Pricing for a SOC 2 audit depends on scoping factors, including business applications, technology platforms, physical locations, third parties, audit frequency, and the Trust Services Criteria to be included in the audit. Pricing will also vary based on the report type you choose, inclusion of a gap analysis, or inclusion of additional remediation time.

The SOC 2 audit typically consists of the following:

• Gap analysis
• Scoping exercises
• Onsite visit
• Evidence gathering period
• A SOC 2 report

The SOC 2 audit process must be facilitated by licensed CPA firms.

The average SOC 2 audit can take anywhere from weeks to months, depending on your level of preparedness and staff’s availability for interviews and control demonstration. To satisfy the AICPA requirements for an engagement, the auditor must validate scope, perform testing procedures, and document conclusions. These steps require time from the service organization’s management, which can be compressed or extended to meet your timeline needs. You can save time by leveraging the Online Audit Manager to maintain the audit evidence you need for compliance.

A SOC 2 audit culminates in a SOC 2 report. The components and formatting of SOC 2 reports delivered by KirkpatrickPrice are based on guidelines provided by the AICPA and written by our in-house Professional Writing team. SOC 2 reports provide a service organization’s clients with documentation outlining their system and controls, demonstrating how client information is maintained in a secure manner, and aides clients in performing their evaluation of the effectiveness of controls that may require their administration.

SOC 2 reports cover a period in the past. Typically, your clients will not accept a report issued more than 12 months ago because they want your testing to be relevant for their own audit period.

A SOC 2 Type I audit may be performed initially but then replaced with a subsequent SOC 2 Type II audit. Because the Type II report covers a period of time in the past, it is recommended that you perform a new engagement that picks up at the date of your last period. Maintaining an audit process that covers each fiscal year will demonstrate a commitment to compliance and ongoing testing of controls, which ultimately contributes to the health of your organization.

In every SOC 2 engagement, the Auditor is required by the AICPA to maintain communication with management and those charged with governance from the service organization. Other team members involved in the audit could come from anywhere in your organization, ranging from human resources to development to compliance officers – anyone with the appropriate responsibilities for and knowledge of the matters concerned in the audit.

SOC 2 audits are regulated by the American Institute of Certified Public Accountants (AICPA) and must be completed by an external auditor from a licensed CPA firm.

When you receive a SOC 2 audit, you’ll receive an opinion that speaks to the operating effectiveness and design of your organization’s security program. In your audit report each control objective will outline if there were any exceptions found during testing. An exception represents the area of a control or practice that is not operating according to an organization’s own policies or industry standards and frameworks. Exceptions allow organizations to double check themselves against the controls required of them and to implement improvements to their overall security and compliance program.