Choosing a SOC 2 Audit Firm
The reason for that is that the process of a SOC 2 exam is complex. Let’s just take the project management piece, and let’s say there are roughly 1,000 different tasks to complete – selecting the wrong person to direct this orchestra can make your life miserable.
Beyond project management, the SOC 2 process is filled with subjective technical decisions whose ramifications for your customers’ perception of you as a business can be significant. Part of the auditor’s role is to assess whether the identified control framework is sufficient to support the SOC 2 criteria – if the auditor does not have enough experience to understand what ‘sufficient’ means for your industry, your report may stick out like a sore thumb to those who know.
Your auditor is also responsible for deciding what evidence is sufficient to give them reasonable assurance. You’ll find there is a wide range of standards when it comes to how much evidence is enough.
Audit Firm Evaluation Criteria
You want to work with a firm that:
- Is not just checking the box – Someone who understands that the business comes first, and that compliance is just a way to talk about the things that are important to the business and their users.
- Is efficient – ask the auditor what the timeline for getting a report issued will be, and ask about each step in that timeline. They should be able to give you an estimate; if they can’t, that may be a red flag.
- Is communicative – you’ll be spending a good amount of time with these people, so ask the auditor what their communication plan is for project status and for any issues you need to be aware of (weekly syncs? A dashboard?).
- Speaks plain English – rather than AuditSpeak (vague or industry-specific terms that you don’t understand but that make them seem important).
- Uses effective platforms – ask the name of the software they use for the Evidence Request List, or better yet, ask for a five-minute demo. You will be spending a lot of time on this platform, and if it is not good, it will cause headaches and lost, never-to-be-recovered hours for your team.
- Uses straightforward pricing – ask them how they price engagements. What would cause them to raise fees, and at what point would that be communicated?
- Is reputable for your industry – do your report users expect to see a certain type of CPA firm on the report? If you don’t know, interview the customers/prospects/partners who are asking for your report.
- You can afford – Ask for an estimate of their fees. Hopefully they can provide you this on the initial phone call.
You might notice I stuck ‘fees’ at the bottom of the list. Fees are important. But far too often they are the primary driver in selecting an auditor, and the true downstream cost of this decision can be detrimental. If someone offers you a 50% discount on a bad investment, it’s still a bad investment.
How to Actually Find the Auditor
So now you know what to look for, but how do you actually find a real company that fits the bill?
Unfortunately there is no Yelp for professional services that delivers trustworthy reviews. Not that I’ve found, at least. So, you can:
- Ask a company you trust (maybe a partner of yours, an investor, etc.) that has done SOC 2 before who they use. Ask them detailed questions to find out whether that auditor would be a good fit for you.
- If you are working with a consultant to implement or manage your SOC controls, ask them who they would recommend.
- Once you have a few auditor candidates, review their websites to see if they are someone you would want to work with. For example, check out ours.
- Schedule a call with them (both to get to know them as a person, and to ask detailed questions about their process – and I mean detailed; a little discomfort here can save a lot later on).
Questions to Ask Prospective SOC 2 Audit Firms
Ask the following questions when you meet with prospective audit firms:
- Walk me through your project timeline
- Do you provide any project management services?
- Can you give me a demo of your audit platform?
- Are you familiar with [list your internal GRC platform]?
- Can I see a copy of your demo report to know what the “final product” will look like?
- What meetings would need to be scheduled throughout the whole process?
- What is your commitment to report issuance timing?
- Can I see a copy of your peer review letter?
- Will you be able to review my controls beforehand and let me know any gaps? (And is this included in your audit fees?)
- What are your audit fees? What circumstances would result in an increase in stated fees?
- What are your recommendations for scoping the audit based on my situation?
- Can you tell me who will be the team members scheduled on my audit? Where are they located? What type of technical audit and technology experience do they have?
- Who would be my main point of contact for the audit?
- What kind of response time do you commit to for questions that come up?
- To get a sense of how you evaluate the design of controls, what controls would you say need to be in place for security monitoring given our tech stack?
- To get a sense of how you evaluate the operating effectiveness of controls, can you give examples of common testing exceptions that occur in your projects? What about qualifying your opinion – what’s an example of a testing exception that might result in qualifying the report opinion?
Render Compliance vs. Other SOC 2 Audit Firms
How do we stack up? Here is how we rate ourselves against other firms on a Low / Medium / High scale, prepared as honestly as possible, across the following criteria:
- Report Quality
- Testing Robustness
- Project Management Experience
- Affordability
- Big Firm Credibility
- Sound Firm Reputation
- Auditor Technical Experience
- Technology Offered
- Speed