There is one question on everyone’s mind when they learn that they need to get a SOC report for one of their clients—How much does a SOC audit cost? Chances are, if you are reading this, that you have the same question.
There are three components that make up the total cost to get a SOC report. The three components are:
- Readiness / Gap Assessment Fees
- Internal Costs of Compliance
- SOC Audit Fees
One must understand all three of these components to determine the total cost to the organization. This blog focuses on the first and last components as these are those that we can provide insight on. You are better suited to calculate your internal costs to comply with the control objectives or Trust Services Criteria.
How Much Are the Fees for a Typical SOC 1 or SOC 2 Audit?
The truth is that accounting firms’ prices for SOC 1 (f. SSAE 16) or SOC 2 examinations vary widely. Some firms price readiness assessments separate from audits while others will lump them together. You will want both because the last thing you want to do is have a SOC audit performed only to find out that you failed. If you are comparing quotes, be sure to ask firms to provide you the price for performing a readiness assessment and a SOC audit. This will allow you to figuratively compare apples to apples.
Price estimates differ between firms as each will:
- Estimate the effort / cost required to do the work
- Have related overhead expenses allocated to the audit
- Require a certain level of profit from the engagement
Typically, our SOC 1 audits start at $17,500 and our SOC 2 audits start at $19,500 for small, non-complex organizations. And, since everyone needs one, we include a readiness or gap assessment as part of every first time SOC audit. These are starting points and the price of a specific SOC audit may go up or down as we customize proposals to our clients’ specific needs.
What Factors Impact the Cost of a SOC 1 or SOC 2 Audit?
If you were to ask me to quote you a price without any additional information, I would give you the answer that most do—It depends. I know it is a frustrating answer, but there is no “one size fits all” SOC 1 or SOC 2 audit.
We have issued hundreds of SOC reports. Some reports are just 25 pages long while others are well over 100 pages. There are a number of factors that drive the difference in length between reports, and those same reasons are why a service auditor cannot provide a single standard price for every SOC engagement.
Our pricing of a SOC audit is based on the level of effort needed to complete the engagement. Some of the factors that impact the level of effort and; therefore, your costs for a SOC audit, include the following:
- Organizational Size
- Control Environment Maturity
- Number of Systems in Scope
- Inherent Risk / Complexity of Business Services
- Number and Nature of Control Objectives in Scope (SOC 1)
- Number of Trust Services Criteria in Scope (SOC 2)
- Timing of the Audit
The effort and cost of a SOC audit go up as the number of locations increase. If controls relevant to the in-scope systems and services are performed at multiple locations, service auditors will need to assess the controls at each location. If processes are the same at each location, auditors can perform procedures to validate it and combine populations from the various locations into a population for a single testing for a control. However, if controls or processes vary between locations, auditors would need to perform testing separately for each location.
The size of an organization is one metric used to gauge effort as it can reflect an organization’s complexity. As you might guess, performing a SOC audit for a small start-up typically requires less effort than doing one for a Fortune 500 company. At a small start-up, auditors interview fewer people to understand the systems, processes, and controls in the scope of the audit. Similarly, smaller organizations are often able to provide auditors the necessary information and documentation in a more timely manner than larger ones.
Control Environment Maturity
The maturity of an organization’s control environment also impacts how much effort is required to assess it. If the control framework is not formally documented or hasn’t ever been assessed, it will take more effort by auditors to identify the controls within the processes supporting the systems and services. The maturity of the environment will also drive your organization’s ability to obtain type I or type II SOC report initially. If controls are not in place or have not been operating for a period of time meet control objectives (SOC 1) of the Trust Services Criteria (SOC 2), you will need to address the gaps internally and operate the controls for the desired period in order to get a type II report.
Number of Systems in Scope
Each additional system within scope multiplies the effort required to complete the SOC audit. Don’t panic if you have two systems (not just one) that would be in scope. While it will result in an increase audit fees, the audit fees should not necessarily double.
Inherent Risk / Complexity of Business Services
Some industries and business are inherently riskier than others just by their nature. Increased risk requires a higher level of scrutiny and additional procedures to ensure that service auditor is adequately addressing the related risks. Services that entail complex processes, specialized technology, involve multiple systems, or validation of detailed calculations require additional effort. For example, a company providing co-location data center services is less risky and less complex than a business that provides payroll and tax processing.
Number and Nature of Control Objectives in Scope (SOC 1)
The effort to perform a SOC 1 audit can vary a great deal based on the number and nature of control objectives included in the scope. The service organization specifies the control objectives and controls to be tested based on their impact on their clients’ internal control over financial reporting. Thus, a SOC 1 report for a data center may only need four or five control objectives while a report for a payroll processor may have more than a dozen of them. In this case, the former will certainly be less expensive than the latter.
Number of Trust Services Criteria in Scope (SOC 2)
The Trust Services Criteria has five different areas of criteria that may be included in the scope of a SOC 2 audit. They are the following:
The Security criteria is the Common Criteria that must be included in every SOC 2 audit. The remaining four criteria are optional. We counsel our clients to include only the Security criteria unless a client is specifically requiring them to include other areas. The Availability, Processing Integrity, and Confidentiality criteria usually result in smaller incremental increases to the cost of SOC 2 examination. Adding Privacy is an expensive add on.
What Else Impacts the Price of a SOC Audit?
Every accounting firm has to make money. So, each will have a profit margin built into the price. They will also include overhead expenses allocated to engagement in the price of your SOC audit. Overhead is comprised of expenses a firm incurs that are not directly related to client services. A few examples of overhead expenses are a firm’s expenses for marketing, office buildings, sponsorships, pensions, etc. Firms, like any business, must allocate these expenses to each transaction of its services. At Linford & Company we have a modest office and keep expenses to a bare minimum so that we can charge clients reasonable fees.
We have briefly discussed how to determine the total cost of obtaining a SOC audit and some of an audit firm’s key considerations when pricing an SOC engagement.
After an engagement scoping discussion, we will deliver a brief audit proposal with firm pricing within a few business days. We price all of our SOC 1 and SOC 2 examinations on a fixed fee basis for professional fees.
Please also note that although our fees are significantly less than the big four accounting firms, they are not always less than other firms. This is due to the experience, background, and certifications of our professionals and the level of partner involvement on each engagement.
See the following blogs for more related information on SOC reports and controls:
- What is a SOC 1 Report? Expert Advice You Need to Know
- What is a SOC 2 Report? Expert Advice You Need to Know
- How Long Does a SOC Examination Take?
- Establishing an Effective Internal Control Environment
Isaac Clarke is a partner at Linford & Co., LLP. He began his career with Ernst & Young in 2003 where he developed his audit expertise over a number of years. Isaac specializes in and has conducted numerous SOC 1 and SOC 2 examinations for a variety of companies—from startups to Fortune 100 companies. Isaac enjoys helping his clients understand and simplify their compliance activities. He is attentive to his clients’ needs and works meticulously to ensure that each examination and report meets professional standards.