How to Choose a SOC 2 Audit Firm (with Vendor Scorecard Template)

Selecting the right partner to assist with SOC 2 compliance (or anything else) can be challenging. If you are trying to sort through the marketplace to select a vendor, here are a few considerations. You can also download our free vendor selection template here.

Vendor Scorecard Template
1| Experience

Assess resumes of the individuals who will be performing the audit (including those performing audit fieldwork).

Insight: Ask the vendor for the resumes of all individuals who will be performing audit fieldwork (not just the management team) and for the amount of time you can expect with the management team. Obtaining this type of commitment up front can help avoid a “resource bait and switch” later, where the senior team that sold the engagement is replaced by junior staff once fieldwork begins.

2| Qualification

Does the audit team have the relevant background and certifications to perform the work for your firm? Are their current or previous clients raving fans?

Insight: Firms that have experience with similar clients in your industry are more likely to understand your systems and controls, and may be able to perform higher quality work.

3| Project Fit

How will the firm accomplish our mission? Do they align with us culturally? Do they get it?

Insight: Sometimes “project fit” is more a matter of judgement than anything quantifiable. Start by reviewing their proposal, prior deliverables, and intangibles like responsiveness, flexibility, and a desire to win your business.

4| Audit Software or Tools

How will the firm actually perform the audit fieldwork? How will they request audit documentation and communicate with the team, and will the process be a burden to our company?

Insight: Audit fieldwork is often performed via email communication and spreadsheets. Overall, this is ineffective and inefficient. Costs go well beyond audit fees and creep into operational disruption. At risk3sixty, for example, we use Phalanx GRC to cut audit time in half and make the audit process easy for all stakeholders.

5| Price

Are prices competitive with the market? Are you getting a good value?

Insight: Consider overall value in addition to cost. Also, consider the total cost of the audit process over 2 or 3 years, not just year one. SOC 2 audits are annual, so the picture is often clearer when you look at cost over a couple of years rather than year one alone. Hint: when using the same audit firm, there is much efficiency to be gained over time, because the auditor already understands your environment and controls. If you are not realizing pricing efficiencies over time, it may be time to start asking questions.

Let’s Get Started

If you are considering SOC 2 compliance please contact one of our professionals and find out how we stack up.
