Find out why Strike Graph is the right choice for your organization. What can you expect?
There is some truth to the adage, “You get what you pay for.” How many times have you saved a few bucks by going for the cheaper option only to have it backfire?
We are starting to see a downward trend in SOC 2 audit fees, reminiscent of a race to the bottom. There is no doubt that the rationale behind auditor pricing is mysterious—some auditors charge according to the number of controls, some charge according to the market, and others lower their fees because of back-end efficiencies or because they can outsource the work to skilled auditors internationally.
At Strike Graph, we pride ourselves on being auditor-agnostic, with no lead generation fees or side deals with auditors. The audit is meant to be independent, and we don’t want to pigeonhole our customers into a one size fits all audit. We advise our customers to budget around $30k in audit fees for their first year and suggest they get quotes from three different firms. Some may find an auditor that charges half that budgeted amount and if they get lucky, they get lucky.
But it is important to know what a $10k, $20k, or $30k SOC 2 audit will get you.
Ask yourself the following:
At Strike Graph, we chose a SOC 2 auditor that was in the middle range of the fees we were quoted. We paid a bit more to have a well-respected regional firm with national brand recognition. We are able to converse openly and readily with them, and they have some expertise in both our industry and companies of our size and age. They are proving to be fantastic, knowledgeable partners in our SOC 2 and cyber security journey. We believe they are well worth the extra cost.
If a firm offers a fee that is ‘too good to be true’, ask yourself what you will be getting and if it will fit your current and future objectives. We believe that auditors are extremely valuable partners in your compliance journey. We also know that audits can be expensive and that is why we suggest you get a bid from at least three firms. Having a respected audit partner will be more valuable than simply checking a box in a procurement process. When selecting the final auditor make sure that you're optimizing for the best business outcome, whether that be cost, prestige, or a balanced strategy.
When calculating your all-in costs for achieving SOC 2 attestation (note: when you see SOC 2 “certification,” attestation is what is actually being referred to), keep in mind that in addition to the costs associated with the audit itself, you should also plan on designating someone from your organization to oversee the SOC 2 process. This should be someone who deeply understands your organization's policies and processes, and, at a minimum, this person should devote half of their time to the audit. This may mean hiring a new resource to assume some of their other responsibilities.
Finally, another cost to consider is training. This isn’t just a nice-to-have; it’s an actual requirement and needs to be completed annually. The time involved will obviously vary from organization to organization, depending on things like size and whether members of your staff are already up-to-speed on SOC 2 compliance. Just as designating someone to oversee the audit might result in a loss of productivity or the need for additional staff, ensuring that your staff is sufficiently trained may also mean a loss of productivity. Again, depending on your organization, you may also want to consider additional tools to help you streamline your SOC 2 program.
If this seems like a daunting undertaking, keep in mind that control requirements aside, these sorts of costs incurred on the front-end will pay off in the long term. Consider it an investment in your company as well as your customers, enabling you to respond more quickly and effectively to any issues or concerns as they relate to future SOC 2 audit requirements and reports.
Learn more about how Strike Graph can help you streamline your SOC 2 process, saving valuable time, money, and resources and setting you up for security success in the future.
© 2024 Strike Graph, Inc. All Rights Reserved • Privacy Policy • Terms of Service