The four approaches
Companies serious about architecture hygiene have four paths. Each does a real thing; each leaves a real gap.
- Big-4 / Tier-1 audit firm — Deloitte, PwC, EY, KPMG, Accenture, McKinsey Digital — six- to ten-week engagement, slide-deck deliverable, $120K–$400K.
- Boutique architecture consultancy — 3–10 person specialist firms. Deeper technical bench than Big-4 partners, smaller scale, similar engagement shape.
- In-house platform team — your own engineers running the audit on dedicated time, often as a quarterly OKR.
- Garnet Audit Retainer — same engineer, every month, indefinitely. Daily passive snapshots, weekly drift diff, monthly executive PDF, merged engineering tickets.
What actually closes findings
| Big-4 | Boutique | In-house | Garnet | |
|---|---|---|---|---|
| Continuous (vs. point-in-time) | No | No | Quarterly | Daily passive + weekly active |
| Same engineer end-to-end | Rotating associates | Sometimes | Yes | Yes |
| Findings shipped as merged PRs | Slide deck | Sometimes | Yes | Yes |
| Compliance posture (SOC 2 / ISO / HIPAA) | Yes | Variable | Variable | First-class metric |
| Cost-axis tracking + recovery | Sometimes | Sometimes | Yes | Yes (~28% in 6mo) |
| Latency / reliability axis | Often skipped | Variable | Yes | Yes |
| Snapshot writer in customer's tenant | No | No | Custom-built | Yes (your R2) |
| Pre-mortem authoring | No | Sometimes | Sometimes | Yes (per change) |
| Engagement model | One-shot, $120K–$400K | One-shot or 6–12 mo, $80K–$300K | 0.5–2 FTE, $100K–$500K loaded | Monthly retainer, $60K–$300K/yr |
Where each approach wins
Big-4 is right when
- You need an audit signed by a name your board recognizes — pre-IPO due diligence, M&A buy-side, post-incident regulator response. The signature is itself the deliverable.
- You want to bench-mark against the firm's cross-industry pattern library. Big-4 associates have seen many similar stacks and can surface "this is how the median bank handles X" data points.
- The scope is broader than architecture — TEM, M&A integration, multi-org compliance rollout — and the audit is a sub-piece of a $3M–$10M engagement.
Boutique architecture consultancies are right when
- You want senior technical depth without the Big-4 markup. Smaller firms ship deeper technical reports; the partner is often the engineer.
- Your stack has unusual domain primitives (HFT, ad-tech RTB, on-prem ML, hardware-in-the- loop) where category specialists outperform generalists.
- You're a one-shot buyer — a single audit ahead of a known event — and don't need ongoing engineering capacity afterward.
In-house platform team is right when
- You're past Series C with a serious platform engineering line item and the architecture-audit role is a full-time hire (typically Staff Engineer + 1 Senior).
- Your domain is so specific that an outside firm would burn 8–12 weeks just learning the architecture before they can find anything useful.
- You have the political capital internally to escalate findings to leadership without needing an outside consultant's signature for credibility.
Garnet Audit Retainer is right when
- You want findings closed, not just authored. The retainer ships merged PRs, not a deck of recommendations.
- You want continuous rather than point-in-time. The state of the architecture today matters more than the state 6 months ago.
- You want one engineer accountable. The same person who wrote the snapshot writer ships the engineering ticket that closes the finding.
- You're between "internal team can't keep up" and "ready to hire a Staff Engineer for the role." The retainer is roughly a 0.25–0.4 FTE in cost, with senior-engineer output.
Where the audit-retainer model breaks compared to Big-4
We are not the right answer for everyone. Three places where Big-4 wins decisively:
- Multi-business-unit rollouts — auditing 30+ subsidiaries, harmonizing findings across legal entities. Garnet's single-engineer model can't parallelize that way. Big-4 puts 40 associates on it.
- Court-defensible signature — audit reports filed in litigation, SEC inquiries, or insurance disputes. Garnet's reports are technically rigorous but don't carry a "signed by the [Big-4 name]" cachet that some legal contexts require.
- Geographic / regulatory diversity — multi-jurisdiction operations where the audit needs LATAM, EMEA, and APAC partners with on-the-ground compliance knowledge. Garnet is one engineer in NYC.
The economic argument by company stage
Pre-Series-A: too early. Architecture is still pre-product-market-fit; the audit signal is noisy because the architecture itself is moving. Defer 6–12 months.
Series A / B: Audit Pro ($4,999/mo, $60K/yr). Replaces the "we should do an audit someday" backlog with continuous discipline. The retainer's quarterly equivalent runs ~30% the cost of a Big-4 one-shot for similar scope.
Series C / mid-market: Audit Scale ($9,999/mo, $120K/yr). Same headline number as a Big-4 audit but ongoing engineering work. Compliance progression toward SOC 2 / ISO is a first-class metric.
Late-stage / pre-IPO: Audit Enterprise ($24,999/mo, $300K/yr) PAIRED with a Big-4 attestation audit at IPO time. The retainer keeps the architecture clean year-round; the Big-4 signature seals it. Most pre-IPO customers we've spoken with are doing both, not one or the other.
How to evaluate any audit vendor
- Will the engineer who scopes the audit be the engineer doing the work? Big-4 partners scope; senior associates execute; manager reviews. The signal-loss between scope and execution is where most audits go wrong.
- What's the deliverable shape — recommendation vs. merged code? Recommendations become technical debt. Merged code becomes production.
- How is drift surfaced after the audit closes? A one-shot audit goes stale within 90 days as your stack evolves. Either you have a continuous mechanism (the retainer) or you accept the staleness.
- Whose tooling produces the snapshots? If the vendor's, your audit trail dies with the engagement. If yours (the Garnet pattern, snapshots in your R2), your audit history outlives the vendor relationship.
- What's the engineering ratio — author : execute? A 4:1 ratio (4 hours of report-writing per 1 hour of fix) leaves 80% of findings unfixed. A 1:4 ratio (1 hour of authoring per 4 hours of fix-shipping) is the inverse and is what moves architectures.
Adjacent lanes
If your team is also evaluating other lanes:
- GEO vs SEO / AI-SEO — citation engineering for AI-search visibility. Same continuous-vs-point-in-time argument.
- Sentinel-aaS — the Discord operations bus that routes audit-drift alerts and weekly drift reports.
- Cluster Ops vs API / cloud GPU — on-prem MLX inference operations.
See Audit Retainer pricing → Read the full methodology → or talk to engineering