoddy work or a lack of expertise.
Technical red flags
Once you’ve done a quick first read of the report and your auditor’s opinion, review it a second time and keep an eye out for these issues:
- Unclear system scope: The name and scope of the system being audited should be clearly defined — for SOC 2, this should be in sections 1 and 2 of the report. The system description (section 3) should be thorough, addressing all five components of your organization’s internal controls per the COSO framework: control environment, risk assessment, control activities, information and communication, and monitoring activities.
- Undefined subservice organization controls: Most companies use subservice organizations, which the AICPA defines as vendors that “perform some of the services provided to user entities that are likely to be relevant to those user entities’ internal control over financial reporting.” Common examples are third-party IT providers, some SaaS vendors, cloud service providers, or data centers. Any relevant subservice organization controls should be clearly described in the report. The auditor should also cross-reference the subservice organization’s own audit report to verify responsibility for the control lies with that organization and not a fourth-party provider.
- Undefined user entity controls: Similarly, as a service organization, your company likely requires users to take responsibility for some controls to properly and securely use your product or services. These “complementary user entity controls” should be explicitly described in the report in a way that readers of the report will understand.
- Lack of follow-up testing: If exceptions are found, the auditor should inform management personnel at the service organization (in other words, your company’s leadership or compliance/advisory team), record their response, and perform subsequent testing. If none of this is documented in the report where exceptions are found, it does not meet quality standards.
What to do if you find red flags in your audit report
If you’ve noticed several of these red flags in your most recent audit report, you may wonder what to do next. The first step is to reach out to the auditor about your concerns. If they followed compliance best practices correctly, they should be able to answer your questions thoroughly. As we discussed earlier in this post, it’s a bad sign if the auditor refuses to engage with you about the report. A compliance partner acting in good faith should be happy to help you understand the audit report.
In the event that your auditor does not provide sufficient answers, it may be time to look for a new one.
The best way to obtain a high-quality audit report
A-LIGN’s 2024 Compliance Benchmark Report found that a trusted auditor with positive market perception is the top factor companies look for to ensure a high-quality audit report. A reputable auditor should:
- Have a large team of expert auditors
- Have many years of experience in compliance audits
- Be licensed to perform the specific audit you need
- Regularly undergo and pass peer reviews as well as quality reviews by governing bodies (such as HITRUST, the PCI Council, or the ANSI National Accreditation Board)
See how your compliance strategy stacks up
Wondering what other companies look for in an auditor? How many audits are other companies doing each year? How much do they spend on audits? What challenges are compliance teams facing right now? The fourth edition of A-LIGN’s Compliance Benchmark Report uncovered key themes in the world of compliance, including report quality, audit efficiency, a culture of security, and the importance of partnership.
Download the report now to see where your compliance program stands.