How to choose a SOC 2 auditor
A SOC 2 audit is how you prove to your customers that your security controls actually work. Choosing the right auditor matters more than most people realize: the cheapest firm often delivers a report your customers won't accept. Here's a practical approach.
1. Decide Type 1 vs Type 2 first
Before you talk to auditors, decide which report type you need. A Type 1 report tests the design of your controls at a point in time. A Type 2 report tests the operating effectiveness of your controls over a period (3, 6, or 12 months).
Most customers and prospects expect a Type 2. If you're doing SOC 2 because enterprise customers are asking for it, they almost always want Type 2. Type 1 is fine for a first-time audit if you need to ship something quickly, but plan to upgrade to Type 2 within 12 months.
2. Check that the firm is a licensed CPA firm
SOC 2 audits can only be issued by a licensed CPA firm — it's an AICPA requirement, not a preference. Any firm that offers SOC 2 audits without being a licensed CPA firm is issuing something other than a SOC 2 attestation report, and your customers may not accept it.
Verify that the firm is licensed as a CPA firm in the state (or jurisdiction) where it issues the report. The Big 4 and large national firms are obviously fine. For smaller firms, ask for the license number.
3. Look for platform experience
Modern SOC 2 audits rely heavily on cloud-platform evidence: AWS CloudTrail, GCP audit logs, Azure AD sign-in logs, GitHub commit history, Vanta/Drata/Secureframe evidence exports. An auditor who knows your stack will spend less billable time on discovery and more time on judgment.
Ask whether they've audited companies running your stack. If you run a modern SaaS on AWS, you want a firm that does 50+ of those per year.
4. The big 4 vs boutique tradeoff
Big 4 firms (Deloitte, PwC, EY, KPMG) and other large national firms charge more — sometimes 3-5x — and the deliverable is the same. For most early-stage and growth-stage companies, a boutique CPA firm specializing in SOC 2 delivers more value:
- Partner-level attention on every engagement
- Faster scheduling (often 2-4 weeks vs 8-12 weeks)
- Lower fixed fees ($15-30k Type 1, $25-50k Type 2 typical)
- Better fit for a modern SaaS tech stack
The exception: if you're pre-IPO, in regulated industries, or your customers explicitly name a Big 4 firm as a requirement, the brand recognition matters.
5. Get a fixed-fee quote
Most reputable SOC 2 firms offer a fixed fee for a defined scope. The fee is based on:
- Type 1 vs Type 2
- Number of in-scope systems and Trust Services Criteria
- Observation period length (3, 6, or 12 months for Type 2)
- Whether the firm is doing the readiness assessment too
Avoid time-and-materials quotes without a cap. SOC 2 scope creep is real (you add an AWS account, you add a Trust Services Criterion), and open-ended billing can double your expected cost.
6. Ask about evidence collection
Modern SOC 2 audits are evidence-driven. The auditor will need hundreds of screenshots and log exports over the observation period. Ask:
- Do you accept evidence exported from Vanta / Drata / Secureframe / Tugboat?
- Do you have a portal for evidence collection, or is it email + Google Drive?
- How many evidence requests will you send during fieldwork?
If the answer to the first question is "no", pick another firm. The compliance automation tools (Vanta, Drata, Secureframe) are industry standard; firms that don't accept their exports are usually behind on tooling.
7. Understand the report delivery format
The deliverable is a SOC 2 report, typically 30-80 pages. Ask whether the firm will issue it as a PDF only, or whether they have a portal for secure distribution. The latter is becoming table stakes for enterprise sales teams that need to share the report with hundreds of customers under NDA.
8. Plan the observation window
For Type 2, the observation window is the time period the auditor tests. Common windows:
- 3 months — minimum, acceptable for early-stage companies
- 6 months — standard, expected by most enterprise customers
- 12 months — annual cycle, used by mature companies that re-issue yearly
The longer the window, the more evidence you need, but the stronger the report. If you can do 6 months, do 6 months.
Common mistakes to avoid
- Skipping readiness. Most first-time SOC 2 engagements need 4-8 weeks of readiness work before the audit window opens. Skipping it means findings during fieldwork, which delays the report and costs more in remediation.
- Choosing a non-CPA firm. Some consultancies offer "SOC 2 readiness audits" and call them audits. They are not. Make sure the firm is a licensed CPA firm and the report is the real AICPA SOC 2 report.
- Underestimating the evidence burden. A typical SOC 2 Type 2 requires 500+ evidence items over the observation window. Budget for the team time to collect and upload them, or budget for a compliance automation tool ($8-25k/yr) to do the heavy lifting.
- Not specifying the in-scope TSCs. The default is Security. Adding Availability, Processing Integrity, Confidentiality, or Privacy increases cost. Only add what your customers actually need.
What to ask in your first call
- Are you a licensed CPA firm? In which jurisdictions?
- How many SOC 2 Type 2 audits did your team complete in the last 12 months?
- What's a typical fixed-fee range for a company at our stage?
- Do you accept evidence from Vanta / Drata / Secureframe?
- Can you give me two references in [your industry]?
Ready to start?
Browse the SOC 2 auditor directory for a list of firms that issue SOC 2 reports. For background reading, see the FAQ for common questions about cost, timeline, and Type 1 vs Type 2.