Why Audits Start Broken (And Nobody Talks About It)

The scoping problem is upstream of everything. Quality, rework, defensibility: they all trace back to a conversation that happened before the auditor was in the room.

A few months ago I started tracking a pattern across conversations with audit firm partners.

It wasn't about evidence quality or testing methodology or report structure. It was earlier than that. It was about the moment an auditor first joins an engagement.

More often than not, by the time an auditor enters the picture, the scope has already been set. The compliance tool has been configured. The controls have been mapped. The client's expectations about what the audit will cover and what it will cost have already been established.

The auditor inherits a framework they didn't design.

When that framework is wrong, and it often is, the auditor absorbs the rework.

This Is a Structural Problem, Not a People Problem

It would be easy to frame this as a discipline issue. Firms that let clients drive scope are cutting corners. But that's not what I'm seeing.

What I'm seeing is a market structure that has systematically moved auditors downstream of the conversations that should require their judgment.

Here's how it happens. A prospective client goes looking for a SOC 2 audit. Before they talk to an auditor, they talk to a GRC platform. The platform helps them understand what SOC 2 requires, maps their systems to the criteria, and gives them a sense of what the engagement will look like. By the time an auditor enters the conversation, the client has a price expectation, a scope in mind, and a tool already configured.

The auditor didn't set any of that. But they're responsible for the report at the end.

What Happens When Scope Is Wrong

When inherited scope doesn't match the actual risk profile of the engagement, a few things tend to happen.

Some auditors push back and renegotiate. That's the right call, but it's uncomfortable. It means telling a client that the engagement they budgeted for isn't the engagement that needs to happen. It creates friction, sometimes kills deals, and occasionally damages relationships.

Some auditors work within the scope they inherited and document accordingly. That produces a technically compliant report that may not reflect the organization's actual control environment. This is where post-audit defensibility risk concentrates.

And some auditors absorb the rework quietly. They expand scope after the fact, spend unbudgeted hours to get the engagement to where it should have started, and eat the margin.

None of these outcomes are good. All of them trace back to the same root cause: scope was set before the person responsible for the audit was in the room.

That's not a corner-cutting problem. It's a structural one.

The Connection to Quality

This is why the quality conversation can't start at engagement close. By the time a report is issued, the quality of that report has already been shaped by decisions made weeks or months earlier, before testing started, before evidence was collected, and sometimes before the auditor was even selected.

A rigorous auditor working within a broken scope produces a rigorously documented version of the wrong engagement. That won't show up in peer review. But it's a real defensibility problem, because the report reflects the scope that was handed to the auditor, not the scope the risk environment actually required.

The industry talks about audit quality as though it's a property of the report. It's a property of the process. And that process starts earlier than most quality frameworks assume.

A Different Starting Point

The firms I've seen navigate this well share one thing in common: the auditor is upstream of the client's tool selection, not downstream of it.

They treat scoping as a professional judgment, not a technical configuration. They enter engagements before the compliance platform has defined the parameters. And they have internal standards for what adequate scope looks like, standards that don't bend to client budget expectations.

That's hard to do at scale. It requires consistency across engagement teams, which requires documentation and shared standards, which requires a workflow that supports it rather than bypassing it.

Most current tools don't support it. They were built for the client experience, not for the auditor's judgment. That's not an accident: clients are the buyers in most of the market. But it means the tool ecosystem has been optimizing for the wrong outcome.

The tools weren't built for auditors. And the auditors are the ones paying for it.

A Question Worth Sitting With

On your last five engagements, how many started with scope you set? How many started with scope you inherited?

If the ratio surprises you, you're not alone. It's one of the more consistent patterns across every conversation I've had this year.

And it's the reason that quality, real quality, not just a clean report, is harder to produce than it should be.

Explore the auditor-first audit system we’re building with Audora