The greatest tennis player of all time, Serena Williams, once said, “everything comes at a cost. Just what are you willing to pay for it?”
Now, she wasn’t talking about compliance since she’s spent her entire career obliterating opponents on the court, but her question remains relevant to SOC audits.
There are so many factors that will affect just how your own SOC report will shape up—what kind of data you protect, what kind of assurance you’re trying to provide, what kind of time you have.
But let’s be honest, one of your biggest questions is whether or not this thing is going to fit in your budget. It’s less about what you’re willing to pay than what you can pay. And frankly, this is a number that’s difficult to pin down.
All those factors that we mentioned before—plus many others—play a part in figuring your SOC audit price. We speak from experience, given that Schellman has performed SOC examinations for almost two decades now and we’ve worked with all kinds of variables at all kinds of organizations that all ended up with different sums.
At the end of your budgeting process, your number will be unique too, but that doesn’t mean we can’t help you set some expectations ahead of time.
In this article, we will lay out our price ranges for typical SOC audits. But more than that, we will also explain three major factors that can determine your costs, up or down. Then, we’ll provide some tips on how to reduce your final price.
That way, when you do enter contract talks with your auditor, you won’t be blindsided in your discussions—you’ll already have an idea about where you should be on price and the specifics of your organization that will affect your final number.
What Does a SOC Report Cost?
We understand your anxiety about audit prices—costs affect everything in business. So, let’s take a stab at giving you a foundation to steady yourself, no matter if you pursue services with Schellman or not.
Here’s a range of what to expect at a baseline:
*These numbers are based on an application service provider hosted in a well-known cloud environment with a decided scope that only includes the required security criteria (for SOC 2) and no third parties. In other words, this is as limited in scope as possible, based on common scenarios. These are also assumed to be individually performed assessments and not part of a broader compliance program.
From the industry knowledge we’ve gleaned, that’s what you can expect to spend at a relatively bare minimum on a SOC audit.
Of course, there will also be pricing disparity among firms; you might also consider individual reputation and specializations when choosing an auditor. But what is it about your organization that can drive up your fees?
3 Factors That Will Drive Your SOC Audit Cost Up or Down
1. The Type of Project
If you opt for either a SOC 1 or SOC 2—likely, since these are two of the more popular examinations within the SOC reporting brand—you will need to choose which type of report you want as well.
For both SOC 1 and SOC 2, you have the choice of readiness, Type 1 or Type 2, and as you saw in the chart above, they cost different amounts.
Why? It’s about the effort involved. (This is a trend that’ll emerge among all the factors we’ll mention.)
We wrote extensively on the differences between Type 1 and Type 2 audits, but here is the rub. Being the more thorough audit, Type 2 requires the most investment from your auditors (and from you!), making it more expensive than the Type 1 and readiness assessment in comparison.
As it generally extends over a period of up to a year, with regular testing of your controls to monitor their ongoing effectiveness, a Type 2 takes more planning and preparation. It makes sense that opting for this route would add to your initial number.
A readiness assessment is only intended to help you plan and prepare for either a Type 1 examination or a Type 2 examination—it won’t suffice in providing assurances to your customers—and said Type 1 examination opines on the controls as of a single date in time.
Because they require considerably less time and effort from your assessor, you can expect those options to drive your costs down, though they may not suit your customers looking for the full Type 2 from you.
2. Which Control Objectives or Trust Service Categories Are Included
The number of control objectives (SOC 1) or trust services categories (SOC 2) will also determine the required level of effort.
SOC 1 Control Objectives
Most SOC 1 reports include a combination of general IT control objectives and transaction or business processing objectives. Your general IT controls could include aspects of the following:
- Logical access controls;
- Physical access controls; and
- Systems security management and monitoring, among others relevant to in-scope business processes.
Examples of business processing objectives commonly include:
- File or transaction input processing;
- Legal or liability management; and
- Information reporting.
For each control objective, your auditor will need to evaluate specific controls. More control objectives mean more controls, which means more time and effort from your auditor—and you.
You might also choose to include relevant controls from your third parties—but then, you may choose to exclude them from control evaluation as well. We call the latter the carve-out method and it’s by far the most common approach—not just because it helps drive down your costs.
SOC 2 Trust Service Categories
Rather than creating control objectives as in SOC 1, for your SOC 2 you will need to select which Trust Service Categories to include, and each contains predefined criteria.
Once you decide which categories are in-scope, your controls will be tested to ensure each of the selected criteria is achieved. The table below provides the number of criteria for each category:
Since the Common Criteria are required for all SOC 2 reports, your organization will be audited against 33 mini control objectives at a minimum. As you add more, the level of effort increases, and so will your cost.
3. Complexity and Size of Scope
Another big factor that can affect the price tag on your SOC examination is the complexity of your scope, i.e., the system or service you’re trying to have evaluated.
Common factors that affect said complexity include:
- Locations: The more facilities or locations where your in-scope processes take place, the greater the level of effort required of your auditor.
- Applications and Services: Oftentimes, there’s more than one application or business function that helps deliver the scoped service.
- For example, your “Hosted Medical Claims Processing Services” might include backend software, database, infrastructure, and various IT teams to manage the security of the environment, as well as claims management personnel to process, adjudicate, and report claim information.
- Moreover, if all this is done differently due to different regulatory requirements at each location, that adds to the complexity.
- Uniformity of Control Processes: The more consistent you can make your processes, the more cost-effective your audit.
- If your organization has three separate change management processes for applications, infrastructure, and configurations, then your “change management” will require three sets of control evaluations.
- Technology / Architecture: Are you in the cloud? That can help with pricing for audits.
- However, if you use a hybrid model—meaning partly in the cloud, partly on-premise—then both environments would need to be audited.
- If you operate in multiple clouds—perhaps in a combination of AWS, Azure, Rackspace, Google, Avaya, etc.—the same is true. More operating environments mean more auditing becomes necessary.
How to Reduce SOC Audit Costs
To help bring down your price, work with your service auditor to determine the complexity of your environment and look for any potential efficiencies. Reducing the number of controls to be evaluated, the third parties to be included, the service commitments you have made, and the system requirements to be considered will all lower the overall level of effort and the associated fees.
Additionally, combining a Readiness with a Type 1 and a Type 2 into a more strategic multi-year program will also generate cost savings through efficiency and know-how. We recommend this for SOC 2 in particular, and we commonly provide cost considerations for multi-year arrangements that allow us to partner more closely with clients throughout their compliance journey.
At this early stage, you should also consider whether you need, or may later need, to satisfy multiple compliance objectives beyond SOC. If you do, identify an audit provider that can meet all or many of those needs; packaging services can also sometimes help with cost reduction.
Next Steps for Your SOC Examination
Your mind is likely whirling, trying to understand how these variables apply to you. While cost plays arguably one of the largest parts of your compliance decisions, your end goal should also be to engage in the best project for you and your customers.
That’s why you need to ensure you get the right “bang for your buck.”
As you continue shaping what your SOC experience will look like, read our other content on the brand. These articles contain information that can help you make some decisions:
- 3 Benefits to Getting a SOC 2 Report
- How Long Will My SOC Examination Take?
- SOC 2 vs. SOC 3: Understand Your Options
With all this information in hand, you’ll be well-positioned heading into meetings with potential auditors, knowing exactly what services suit you and with set expectations on what you’ll need to budget to get it done.
About the author: Ryan Buckner