What Does a SOC Audit Cost?
The greatest tennis player of all time, Serena Williams, once said, “everything comes at a cost. Just what are you willing to pay for it?”
Now, she wasn’t talking about compliance since she’s spent her entire career obliterating opponents on the court, but her question remains relevant to SOC audits.
There are so many factors that will affect just how your own SOC report will shape up—what kind of data you protect, what kind of assurance you’re trying to provide, what kind of time you have?
But let’s be honest, one of your biggest questions is whether or not this thing is going to fit in your budget. It’s less about what you’re willing to pay than what you can pay. And frankly, this is a number that’s difficult to pin down.
All those factors that we mentioned before—plus many others—play a part in figuring your SOC audit price. We speak from experience, given that Schellman has performed SOC examinations for almost two decades now and we’ve worked with all kinds of variables at all kinds of organizations that all ended up with different sums.
At the end of your budgeting process, your number will be unique too, but that doesn’t mean we can’t help you set some expectations ahead of time.
In this article, we will lay out our price ranges for typical SOC audits. But more than that, we will also explain three major factors that can determine your costs, up or down. Then, we’ll provide some tips on how to reduce your final price.
That way, when you do enter contract talks with your auditor, you won’t be blindsided in your discussions—you’ll already have an idea about where you should be on price and the specifics of your organization that will affect your final number.
What Does a SOC Report Cost?
We understand your anxiety about audit prices—costs affect everything in business. So, let’s take a stab at giving you a foundation to steady yourself, no matter if you pursue services with Schellman or not.
Here’s a range of what to expect at a baseline:
SOC 1 Readiness
$15,000 - $21,000
|SOC 1 Type 1||
$23,000 - $35,000
|SOC 1 Type 2||
$29,000 - $44,000
|SOC 2 Readiness||
$18,000 - $25,000
|SOC 2 Type 1||
$25,000 - $39,000
|SOC 2 Type 2||
$30,000 - $55,000
|SOC 3 (solo)||
$30,000 - $55,000
|SOC 3 (add on to SOC 2)||
|SOC for Cybersecurity||
$30,000 - $50,000
|SOC for Supply Chain||
$30,000 - $55,000
*These numbers are based on an application service provider hosted in a well-known cloud environment with a decided scope that only includes required security criteria (for SOC 2) with no third parties--in other words, this is as limited in scope as possible, based on common scenarios. These are also assumed to be individually performed assessments and not part of a broader compliance program.
From our industry knowledge gleaned, that’s what you can expect to spend at a relatively bare minimum on a SOC audit.
Of course, there will also be pricing disparity among firms–you might also consider individual reputation and specializations when choosing an auditor. But what about your organization can drive up your fees?
3 Factors That Will Drive Your SOC Audit Cost Up or Down
1. The Type of Project
If you opt for either a SOC 1 or SOC 2—likely, since these are two of the more popular examinations within the SOC reporting brand—you will need to choose which type of report you want as well.
For both SOC 1 and SOC 2, you have the choice of readiness, Type 1 or Type 2, and as you saw in the chart above, they cost different amounts.
Why? It’s about the effort involved. (This is a trend that’ll emerge among all the factors we’ll mention.)
We wrote extensively on the differences between Type 1 and Type 2 audits, but here is the rub. Being the more thorough audit, Type 2 requires the most investment from your auditors (and from you!), making it more expensive than the Type 1 and readiness assessment in comparison.
As it extends over a period up to a year generally, with regular testing of your controls to monitor their ongoing effectiveness, that’s going to take more planning and preparation. It makes sense that opting for this route would add additional costs to your initial number.
A readiness assessment is only intended to help you plan and prepare for either a Type 1 examination or a Type 2 examination—it won’t suffice in providing assurances to your customers—and said Type 1 examination opines on the controls as of a single date in time.
Because they require considerably less time and effort from your assessor, you can expect those options to drive your costs down, though they may not suit your customers looking for the full Type 2 from you.
2. Which Control Objectives or Trust Service Categories Are Included
The number of control objectives (SOC 1) or trust services categories (SOC 2) will also determine the required level of effort.
Most SOC 1 reports include a combination of general IT control objectives and transaction or business processing objectives. Your general IT controls could include aspects of the following:
Examples of business processing objectives commonly include:
For each control objective, your auditor will need to evaluate specific controls. More control objectives mean more controls, which means more time and effort from your auditor—and you.
You might also choose to include relevant controls from your third parties—but then, you may choose to exclude them from control evaluation as well. We call the latter the carve-out method and it’s by far the most common approach—not just because it helps drive down your costs.
SOC 2 Trust Service Categories
Rather than creating control objectives as in SOC 1, for your SOC 2 you will need to select which Trust Service Categories to include, and each contains predefined criteria.
Once you decide which categories are in-scope, your controls will be tested to ensure each of the selected criteria is achieved. The table below provides the number of criteria for each category:
Since the Common Criteria are required for all SOC 2 reports, your organization will be audited against 33 mini control objectives at a minimum. As you add more, the level of effort increases, and so will your cost.
3. Complexity and Size of Scope
Another big factor that can affect the price tag on your SOC examination is the complexity of your scope, i.e., the system or service you’re trying to have evaluated.
Common factors that affect said complexity include:
How to Reduce SOC Audit Costs
To help bring down your price, work with your service auditor to determine the complexity of your environment and see about any efficiency potential. Reductions to the overall number of controls to be evaluated, the fewer third parties to be included, the fewer service commitments you have, and system requirements to be considered will reduce the overall level of effort and the associated fees.
Additionally, combining a Readiness with a Type 1 and a Type 2 into more a strategic multi-year program will also generate cost savings through efficiency and know-how. We recommend this for SOC 2 in particular, and we commonly provide cost consideration for multi-year arrangements that allow to us partner more closely with clients throughout their compliance journey.
At this early stage, you should also consider whether you need or may need to satisfy multiple compliance objectives beyond SOC. If you do, you need to identify an audit provider that can perform all or many of your needs—packaging services can also sometimes help with cost reduction.
Next Steps for Your SOC Examination
Your mind is likely whirling, trying to understand how these variables apply to you. While cost plays arguably one of the largest parts of your compliance decisions, your end goal should also be to engage in the best project for you and your customers.
That’s why you need to ensure you get the right “bang for your buck.”
As you continue shaping what your SOC experience will look like, read our other content on the brand. These articles contain information that can help you make some decisions :
- 3 Benefits to Getting a SOC 2 Report
- How Long Will My SOC Examination Take?
- SOC 2 vs. SOC 3: Understand Your Options
With all this information in hand, you’ll be well-positioned heading into meetings with potential auditors, knowing exactly what services suit you and with set expectations on what you’ll need to budget to get it done.
About RYAN BUCKNER
Ryan Buckner is a Principal and Chief Knowledge Officer at Schellman. Ryan currently serves on Schellman’s attestation leadership team and leads the firm-wide research and development for attestation methodology. Ryan is a CIPP, CISSP, CISA, ISO 27001 Lead auditor, and maintains multiple CPA licenses, among other certifications. Ryan is also an AICPA-approved and nationally listed Peer Review Specialist for SOC examinations. Having directly performed and completed over 1,000 service audits, Ryan is one of the most experienced service auditors in the world.