There is one question on everyone’s mind when they learn that they need to get a SOC report for one of their clients… How much is this going to cost? Chances are, if you are reading this, then you have the same question.
You may read or hear that the cost of a SOC 2 audit is a certain number. In fact, some firms may even give you a quote without ever talking to you or knowing anything about your company. How much would you trust a salesperson who gives you a quote for a new car without knowing the make, model, or trim of the car that you want? That hasn’t worked since Henry Ford first started mass-producing the Model T, when he famously offered that you could get your car in any color you wanted as long as it was black.
If you were to ask me to quote you a price without any additional information, I would give you the answer that most do: it depends. I know it is a frustrating answer, but there is no “one size fits all” SOC 1 or SOC 2 audit.
We issue hundreds of SOC reports each year. Some reports are just 40 pages long while others are two or three times that size. There are a number of factors that drive the difference in length between reports, and those same reasons are why a service auditor cannot provide a single standard price for every SOC engagement. However, understanding what factors impact the price will help you to know how to keep the cost of a SOC 2 audit down or perhaps even how to lower the cost of your SOC audit.
What Factors Impact the Cost of a SOC 1 or SOC 2 Audit?
The price of a SOC audit is based on the level of effort needed to complete the engagement. There are a number of variables that an audit firm needs to understand to determine the amount of effort required to perform the examination and, therefore, your cost for a SOC audit. These include the:
- Scope of the Assessment
- Type of Assessment
- Nature of the Organization’s Services
- Composition of the Organization
- Number of Locations
- Extent and Relationship with Subservice Providers
A firm must understand all of these components to provide an accurate and reliable quote. If you get a blind quote (sight unseen), chances are it will change as you move down the road and “new facts” are uncovered or you will get a significant jump in price the following year. This bait and switch typically occurs far enough along in the process that it will be too costly, too difficult, or too late to switch audit firms.
Scope of the Assessment
What or how much is to be covered in an examination will impact the price of the SOC audit.
Number and Nature of Control Objectives in Scope (SOC 1)
The effort to perform a SOC 1 audit can vary a great deal based on the number and nature of control objectives included in the scope. Your organization, as the service organization, specifies the control objectives and controls to be tested based on their impact on your clients’ internal control over financial reporting. For example, if you were getting a SOC 1 report for a data center co-location service with no managed services, you may only need four or five control objectives. However, a payroll processor’s SOC 1 report may have more than a dozen control objectives to address the potential impacts that it may have on its clients’ financial reporting. Typically, the amount of effort and price rises as the number of control objectives increases.
Number of Trust Services Criteria in Scope (SOC 2)
How much does a SOC 2 audit cost? That will depend on how many of the five Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, and Privacy) are included in the scope of the SOC 2 audit.
The Security criteria is the Common Criteria that must be included in every SOC 2 audit. The remaining four criteria are optional. We counsel our clients to include only the Security criteria unless a client is specifically requiring them to include other areas. The Availability, Processing Integrity, and Confidentiality criteria usually result in smaller incremental increases to the cost of the SOC 2 examination. Adding Privacy is an expensive add-on.
Number of Systems in Scope
Each additional system within scope multiplies the effort required to complete the SOC audit. Don’t panic if you have two systems (not just one) that would be in scope. While it will result in an increase in audit fees, the audit fees should not necessarily double.
Some firms price readiness assessments separately from audits, while others will lump them together. You will want both, because the last thing you want to do is have a SOC audit performed only to find out that you failed. If you are comparing quotes, be sure to ask firms to provide you the price for performing both a readiness assessment and a SOC audit. This will allow you to compare apples to apples.
Type of Assessment
There are two types of assessments: type I and type II (also commonly referred to as type 1 and type 2). I know, we auditors are really creative in our naming conventions. We have a wonderful post that shares the details of the differences between type 1 and type 2 assessments. With regard to cost, a SOC 2 Type II audit will typically be more expensive than a Type I.
