
Who Can Perform a SOC 2 Audit?

Understanding who can conduct your SOC 2 audit and how to choose the right auditor is crucial for a successful compliance journey.

Key Takeaways

  • Who can audit: Only licensed CPA firms can perform SOC 2 audits and issue reports
  • Independence required: Auditors must be independent; your compliance platform cannot also be your auditor
  • Auditor types: Big Four ($50K-$150K+), National firms ($25K-$80K), Specialized SOC firms ($15K-$50K), Boutique ($10K-$35K)
  • Selection timeline: 4-5 weeks from shortlist to engagement
  • Key criteria: SOC 2 experience, industry expertise, pricing transparency, timeline availability

Quick Answer: Only licensed CPA firms can perform SOC 2 audits. For startups, specialized SOC 2 audit firms offer the best value at $15K-$50K for Type 2 audits.

The Short Answer

Only a licensed CPA firm can perform a SOC 2 audit and issue a SOC 2 report.

SOC 2 is an attestation standard developed by the American Institute of Certified Public Accountants (AICPA). By regulation, only licensed CPA firms can issue attestation reports under AICPA standards.

Understanding SOC 2 Auditors

What is a CPA Firm?

A Certified Public Accountant (CPA) firm is a business licensed to practice public accounting. For SOC 2 audits, the firm must:

  • Hold a valid CPA license
  • Comply with AICPA professional standards
  • Maintain independence from the organization being audited
  • Have qualified staff trained in SOC examinations

Auditor Independence

Independence is a critical requirement. Your auditor cannot:

  • Be employed by your company
  • Have financial interest in your company
  • Provide certain consulting services that would impair independence
  • Have close relationships with your management

This is why compliance platforms (like Bastion) and auditors are separate entities. We help you prepare, but we don't audit you.

Types of SOC 2 Auditors

Big Four Accounting Firms

Firms: Deloitte, PwC, EY, KPMG

Pros:

  • Highly recognized brand
  • Deep expertise
  • Global presence

Cons:

  • Very expensive ($50K-$150K+)
  • May deprioritize smaller clients
  • Less flexible

Best for: Large enterprises, public companies, highly regulated industries

National/Regional CPA Firms

Examples: BDO, Grant Thornton, RSM, Moss Adams, Armanino

Pros:

  • Strong reputation
  • Good expertise
  • More accessible than Big Four

Cons:

  • Still relatively expensive
  • May have waitlists
  • Variable quality across offices

Best for: Mid-market companies, growing scale-ups

Specialized SOC 2 Audit Firms

Examples: Schellman, A-LIGN, Johanson Group, Prescient Assurance

Pros:

  • SOC 2 specialists
  • Competitive pricing
  • Efficient processes
  • Tech-savvy

Cons:

  • Less brand recognition
  • Focused scope of services
  • May have capacity constraints

Best for: Startups, SaaS companies, tech-focused businesses

Boutique CPA Firms

Pros:

  • Most affordable
  • Personalized service
  • Flexible

Cons:

  • Variable quality
  • Limited capacity
  • May lack SOC 2 experience

Best for: Very early stage, budget-constrained companies

How to Choose an Auditor

Key Selection Criteria

1. SOC 2 Experience

Questions to ask:

  • How many SOC 2 audits do you complete annually?
  • What percentage of your practice is SOC examinations?
  • Do you have experience with companies like ours (size, industry)?

Red flags:

  • SOC 2 is a small part of their practice
  • Limited experience with your industry
  • Can't provide relevant references

2. Industry Expertise

Different industries have unique considerations:

  • SaaS: Cloud infrastructure experience
  • Fintech: Financial services knowledge
  • Healthcare: HIPAA familiarity
  • AI/ML: Understanding of AI systems

3. Pricing Transparency

Questions to ask:

  • What's the total fixed fee for the audit?
  • Are there additional charges for scope changes?
  • What's included vs. extra (e.g., management letters)?

Red flags:

  • Hourly billing with no cap
  • Vague "starting at" pricing with no firm total
  • Hidden fees for common activities

4. Timeline and Availability

Questions to ask:

  • When can you start our audit?
  • How long will the audit take?
  • What's your availability for questions during the year?

