There is some truth to the adage, “You get what you pay for.” How many times have you saved a few bucks by going for the cheaper option only to have it backfire?
We are starting to see an emerging downward trend in SOC 2 audit fees, reminiscent of a race to the bottom. There is no doubt that the rationale behind auditor pricing is mysterious - some auditors charge according to the number of controls, some charge according to the market, and others will lower fees due to back-end efficiencies or because they can outsource to skilled auditors internationally.
At Strike Graph, we pride ourselves on being auditor-agnostic, with no lead generation fees or side deals with auditors. The audit is meant to be independent, and we don’t want to pigeonhole our customers into a one-size-fits-all audit. We advise our customers to budget around $30k in audit fees for their first year, and suggest they get quotes from three different firms. Some may find an auditor that charges half that budgeted amount, and if they get lucky, they get lucky.
But it is important to know what a $10k, $20k or $30k SOC 2 audit will get you.
Ask yourself the following:
- Are you getting your SOC 2 to ‘check a box’? If you only need to make it through your customer’s procurement process then maybe a $10k audit will work.
- Will auditor ‘brand’ become important when you go upmarket? For example, your customers may not accept a SOC 2 report from a firm that they have never heard of, or your Board may insist that you go with a well-recognized audit firm. Imagine you are a sales executive and you have a verbal agreement on the biggest, most high-profile deal to date. You send over your SOC 2, issued by a firm they have never heard of, and all of a sudden you are asked to complete a full security review. The likelihood of this happening may be low, but the impact would be pulling your team away from key product initiatives.
- Can you trust that your auditor will be an expert in security best practices and will know the ins and outs of your industry? Will they answer your phone calls when you have a time-sensitive question? Will they be around for your audit next year? Consider who your customers are. Would they be more likely to choose your solution over a competitor's if you have a recognized auditor’s name attached to your report?
- Is the price low due to offshoring? Does this still justify a <$10k SOC 2? If your auditor is offshoring audit tasks, that is not necessarily a bad thing - there are excellent auditors all over the world. The issue is not quality, it’s nimbleness - will the logistics of managing a team across time zones lead to long delays and delivery times? If you have a question that needs to be answered by 10am, will the auditor be unavailable until 6pm? Also, is the data being tested offshore going to remain confidential? Does your audit firm have controls in place to protect your data as it shoots around the world? (We sure hope so!)
At Strike Graph, we chose a SOC 2 auditor that was in the middle range of the fees we were quoted. We paid a bit more to have a well-respected regional firm with national brand recognition. We are able to converse openly and readily with them, and they have expertise in both our industry and companies of our size and age. They are proving to be fantastic, knowledgeable partners in our SOC 2 and cybersecurity journey. We believe they are well worth the extra cost.
If a firm offers a fee that is ‘too good to be true’, ask yourself what you will be getting and whether it will fit your current and future objectives. We believe that auditors are extremely valuable partners in your compliance journey. We also know that audits can be expensive, and that is why we suggest you get a bid from at least three firms. Having a respected audit partner will be more valuable than simply checking a box in a procurement process. When selecting the final auditor, make sure that you're optimizing for the best business outcome, whether that be cost, prestige or a balanced strategy.