There is some truth to the adage, “You get what you pay for.” How many times have you saved a few bucks by going for the cheaper option only to have it backfire?
We are starting to see an emerging downward trend in the SOC 2 audit fees, reminiscent of a race to the bottom. There is no doubt that the rationale behind auditor pricing is mysterious—some auditors charge according to the number of controls, some charge according to the market, and others will lower fees due to back-end efficiencies or because they can outsource to skilled auditors internationally.
At Strike Graph, we pride ourselves on being auditor-agnostic, with no lead generation fees or side deals with auditors. The audit is meant to be independent, and we don’t want to pigeonhole our customers into a one-size-fits-all audit. We advise our customers to budget around $30k in audit fees for their first year and suggest they get quotes from three different firms. Some may find an auditor that charges half that budgeted amount, and if they get lucky, they get lucky.
But it is important to know what a $10k, $20k, or $30k SOC 2 audit will get you.
Ask yourself the following:
- Are you getting your SOC 2 to ‘check a box’? If you only need to make it through your customer’s procurement process then maybe a $10k audit will work.
- Will auditor ‘brand’ become important when you go upmarket? For example, your customers may not accept a SOC 2 report from a firm that they have never heard of, or your Board may insist that you go with a well-recognized audit firm. Imagine you are a sales executive and you have a verbal agreement on the biggest, highest-profile deal to date. You send over your SOC 2, issued by a firm they have never heard of, and all of a sudden you are asked to complete a full security review. The likelihood of this happening may be low, but the impact would be pulling your team away from key product initiatives.
- Can you trust that your auditor will be an expert in security best practices and that they will know the ins and outs of your industry? Will they answer your phone calls when you have a time-sensitive question? Will they be around for your audit next year? Consider who your customers are. Would they be more likely to choose your solution over a competitor's if you have a recognized auditor’s name attached to your report?
- Is the price low due to offshoring? Does this still justify a <$10k SOC 2? If your auditor is offshoring audit tasks, that is not necessarily a bad thing; there are excellent auditors all over the world. The issue is not quality, it’s nimbleness: will the logistics of managing a team across time zones lead to long delays in delivery? If you have a question that needs to be answered by 10am, will the auditor be unavailable until 6pm? Also, is the data that is being tested offshore going to remain confidential? Does your audit firm have controls in place to protect your data as it shoots around the world? (We sure hope so!)
At Strike Graph, we chose a SOC 2 auditor that was in the middle range of the fees we were quoted. We paid a bit more to have a well-respected regional firm with national brand recognition. We are able to converse openly and readily with them, and they have some expertise in both our industry and companies of our size and age. They are proving to be fantastic, knowledgeable partners in our SOC 2 and cyber security journey. We believe they are well worth the extra cost.
If a firm offers a fee that is ‘too good to be true’, ask yourself what you will be getting and if it will fit your current and future objectives. We believe that auditors are extremely valuable partners in your compliance journey. We also know that audits can be expensive and that is why we suggest you get a bid from at least three firms. Having a respected audit partner will be more valuable than simply checking a box in a procurement process. When selecting the final auditor make sure that you're optimizing for the best business outcome, whether that be cost, prestige, or a balanced strategy.
When calculating your all-in costs for achieving SOC 2 attestation (Note: when you see SOC 2 “certification,” attestation is actually what they are referring to), keep in mind that in addition to the costs associated with the audit, you should also consider designating someone from your organization to oversee the SOC 2 process. This should be someone who deeply understands your organization's policies and processes, and, at a minimum, this person should devote half of their time to the audit. This may mean hiring a new resource to assume some of their other responsibilities.
Finally, another cost to consider is training. This isn’t just a nice-to-have; it’s an actual requirement and needs to be completed annually. The time involved will obviously vary from organization to organization, depending on things like size and whether members of your staff are already up to speed on SOC 2 compliance. Just as designating someone to oversee the audit might result in a loss of productivity or the need for additional staff, ensuring that your staff is sufficiently trained may also mean a loss of productivity. Again, depending on your organization, you may also want to consider additional tools to help you streamline your SOC 2 program.
If this seems like a daunting undertaking, keep in mind that control requirements aside, these sorts of costs incurred on the front-end will pay off in the long term. Consider it an investment in your company as well as your customers, enabling you to respond more quickly and effectively to any issues or concerns as they relate to future SOC 2 audit requirements and reports.
Learn more about how Strike Graph can help you streamline your SOC 2 process, saving valuable time, money, and resources and setting you up for security success in the future.