Red flags:

  • No availability for 3+ months
  • Unclear timeline commitments
  • Unresponsive during evaluation

5. Technology and Process

Questions to ask:

  • Do you support evidence collection platforms?
  • How do you prefer to receive evidence?
  • What's your process for managing requests?

Red flags:

  • Require everything via email attachments
  • No experience with compliance platforms
  • Manual, paper-heavy processes

6. References

Questions to ask references:

  • How was the audit process?
  • Were there any surprises?
  • Would you use them again?
  • How responsive were they to questions?

The Auditor Selection Process

Step 1: Create a Shortlist (Week 1)

Identify 3-5 potential auditors based on:

  • Recommendations from peers or your compliance platform
  • Industry experience
  • Size fit (don't engage Big Four if you're a 20-person startup)

Step 2: Request Proposals (Week 2)

Send each firm:

  • Company overview
  • Systems in scope
  • Desired Trust Services Criteria
  • Target audit timeline
  • Report type (Type 1 or Type 2)

Step 3: Evaluate Proposals (Week 3)

Compare based on:

  • Total cost (ensure apples-to-apples comparison)
  • Timeline fit
  • Experience relevance
  • Communication quality

Step 4: Conduct Interviews (Week 3-4)

Meet with top 2-3 candidates:

  • Assess communication style
  • Evaluate team assigned to your audit
  • Clarify any proposal questions
  • Check cultural fit

Step 5: Make Decision (Week 4)

Choose based on:

  • Best value (not necessarily cheapest)
  • Strongest experience fit
  • Best communication and responsiveness
  • Available timeline

Step 6: Engage and Schedule (Week 5)

  • Sign engagement letter
  • Schedule audit dates
  • Introduce audit team to your compliance team
  • Align on evidence delivery expectations

Cost Ranges by Auditor Type

  • Big Four: Type 1 $40K - $100K+; Type 2 $60K - $150K+
  • National Firms: Type 1 $25K - $50K; Type 2 $40K - $80K
  • Specialized SOC Firms: Type 1 $15K - $30K; Type 2 $25K - $50K
  • Boutique Firms: Type 1 $10K - $20K; Type 2 $18K - $35K

Note: Costs vary significantly based on scope, complexity, and location.

What to Expect from Your Auditor

Before the Audit

  • Engagement letter outlining scope and fees
  • Information request list
  • Kickoff meeting to align on process
  • Timeline and milestone expectations

During the Audit

  • Evidence requests (often via platform portal)
  • Walkthrough meetings for key controls
  • Questions and clarifications
  • Status updates on progress

After the Audit

  • Draft report for your review
  • Discussion of any findings or exceptions
  • Final report issuance
  • Management letter (if applicable)

Common Auditor Issues and Solutions

  • Auditor unresponsive: Set expectations upfront, escalate early
  • Excessive evidence requests: Use a compliance platform to organize evidence
  • Scope creep: Get a fixed-fee engagement, document scope clearly
  • Delayed report: Book an auditor with availability, provide evidence promptly
  • Unexpected findings: Do a readiness assessment before the audit

Working with Your Compliance Platform

How Bastion Helps with Auditors

Auditor Network

  • Vetted auditor recommendations
  • Negotiated rates with preferred partners
  • Introductions and coordination

Audit Preparation

  • Organized evidence repository
  • Auditor-friendly portal access
  • Control narratives and documentation

Audit Support

  • Answer auditor questions quickly
  • Coordinate evidence requests
  • Manage timeline and communication

You Still Choose and Pay

  • You select your auditor
  • You sign the engagement
  • You pay the auditor directly
  • Independence maintained

Questions Auditors Will Ask You

Be prepared to answer:

  1. What services are in scope for this audit?
  2. Who are the key personnel responsible for controls?
  3. What compliance platforms or tools do you use?
  4. Have there been any security incidents in the period?
  5. What changes have been made to systems or controls?
  6. Who are your key vendors and subprocessors?
  7. What is your risk assessment process?
  8. How do you monitor control effectiveness?
