SOC 2 attestation can only be performed by a licensed CPA firm — not by a security consulting firm, a GRC platform, or an ISO 27001 certification body. This is a legal and regulatory requirement: the AT-C Section 205 attestation standard under which SOC 2 reports are issued requires the engagement to be conducted by a member of the AICPA or an equivalent national CPA body. Selecting the right CPA firm is therefore one of the most consequential decisions in a SOC 2 program.
Accreditation Requirements
The SOC 2 auditor must be a licensed CPA firm with demonstrated SOC examination competency. In the United States, this means AICPA membership and, ideally, PCAOB registration for firms also conducting public company audits. For Indonesian organizations engaging a US-based or internationally recognized firm, verification of SOC examination experience is critical — not all international CPA offices have practitioners with SOC-specific competency.
| IMPORTANT | A cybersecurity consulting firm or GRC platform cannot issue a SOC 2 report, regardless of how it is marketed. “SOC 2-ready” assessments, readiness reports, and pre-audit gap analyses from non-CPA firms are valuable readiness tools, but they are not SOC 2 reports. Only a licensed CPA firm can issue the attestation report that clients request. |
Evaluation Criteria for Auditor Selection
| Criterion | What to Assess | Red Flag |
|---|---|---|
| SOC examination experience | Number of SOC 2 engagements completed; years of SOC examination practice; specific industry experience | Firm offers SOC 2 as a new or emerging service; cannot provide client references for completed SOC 2 engagements |
| Technical competency | Understanding of cloud infrastructure, SaaS architecture, and DevOps practices; ability to review cloud console configurations, IaC, and CI/CD pipeline controls | Auditors who rely entirely on questionnaires and are unfamiliar with cloud-native control environments |
| Communication style | Responsive during the sales process; clear about scope, timeline, and deliverables; provides a detailed engagement letter | Vague proposals that don’t specify observation period, testing scope, or report delivery timeline |
| Fee structure | Fixed-fee engagement preferred; clarity on what is included (fieldwork, management responses, follow-up queries) | Time-and-materials pricing without ceiling; extra fees for common scope items like cloud infrastructure review |
| Report quality | Request sample reports (redacted); assess the clarity and detail of control testing descriptions and exception reporting | Generic testing language; control descriptions that don’t reflect the actual technology tested |
| Independence | No consulting relationship that would impair independence; auditors cannot help implement controls they will later audit | Auditor also offering to “implement” your SOC 2 controls as part of the same engagement |
Readiness Consultants vs. Attestation Firms
The SOC 2 market has two distinct categories of service provider, and confusing them is a costly mistake. Attestation firms are CPA firms licensed to issue SOC 2 reports — they conduct the formal audit and produce the attestation. Readiness consultants (including GRC platforms like Vanta, Drata, and Secureframe, and security consulting firms) help organizations prepare for the audit but cannot conduct or issue it.
| BITLION INSIGHT | The most efficient SOC 2 program typically uses both: a GRC platform or readiness consultant to prepare the control environment, collect evidence, and conduct pre-audit gap analysis; and a CPA firm to conduct the formal attestation. The GRC platform reduces auditor time in fieldwork (because evidence is organized and accessible), which directly reduces attestation fees. Organizations that go directly to a CPA firm for both readiness and attestation typically pay 30–50% more than those who prepare through a platform first. |
Typical Fee Ranges (2026)
| Audit Type | Scope Complexity | Typical Fee Range (USD) |
|---|---|---|
| SOC 2 Type I | Single service, Security TSC only, small organization | $12,000 – $25,000 |
| SOC 2 Type I | Multiple services or TSC, mid-size organization | $20,000 – $40,000 |
| SOC 2 Type II (6-month) | Single service, Security + Availability TSC | $25,000 – $45,000 |
| SOC 2 Type II (12-month) | Single service, Security + Availability TSC, standard complexity | $35,000 – $65,000 |
| SOC 2 Type II (12-month) | Multiple services, 3+ TSC, complex cloud infrastructure | $60,000 – $120,000+ |
| Annual renewal (Type II) | Same scope as prior year, clean control environment | $25,000 – $50,000 (typically 20–30% less than initial year) |
Fees vary significantly by firm size, geographic location, engagement complexity, and the organization’s evidence quality. The single most effective way to reduce attestation fees is to enter the audit with well-organized, complete evidence — auditors bill by time, and time spent searching for evidence is time that could be spent on actual testing.