When a company determines they need to obtain a SOC report, they usually ask one major question: How much will it cost?
The answer: It depends.
The effort needed to complete the engagement primarily drives the cost. Several factors impact the service auditor’s level of effort, including:
- Scope of the Assessment
- Type of Assessment
- Relationship with Subservice Organizations
Discussing these factors with potential service auditors increases the likelihood of being provided with an accurate price quote. While some service auditors will provide quotes without this information, price changes during the audit are more likely to occur.
Scope of the SOC Assessment
The primary factors affecting the scope of the SOC assessment include the SOC report type and the number of distinct systems, services and locations.
SOC Report Type
The number of control objectives or trust services criteria will impact the required level of effort and the associated cost.
SOC 1: Control Objectives
SOC 1 reports include transaction processing control objectives and IT general control objectives. For each control objective, the service auditor will evaluate the internal controls a company has in place to meet those objectives. The more control objectives needed, the more time and effort required by the service auditor.
SOC 2: Trust Services Criteria
SOC 2 reports use criteria predefined by the American Institute of Certified Public Accountants (AICPA). Companies determine which criteria are in scope based on their service commitments to customers. Similar to the SOC 1 report, the service auditor will evaluate the internal controls a company has in place to meet each criteria. The table below provides the number of criteria in each category:
|Number of Criteria
|Required / Optional
|Common Criteria (Security)
Number of Systems, Services and Locations
Typically, there is more than one business function or software application used by a company to provide services to their clients. The effort and cost of an audit go up as the number of distinct systems, services and locations increases. The location of your systems (on-prem or in a hosted environment like AWS) will also impact the audit effort. If the people, processes and technologies are different across these three, service auditors will need to assess the controls for each. Service auditors can combine and evaluate the controls in aggregate, if they are the same.
Type of SOC Assessment
There are two types of assessments for SOC: Type 1 and Type 2.
- A Type 1 report is of a point in time and only covers the design effectiveness of the internal controls that help to meet the control objectives or trust services criteria.
- A Type 2 report is over a period of time. It covers the design and the operating effectiveness of the internal controls that help meet the control objectives or trust services criteria.
Being the more in-depth audit, the Type 2 requires the most effort from the service auditor; making it more costly than the Type 1.
Relationship with Subservice Organizations
Many companies outsource aspects of their business activities to third-party vendors. The functions performed by these vendors assist the company in achieving service commitments to customers and are considered subservice organizations.
There are two methods for reporting subservice organizations in a SOC report: Carve-Out Reporting Method or Inclusive Reporting Method.
- In the Carve-Out Reporting Method, the control activities performed by the subservice organization are excluded from the scope of the report.
- With the Inclusive Reporting Method, the control activities performed by the subservice organization are included within the scope of the report.
The Inclusive Reporting Method can be thought of as effectively two SOC reports in one and generally requires extensive planning and communication between all parties involved (service auditor, company and subservice organization), which will lead to more effort incurred from the service auditor.
While cost is an important part of your compliance decision, your service auditor’s reputation, experience, approach and availability also directly contribute to the experience, success and timeliness of your SOC audit and report. Partnering with the best CPA for your company’s SOC reports matters!
The Moore Colson Risk Advisory and Compliance Services team are experts in SOC 1 and SOC 2 assessments and take a “client-sized” approach to your SOC needs. Please contact us to discuss your audit needs.