Who Can Perform SOC 2 Audits?

SOC 2 audits must be performed by a licensed CPA (Certified Public Accountant) firm. This is a regulatory requirement—non-CPA firms cannot issue SOC 2 reports.

Important Distinction

Auditor/Assessor: Licensed CPA firm that performs the examination and issues the SOC 2 report
Consultant: Non-CPA firm that helps you prepare for the audit (readiness, remediation, documentation)

A consultant can help you prepare, but only a CPA can issue the final SOC 2 report.

Types of SOC 2 Auditors

  • Big Four: Deloitte, PwC, EY, KPMG - prestigious but expensive, typically for large enterprises
  • National Firms: BDO, Grant Thornton, RSM - mid-market focus, strong capabilities
  • Regional Firms: Large local/regional CPA firms with SOC 2 practices
  • Boutique Firms: Specialized firms focused primarily on SOC 2 and IT audits

Selection Criteria

Evaluate potential auditors across these dimensions:

1. Experience and Expertise

  • SOC 2 Volume: How many SOC 2 reports do they issue annually? (More = more experience)
  • Industry Experience: Have they audited companies in your industry?
  • Technology Experience: Are they familiar with your technology stack (AWS, Azure, GCP, specific tools)?
  • Trust Services Criteria: Do they have experience with all criteria you're including?

2. Reputation and References

  • Ask for references from similar-sized companies in your industry
  • Check peer review results (CPA firms undergo periodic quality reviews)
  • Look for online reviews and testimonials
  • Ask your network who they use

3. Team Qualifications

  • Certifications: CISA, CISSP, other relevant credentials
  • Team Stability: Will the same team work with you through the engagement?
  • Partner Involvement: How much access will you have to the signing partner?

4. Communication and Accessibility

  • Responsiveness during the sales process (indicative of engagement quality)
  • Communication style and frequency
  • Availability for questions during the audit
  • Time zone alignment (matters for international firms)

5. Methodology and Tools

  • How do they collect evidence? (Portal, email, manual)
  • What's their testing approach?
  • How do they handle exceptions and findings?
  • What's their timeline and process?

6. Pricing and Value

  • Total cost (not just audit fees - include any platform costs, etc.)
  • What's included vs. additional cost
  • Payment terms
  • Multi-year pricing considerations

Questions to Ask Potential Auditors

About Their Experience

  • "How many SOC 2 engagements did you complete last year?"
  • "How many clients in our industry have you audited?"
  • "Are you familiar with [our specific cloud providers/tools]?"
  • "What Trust Services Criteria do most of your clients include?"

About the Team

  • "Who will be our primary contact?"
  • "What's the team's background and certifications?"
  • "How much partner involvement should we expect?"
  • "What's your team's turnover rate?"

About the Process

  • "Walk me through your audit process."
  • "How do you collect and manage evidence?"
  • "What's your typical timeline for [Type I/Type II]?"
  • "How do you handle exceptions and findings?"
  • "Can you provide a sample report (redacted)?"

About Support

  • "What readiness support do you offer?"
  • "How do you handle questions during fieldwork?"
  • "What happens if we're not ready when fieldwork starts?"
  • "Do you offer post-report support?"

About Pricing

  • "What's the total cost, and what does it include?"
  • "What could cause the price to increase?"
  • "What are the payment terms?"
  • "Do you offer multi-year agreements?"

References

  • "Can you provide 2-3 references from similar clients?"
  • "What was your most recent peer review result?"

Red Flags to Avoid

Watch for these warning signs when evaluating auditors:

Guaranteed Pass

No legitimate auditor guarantees you'll pass. If someone promises a clean report before seeing your controls, question their independence and quality.

Extremely Low Pricing

If one quote is dramatically lower than others, understand why. Are they cutting corners? Using junior staff? Limited scope?

Vague Scope

The auditor should clearly define what's included. Vague proposals often lead to surprise fees later.

No Industry Experience

If they haven't audited companies like yours, they may not understand your environment, leading to inefficiency and inappropriate findings.

Poor Communication

If they're slow to respond during the sales process, expect worse during the engagement when you're already committed.

High Team Turnover

If they can't keep staff, you may get inexperienced auditors or team changes mid-engagement.

No References Available

Reputable firms can provide references. Inability to do so suggests limited experience or unhappy clients.

Independence Concerns

If the same firm provides consulting and audit services, ensure proper independence safeguards exist. Better yet, use separate firms for each.

Understanding SOC 2 Pricing

Typical Price Ranges (2025-2026)

Report Type Small/Simple Medium Large/Complex
Type I $3,000-15,000 $15,000-30,000 $30,000-50,000
Type II $5,000-20,000 $20,000-40,000 $40,000-60,000

What Affects Price

  • Scope: More systems, services, locations = higher cost
  • Trust Services Criteria: Each additional criterion adds work
  • Company Size: More employees, transactions, controls = more testing
  • Complexity: Custom systems, multiple environments, complex architecture
  • Readiness: Well-prepared clients cost less to audit
  • Auditor Tier: Big Four costs more than boutique firms

Hidden Costs to Watch

  • Readiness/gap assessment fees
  • Platform/tool fees (some auditors require specific tools)
  • Additional criteria or scope changes
  • Expedited timeline fees
  • Carve-out or additional testing requests

Recommended Selection Process

Step 1: Define Requirements

  • Scope (services, systems, criteria)
  • Timeline requirements
  • Budget range
  • Must-have vs. nice-to-have requirements

Step 2: Create a Short List

  • Research 4-6 firms
  • Get recommendations from peers
  • Include mix of firm sizes

Step 3: Request Proposals

  • Send RFP with clear requirements
  • Provide same information to all bidders
  • Set clear deadline for responses

Step 4: Evaluate Proposals

  • Score against your criteria
  • Compare pricing apples-to-apples
  • Narrow to 2-3 finalists

Step 5: Conduct Interviews

  • Meet the actual team (not just sales)
  • Ask your prepared questions
  • Assess cultural fit

Step 6: Check References

  • Talk to actual clients
  • Ask about responsiveness, quality, surprises

Step 7: Negotiate and Contract

  • Negotiate pricing and terms
  • Clarify scope and change provisions
  • Understand cancellation terms

When to Engage an Auditor

Timing affects your success and potentially your cost.

Ideal Timing

  • 3-4 months before observation period start: Allows for scoping, readiness review, and remediation time
  • Before implementing controls: Get input on what auditors expect
  • Early in fiscal year: Align report period with your business cycle

What Happens If You Wait

  • Rush fees for expedited timelines
  • Auditor availability constraints
  • Less time to address readiness issues
  • Potential delays in getting your report

The auditor relationship is ongoing - you'll work together annually. Choose a firm you trust and can communicate with effectively, not just the cheapest option. A good auditor is a partner in improving your security program, not just a checkbox.

SOC 2 Vendor Selection Auditor