Why Choosing the Right Auditor Matters: 5 Signs of a High-Quality Auditing Firm

August 21, 2024 | Cloud Security

At BARR Advisory, we don’t just want to get our clients over the finish line to a SOC 2 report or ISO 27001 certification. We want to empower organizations to use compliance to build trust with their customers and their communities.

To do this, BARR’s attest services team takes a refreshing approach to auditing, rooted in BARR’s core values of trust, transparency, and simplicity. By committing to adding value and maintaining the highest standards of quality, we help cloud-based and hybrid organizations improve their security postures and organizational resilience, while demonstrating their commitments to information security best practices. We do all of this in a friendly, approachable style. Clients have often said their audits with BARR were fun!

Not all auditing firms are fueled by this philosophy, however. So how can you tell which auditors are cutting corners, sacrificing depth in favor of volume, or ignoring the client experience to maximize profit margins? Here are five things to look for:

1. World-Class NPS

One of the best ways to gauge the quality of an auditing firm is to solicit feedback from its clients. Did you know that fewer than half of CPA firms use Net Promoter Score (NPS)? At BARR, we consider client feedback essential to maintaining and improving our world-class client service.

After each engagement, we ask the organization to rate, on a scale from 1 to 10, how likely they are to recommend our services to others. NPS is calculated by subtracting the percentage of "detractors" (scores of 1-6) from the percentage of "promoters" (scores of 9-10); "passives" (scores of 7-8) count toward neither group. The result can range from -100 to 100, and anything over 80 is considered world-class.

Over the last 12 months, BARR has maintained an average NPS of 92. In fact, we’ve maintained a world-class NPS since our founding in 2014.

BARR’s world-class NPS places us in the top quartile in the professional services and technology industries:

  • For the professional services industry, the median NPS ranges from 44–50.
  • For the tech and software industries, the median NPS ranges from 36–40.

“The difference between BARR’s consultation and that of our last firm is light years apart in terms of quality, efficiency, and collaboration.” –3Cloud

2. Accreditation

Accreditations serve as a concrete way to ensure an auditing firm is qualified to perform a specific compliance engagement. For instance, to achieve and maintain accreditation with a formal accreditation body like the ANSI National Accreditation Board (ANAB), which accredits BARR Certifications to perform ISO audits, firms must undergo a rigorous process that includes being audited themselves. 

The same is true for other popular cybersecurity compliance frameworks. The PCI Security Standards Council (PCI SSC) qualifies assessor companies, known as Qualified Security Assessors (QSAs), to perform assessments against the Payment Card Industry Data Security Standard (PCI DSS). Similarly, a HITRUST certification is only issued when the underlying assessment has been performed by a HITRUST Authorized External Assessor.

While cloud service providers can work with non-accredited auditors on standards like PCI DSS and ISO 27001, the absence of accreditation usually means a lack of credibility. With no external body verifying that the auditor performs to the established standard, the resulting report or certificate holds less weight with customers, regulators, and other stakeholders.

Choosing an accredited auditor means potential customers can rest assured your compliance certifications are valid, thorough, and accurate.

“I can’t imagine a better partner in this than BARR. Your approach helps us not just earn the SOC 2, but strive for ever-improved services in a market that deserves higher trust and confidence.” –Zingly

3. Simplifies the Complex

A popular quote often attributed to Albert Einstein reads: “If you can’t explain it simply, you don’t understand it well enough.” The idea is that true mastery of a subject shows in the ability to communicate it to a broad audience, regardless of their technical or professional background.

To ensure clear communication, cybersecurity auditors should be able to explain in layman’s terms how a security team can design controls to satisfy compliance requirements and why those controls are important for maintaining strong data security. During your kickoff meeting, your auditor should also be able to map out your compliance engagement in simple, straightforward terms so you have a clear understanding of what to expect throughout the process.

At BARR, we work with organizations at all growth stages, including small businesses pursuing compliance attestation for the first time and large-scale enterprises maturing their security and compliance programs. By prioritizing clear, straightforward, and frequent communication, we take the unnecessary complexity out of cybersecurity to make achieving compliance more accessible and actionable for organizations of all sizes.

“BARR turned a stressful, intimidating project into a straightforward, understandable one.”
–Revelstoke Security

4. Approachability

In addition to possessing technical expertise, a high-quality IT auditor should be approachable and committed to clear, human-first communication. Effective auditing is a collaborative process, and an auditor who is easy to engage with fosters a more productive and trusting relationship.

An approachable auditor ensures that your team feels comfortable seeking clarification, raising concerns, and discussing sensitive issues that may arise during the audit. This is why, at BARR, we actively encourage open dialogue, making ourselves available for discussions and ensuring that communication is always a two-way street. This not only builds trust, but also helps us identify potential issues early, leading to more successful audit outcomes for your team.

By placing an emphasis on understanding the people behind the systems, we can better align our recommendations to the unique needs and concerns of your organization, making the entire audit process smoother and more effective in helping your team achieve long-term cyber resilience.

“BARR’s services were highly tailored to our organization. The team took the time to understand our unique operational procedures and tailored their audit process.”
–Kili Technology

5. A Trusted Advisor

A high-quality auditor should be more than just another service provider—they should be your trusted advisor and partner in your success. The best cybersecurity auditing firms don’t just check boxes; they invest in understanding your organization, its mission, and its unique challenges. They share your values and are committed to helping you achieve your goals.

When your auditor genuinely cares about your organization, they can offer insights that go beyond compliance, providing strategic guidance that strengthens your overall security posture. This level of partnership ensures that your auditor is not only identifying risks, but also helping you to build a stronger, more resilient organization.

At BARR, we pride ourselves on being more than just auditors—we’re dedicated partners in your success, fully committed to supporting your organization’s growth and mission while helping you navigate the complexities of cybersecurity with confidence.

“We felt that the BARR team was genuinely invested in our success. They took the time to understand our unique organizational context and tailored their approach to meet our specific needs.” –Permutive

Are you looking for an approachable, simplified audit that provides actionable insights on improving your organization’s security posture? Contact us today to find out how we can help.