Why Your Compliance Advisor and Auditor Should Be Different Firms

When a compliance firm helps you build your controls and then audits those same controls, the resulting report has a structural problem: the firm is reviewing its own work. This isn’t a rare edge case; it’s a common arrangement that most buyers never think to question. Independence between advisory and attestation isn’t a technicality. It is the entire reason a SOC 2 report, a CMMC certification, or a HIPAA assessment means anything to the person reading it.

For the short version of this concept, see our page on what independence actually means → Why Independence Matters

A Question Almost Nobody Asks

If you’ve been through a compliance engagement before, you’ve probably never asked your provider this question: “Did the team that helped us build our controls also sign off on whether they work?”

Most buyers don’t ask because they assume the answer is obviously no: of course the advisor and the auditor are different. But in cybersecurity compliance, that assumption is often wrong. Many firms offer both services under one roof: they’ll help you write your policies, design your access controls, and build your evidence, then turn around and issue the formal attestation on whether those same controls pass.

That’s not a hypothetical conflict. It’s the same dynamic the financial auditing industry spent decades regulating against, for good reason.

Where This Concept Actually Comes From

Independence as a formal requirement isn’t new; it’s borrowed directly from public accounting. Since the Sarbanes-Oxley Act of 2002, the SEC and the PCAOB have prohibited the CPA firm auditing a public company’s financial statements from also providing certain non-audit services to that company, including designing and implementing the financial information systems it would later audit. The logic is simple: if the auditor has a financial or professional stake in the client looking good, the audit opinion can’t be trusted as objective.

Cybersecurity and compliance attestation has been walking the same path, just more slowly and less formally, until recently.

  • CMMC made it explicit. A Certified Third-Party Assessor Organization (C3PAO) is prohibited from holding an advisory relationship with the organization it assesses. The DoD didn’t leave this to firms’ discretion. It wrote the separation into the program’s structure.
  • SOC 2 leaves more room for interpretation. SOC 2 attestations must be issued by a licensed CPA firm operating under the AICPA Code of Professional Conduct, whose independence rules restrict the nonattest services an auditor may provide to an attestation client. But the line between acceptable readiness help and designing or operating the client’s controls is drawn differently by different firms. Some interpret it narrowly. Some don’t interpret it carefully at all.
  • FedRAMP follows the same logic as CMMC. Third-Party Assessment Organizations (3PAOs) are accredited against ISO/IEC 17020 and operate under independence requirements that keep them separate from the cloud service providers they assess.

The direction across every framework is the same: independence is becoming a structural requirement, not a nice-to-have.

How the Conflict Actually Shows Up

Here’s the mechanism, stripped of abstraction:

A firm is engaged to help a company get audit-ready. They review the environment, recommend controls, help write policies, and guide remediation. Weeks or months later, that same firm, sometimes the same individual practitioners, sits down to formally test whether those controls work, and issues the report.

If gaps remain, the firm now faces an uncomfortable incentive: flag the gap honestly, which reflects on the advisory work they were just paid for, or soften the finding, which protects the relationship and the next contract renewal. Most firms in this position aren’t acting in bad faith. But the structure itself creates pressure that an outside auditor with no prior involvement simply doesn’t have.

This is precisely why financial auditing doesn’t allow it, and why the trend across cybersecurity frameworks is moving the same direction.

What Buyers and Investors Are Starting to Notice

Enterprise procurement teams, investors, and federal contracting officers are getting more sophisticated about this. A SOC 2 report exists to give a third party confidence in your controls without having to verify them personally. The moment the “independent” reviewer has a financial stake in the outcome, that confidence is undermined — whether or not anyone catches it.

This is increasingly showing up as a direct question in due diligence: “Did the same firm that helped you prepare also issue this report?” If your answer is yes, expect a follow-up conversation. If your answer is no, because you used a separate advisory partner and a separate independent auditor, that answer usually ends the line of questioning.

What the Right Structure Actually Looks Like

The cleanest model splits the relationship in two:

  • An advisory firm that’s unambiguously on your side. Their job is to find your gaps, help you fix them, and get you ready. They have every incentive to be thorough, because their reputation depends on you passing — not on protecting an audit opinion they also have to issue.
  • An independent attestation firm with no prior involvement in building your controls. Their only job is to verify, honestly, whether what’s in place actually works. They have nothing to protect by going easy on you, and nothing to lose by being precise.

This is the model RSAA operates within. We are a compliance advisory firm — we do not issue attestation reports for organizations we advise, by design, not by accident. When we tell you you’re ready for your SOC 2 audit or your CMMC assessment, that opinion isn’t shaped by needing to also sign off on the outcome.

A Practical Way to Think About It

If you’re evaluating any compliance partner, ask yourself: is this firm trying to get me through my audit, or is this firm trying to pass me on my audit? Those sound similar. They’re not.

A firm trying to get you through your audit will tell you the truth about your gaps, even when it’s inconvenient, because their incentive is your long-term readiness, not a clean-looking report this quarter. A firm trying to pass you has a structural reason to be less rigorous with itself.

Independence isn’t a compliance buzzword. It’s the mechanism that makes a report worth trusting in the first place. If you’re choosing a compliance partner, the separation between who prepares you and who attests to your readiness should be the first thing you confirm — not the last.

Looking for an advisory partner who isn’t also grading their own work? Book a free 30-minute readiness call. 

FAQ

Q: Can a compliance firm both advise and audit the same client?

A: Many firms do, but it creates a structural conflict of interest — the firm ends up reviewing its own recommendations. Some frameworks, like CMMC, explicitly prohibit this; others, like SOC 2, leave more room for interpretation depending on the firm.

Q: Why does CMMC require independence between advisors and assessors?

A: The DoD built independence directly into the CMMC program structure — a C3PAO cannot hold an advisory relationship with the organization it assesses. This removes the ambiguity that exists in other compliance frameworks.

Q: Is this the same independence rule used in financial auditing?

A: Yes, conceptually. The SEC and PCAOB restrict consulting relationships between auditors and the public companies they audit, for the same reason: an auditor with a financial stake in the client’s outcome can’t be fully objective.

Q: Does using a single firm for advisory and attestation always mean the report is invalid?

A: Not necessarily invalid, but weaker. The conflict is structural, not necessarily a sign of dishonesty — but it’s exactly the kind of risk that sophisticated buyers and investors are increasingly trained to ask about.

Q: How do I find out if my compliance provider has this conflict?

A: Ask directly whether they both prepared your controls and will issue your attestation report. If yes, ask how they manage that overlap. For a full list of questions to ask, see our independence page.