What does a SOC 2 Cost?

Updated: Feb 16

How much can you expect to pay for a SOC 2 Report? What are the main drivers of the cost?

 

Let's start with a reality check: SOC 2 is expensive. It requires a CPA firm to sign it off, it covers a broad operational perspective and is based on a standard and guidance that's several hundred pages long. The signatory to the report carries legal liability to a broad range of users. 

 

All SOC 2 report fees start in the 5 figures; Type 1 and Type 2 reports. A SOC 2 Type 2 report tends to be around 30-50% more expensive based on the sample testing required to cover the period of time required for Type 2 reports. A combined fee for first time Type 1 and Type 2 reports would typically be in the range of $50-150k AUD.

 

In theory SOC 2 reports should become cheaper over the years as there's less incremental work by the auditor, but that's not always seen in practice as firms can offer lower introductory rates and aim to profit in the future years with the recurring revenue. There's a few main drivers of the cost.

 

SOC 2 Trust Service Principles

There are 5 Trust Services Principles: Security, Availability, Confidentiality, Processing Integrity and Privacy. Security is required for all reports so that's treated as the base cost. Availability and Confidentiality are the most common additional principles and tend to add about 10-20% to the base cost for each. Processing Integrity and Privacy can vary a lot more between firms as many firms want to avoid reporting on these more complicated and risky areas. Those that do report on them add about 20-50% each to the base cost.

 

SOC 2 Scope

 

The service organisation can, to a large degree, determine the scope of the SOC 2. It may be a single service offering or application rather than the full company's services. However, within that scope all of the relevant systems, data, processes and people need to be included. If some of that is outsourced, it can be excluded using the carve-out method.

 

Without going into all the detail - the scope is the biggest driver of cost. A Software as a Service provider with a single app, outsourced infrastructure, small headcount and limited supporting system components will have the lowest cost. The number of people, processes and systems are the key indicators of the scope and work involved.

 

As headcount grows, processes become more dispersed, larger in scale and the audit work typically requires more coordination and review meetings, etc. The number of systems increases the volume of work in many of the SOC 2 areas but in particular in the logical security area which is the highest volume of the SOC 2 criteria to audit.

 

SOC 2 Support

 

In theory, a SOC 2 report is supposed to be wholly prepared by the service organisation. The auditor then comes in to review that and provides an opinion on it. It rarely works like that in practice though as the auditors experience is often needed to guide the process. 

 

The less support needed, the lower the time costs of audit consultants. Support includes identifying and reporting issues, providing high-level recommendations for remediation, performing multiple reviews during the lead up, and re-work on the report itself from the auditors feedback. Consultants are expensive so this can be a significant difference, and can be a key driver of cost in first time SOC 2 reports in particular.

 

SOC 2 Service Auditors

 

Most products and services are priced in close proximity to competitors in the market. This is not the case with SOC 2 audit services, as illustrated by the broad cost ranges noted above. It wouldn't be appropriate to note any fees on behalf of other providers, but there are general differences that influence the costs:

  • Big 4 accountancy firms: Their brand is their most valuable asset. Companies pay high fees to have the Big4 firms audit their financial statements. Considering this opportunity cost, and the risk to their brand associated with third party reporting over technology companies, these firms invariably quote the highest fees.

  • Mid-tier and boutique accountancy firms: As they are smaller than the Big 4 firms, their opportunity cost and risk of brand damage tends to be lower or less significant. Accordingly they offer lower fees.

  • Cyber security CPA firms: Specialist firms focused on SOC 2 and other technology focused assurance, rather than financial statement audits. These are often ex-big 4 trained consultants. The specialist focus generates economies of scale and a refined operating model which typically allows for the lowest costs on offer.

SOC Reporting

How much should you be paying for your SOC 2 report(s)? What are the drivers of the cost?