Nature of the Organization’s Services
Some industries and businesses are inherently riskier than others just by their nature. Increased risk requires a higher level of scrutiny and additional procedures to ensure that the service auditor is adequately addressing the related risks. Services that entail complex processes, specialized technology, multiple systems, or validation of detailed calculations require additional effort. For example, a scheduling service is less risky than loan or tax processing. Similarly, a service that runs on a single application is less complex to assess than one that spans multiple systems residing in different IT environments, supported by siloed personnel who follow different processes.
Composition of the Organization
The size of an organization is one metric used to gauge effort as it can reflect an organization’s complexity. As you might guess, performing a SOC audit for a small start-up typically requires less effort than doing one for a Fortune 500 company. At a small start-up, auditors interview fewer people to understand the systems, processes, and controls in the scope of the audit. Similarly, smaller organizations are often able to provide auditors the necessary information and documentation in a more timely manner than larger ones.
The maturity of an organization’s control environment also impacts how much effort is required to assess it. If the control framework is not formally documented or hasn’t ever been assessed, it will take more effort by auditors to identify the controls within the processes supporting the systems and services. The maturity of the environment will also drive your organization’s ability to obtain a type I or type II SOC report initially. If controls are not in place or have not been operating for a period of time to meet the control objectives (SOC 1) or the Trust Services Criteria (SOC 2), you will need to address the gaps internally and operate the controls for the desired period in order to get a type II report.
Number of Locations
The effort and cost of a SOC audit go up as the number of locations increases. If controls relevant to the in-scope systems and services are performed at multiple locations, service auditors will need to assess the controls at each location. If processes are the same at each location, auditors can perform procedures to validate this and combine the populations from the various locations into a single population for testing a control. However, if controls or processes vary between locations, auditors would need to perform testing separately for each location. Just think about all the data centers that are covered by AWS, Azure, or GCP’s SOC reports.
Extent and Relationship with Subservice Providers
Most service organizations use vendors to perform or support a part of the services they provide. A subservice provider is a vendor that helps the primary service organization meet its service commitments or system requirements and is responsible to perform certain controls as a part of its services. For example, an organization that hosts its SaaS application in AWS relies on AWS to perform controls to maintain the physical security surrounding its facilities.
What Else Impacts the Price of a SOC Audit?
Every accounting firm has to make money. So, each firm’s price will have three components:
- Estimated Cost of Labor – The earlier sections of this post focus on the components of estimating the cost of labor.
- Overhead Expense – Overhead is comprised of expenses a firm incurs that are not directly related to client services.
- Profit – Earnings to be made in excess of the total cost.
One would think that the cost of labor would be the largest component of the price, and it should be. Unfortunately, for a lot of larger firms, overhead expense can be the greatest expense or a very close second. This is to account for the firm’s expenses related to marketing, office buildings, sponsorships, and (perhaps the biggest of them all) pensions for the tens of thousands of retired/former employees. At Linford & Company, we have a modest office and keep expenses to a bare minimum so that we can charge clients reasonable fees.
We have briefly discussed how to determine the total cost of obtaining a SOC audit and some of an audit firm’s key considerations when pricing a SOC engagement.
After an engagement scoping discussion, we will deliver a brief audit proposal with firm pricing within a few business days. We price all of our SOC 1 and SOC 2 examinations on a fixed fee basis for professional fees.
Please also note that although our fees are significantly less than those of the Big Four accounting firms, they are not always less than those of other firms. This is due to the experience, background, and certifications of our professionals and the level of partner involvement on each engagement.
See the following blogs for more related information on SOC reports and controls:
- What is a SOC 1 Report? Expert Advice You Need to Know
- What is a SOC 2 Report? Expert Advice You Need to Know
- How Long Does a SOC Examination Take?
This article was originally published on 6/13/2018 and was updated on 3/10/2021.
Isaac Clarke is a partner at Linford & Co., LLP. He began his career with Ernst & Young in 2003 where he developed his audit expertise over a number of years. Isaac specializes in and has conducted numerous SOC 1 and SOC 2 examinations for a variety of companies—from startups to Fortune 100 companies. Isaac enjoys helping his clients understand and simplify their compliance activities. He is attentive to his clients’ needs and works meticulously to ensure that each examination and report meets professional standards.