How Much Will Your Audit Cost?

If you’ve ever been told by your customers or stakeholders that you need to conduct some kind of external audit to win or keep their business, the first question that likely came to mind was, “How much will that cost?” The initial answer, at least, is that it depends.

Whether it's an ISO 27001 certification, a SOC 2 examination, or a FedRAMP assessment, organizations often face a challenge in balancing that customer requirement while ensuring a good return on what will surely be a large investment.

This is made all the more complicated as different assessments have different costs and different firms offer different prices ranges, but even still, there is a set of consistent elements that will affect your final audit cost—no matter the standard or type—as well as different factors to consider before moving forward with your chosen assessment firm.

As one of your options in said assessment firms, we’re going to lay out those cost-affecting elements before providing a quick look at our pricing model and some things to look out for when discussing this critical investment.

While you will eventually have to work out the particulars with the firm you do choose to engage with, you’ll enter those negotiation conversations with more realistic expectations and be in for less of a shock when you hear the initial numbers.

3 Factors That Will Affect Your Audit Price

When undertaking a compliance effort, three big details will factor into your final price:

1. Customer Commitments
2. Scope
3. Timing

1. Customer Commitments

Your compliance journey likely started because of a customer request, and their desires are the first thing that will affect your audit cost because they know exactly what specific assessment and deliverable they want.

Depending on what sector you’re in or what services/products you provide, customer commitments can take different forms—these may translate into specific compliance standards (like PCI DSS) or more general control requirements for security awareness, passwords, encryption, or multifactor authentication.

Your customers may know that they want to see a SOC 2 report or an ISO 27001 certification from you, but oftentimes, we find that—despite requesting it of you—they may not fully understand the differences between some of the assessments available. As such, it’s best to clarify their needs and expectations before heading down a particular path.

2. Scoping

Once you’ve nailed down what security standard you need, the next key factor in audit price will always be the scope of the assessment, and—at least at Schellman—you can get a sense of what yours will be by:

• Completing a scoping exercise (i.e., a questionnaire); or
• Having a conversation with one of our subject matter experts.

In some instances, both are required–the ANSI National Accreditation Board (ANAB) mandates both happen ahead of an ISO 27001 certification, for example. Elements of your scope may include:

• Number and nature of covered lines of businesses
• Number of covered applications
• Technology footprint in terms of the approximate number of system components
• Number of locations that require an on-site visit (e.g., just the physical office or remote employees when the application is hosted by a cloud provider)
• Number of persons covered by the scope of the audit (required for ISO)
• Approximate number of persons to be interacted with during the assessment

No matter if you elect to proceed with an ISO 27001 certification, a PCI attestation, SOC 2 report, or another option, the expectation will be that the scope of your assessment matches the service components and commitments to your customers.

3. Timing

And finally, timing constraints will also affect your final audit price.

In many cases, your time to market and/or a revenue-generating deal depends on the timely completion of an assessment—any rush may also impact your choice in initial audits (e.g., a Type 1 SOC 2 report can typically be executed faster than its counterparts).

But assessments take time and pressing your assessment firm for a tighter squeeze in scheduling so you can satisfy customer or market demands could result in your fees being driven up.

What Will Your Schellman Assessment Cost?

These elements will all likely affect your final audit cost no matter who you choose to partner with, but should you be considering Schellman among your potential options, here’s what you need to know about our pricing model.

Schellman’s Assessment Pricing Model

Schellman performs thousands of different assessments annually, and they usually shake out like this:

• 1,500+ SOC examinations
• 400+ ISO certification projects
• 200+ PCI assessment projects
• 250+ penetration tests
• 100+ FedRAMP assessments

Based on this extensive experience, we’ve become very proficient in approximating the level of effort associated with a wide range of detailed scoping scenarios—for instance, we generally know how many auditor weeks are required for a SOC 2 for a single application that is hosted at a cloud hosting provider like AWS and supported by approximately 20 engineers.

Combining these historical project statistics with the data we gather in our initial scoping discussion with you allows us to provide outcome-based fixed-fee arrangements confidently and consistently. And while we usually get it right, when we don’t, we learn and adjust appropriately.

How Does Schellman’s Pricing Compare With Competitors?

When stacking our model against our fellows regarding the cheaper option, it’s easy for us to say, “We’re more than some, less than others,” but the answer really is that “it depends.”

Though Schellman neither has the overhead of a Big 4 firm nor the financial debt or overhead of a funded company—which allows us a flexible financial structure—we do only hire experienced people and we compensate them well so we can deliver the highest quality assessments to our clients.

So, while our prices often come in less than those of the Big 4, we are commonly more expensive than more comparable smaller firms (that hire less experienced people).  

Things to Look Out For When Choosing an Audit Firm

That being said, we know the most appealing first option is always going to be the cheapest, but before you pull that trigger, there is something you should know.

We often hear stories of prospective clients going with low-cost providers that use low fees to get in the door but two things usually happen:

• The firm later issue multiple amendments to the original contract, effectively eliminating the cost savings that was pitched in the first place; and
• The team is relatively inexperienced, which ultimately results in having to redo a lot of your original work—a lot of times with a new audit firm you’ll need to bring in.

(In contrast, at Schellman, the number of amendments we execute on our agreements after engaging a client is less than 5% and most of these changes are due to a scope expansion requested by the client.)

Moving Forward with Your Chosen Cybersecurity Assessment

When tasked with obtaining a compliance report, the first burning question is always, “How much will my audit cost?” Unfortunately, that’s a complicated question, but at least you now understand what key factors will definitely play into your final audit price, as well as some considerations to make before choosing a provider.

To supplement what you now know, check out our other content that can shed more light on choosing both the best assessment firm for you:

• 3 Questions to Ask Your Single-Provider Cybersecurity Firm
• Return on Investment in Audit and Compliance
• Schellman vs. Other Single-Provider Cybersecurity Services Firms

And, if you’re interested in further considering Schellman as your trusted compliance partner, you can get started by contacting our team, who are ready to answer any questions you may have, including those surrounding your requirements and what level of care and diligence you will expect from us as assessors.