You have a mandate from the board: get the company audit-ready, and do it without turning the next two quarters into a fire drill. So you start collecting names. One firm runs your help desk and devices. Another watches your Microsoft 365 and AWS for threats. A third writes policies and gets you ready for SOC 2. And somewhere in the sales calls, a fourth firm offers to do all of it, including the audit itself, under one logo and one invoice.
That last pitch is the tempting one. Fewer contracts, fewer calls, one number to dial. On a slide it looks like maturity. You are the one who has to decide whether it is, and the founder who handed you the mandate is going to skim your recommendation and trust that you checked the things they would not think to check.
Here is the thing worth slowing down on. Some of those layers should live under one roof, because the work between them is where problems hide. And one of them, the audit, should be held at arm's length on purpose. Knowing which is which is the difference between a partner model that stays honest and one that quietly grades its own homework.
The audit firm should not be the readiness firm
Start with the line that is not a preference but a rule. Under SOC 2 attestation, the firm that designs or implements your controls cannot also be the firm that audits them. An auditor may not review its own work, take on management's responsibilities, or act as the decision-maker for the controls it later signs off on. A firm that does both on the same engagement has an independence problem, and an independence breach can void the report you paid for; that is the substance of AICPA guidance on independence in SOC reporting, which several audit firms summarize.
Read that twice, because the all-in-one pitch runs straight into it. If one firm gets you ready and the same firm signs the report, either they are not truly doing both, or the independence of the report is in question. Neither is what your board thinks it is buying.
This is why we keep the audit at a deliberate distance. We run the environment and do the readiness work; the attestation comes from a separate audit partner whose job is to be skeptical of ours. That separation is not friction. It is the thing that makes the report mean something to the customer asking for it.
The arm's-length rule applies to the audit. It does not apply to everything else, and pretending it does is how companies end up with five vendors who do not talk to each other.
Most of the daily work belongs together because it overlaps. Consider where the seams sit:
- Identity lives in Microsoft Entra, which the team running M365 administers and the team watching for compromise also depends on.
- Cloud guardrails in AWS Control Tower are set by whoever runs the account and watched by whoever reads the GuardDuty findings.
- Conditional Access policies are an IT change and a security control at the same time.
When those layers are split across separate firms, you become the relay between them. When they sit with one operator, the handoffs happen below your desk. That is the case for integration: not one giant vendor that does all of it, but one accountable owner for the layers whose work bleeds into each other.
Integration is for the seams that share work. Independence is for the one relationship that has to stay skeptical. A serious partner draws that line out loud.
How a partner model stays honest
The reason to keep specialists separate is not modesty. It is that a generalist who claims everything has no honest answer when the work needs real depth. Some engagements need more AWS or Azure depth than any all-in-one team can credibly offer. Some need an auditor who has never touched the controls. A partner model names those specialists; it does not bluff past them.
Three commitments keep the model honest:
- The audit partner is separate from the readiness work, full stop, so the report carries weight.
- Deep specialists get brought in by name when an engagement needs more than a generalist should claim, and they stay separate from the day-to-day coverage.
- The seams that do belong together get one owner, so nobody can point across a contract when something falls through.
The opposite of this is the firm that answers every depth question with "we handle that too." That answer feels reassuring in the room and expensive later, when the thing they handle turns out to be the thing that breaks.
The questions that expose a stitched pitch
You do not need to be an auditor to test the all-in-one pitch. You need a few questions the vendor cannot hand-wave. Ask any firm calling itself integrated:
- Who signs our SOC 2 report, and are they independent of the team that gets us ready?
- When we need real AWS or Azure depth, do you bring in a named specialist, or do you stretch the generalist?
- When an auditor finds a control gap, which role owns the fix?
A firm with a real partner model answers these in a sentence each, with names. A firm selling a stitched stack dressed as an integrated one starts qualifying, because the honest answer would undercut the pitch.
So which layers did you just put under one roof?
Walk back to the four firms on your shortlist. The mandate was never to collapse them into one logo. It was to put the overlapping layers under one accountable owner, and to keep the one relationship that has to stay skeptical, the audit, genuinely separate. That is a partner model, and it is a sturdier thing to hand your founder than a single invoice that hides where the lines blurred.
The pitch that promised to do all of it, audit included, was selling you the absence of seams. What you want is someone accountable for the seams that share work and honest about the one that should not. So when the next all-in-one deck lands, ask the quiet question: which of these layers genuinely belongs together, and which one are they bundling because it is easier to sell than it is to keep separate?