The Market Is More Complicated Than You Think
When Priya started looking for a SOC 2 auditor, she expected a simple procurement process. She found the opposite.
There were Big 4 firms quoting ₹45 lakhs. There were boutique CPA firms specialising in cloud companies quoting ₹12 lakhs. There were "SOC 2 readiness" platforms selling automation software. There were consultants who would "prepare" her for the audit but couldn't actually issue the report.
The SOC 2 audit market is crowded, uneven, and confusing. Here's how to navigate it.
First: Who Can Actually Issue a SOC 2 Report?
Only a licensed Certified Public Accountant (CPA) firm can issue a SOC 2 report. This is a legal requirement — the report is a formal attestation under professional auditing standards (AT-C Section 205).
This means:
- Technology vendors cannot issue SOC 2 reports (Drata, Vanta, Secureframe — these are readiness tools, not auditors)
- Individual consultants cannot issue SOC 2 reports unless they're a licensed CPA
- Non-CPA security firms cannot issue SOC 2 reports
The CPA firm issues the opinion. Everything else in the market is advisory.
The Three Tiers of Audit Firms
Tier 1: Big 4 (Deloitte, PwC, KPMG, EY)
Best for: Enterprise companies, regulated industries, companies where the brand name of the auditor matters to customers.
Reality check: They're expensive (₹40-80L for a typical Type II), slow to mobilise, and often not particularly attentive to smaller clients. Their associate-level auditors may have less SaaS industry experience than a smaller specialised firm.
When to choose them: Your customers require a Big 4 auditor explicitly. You're a large company where the cost is not a major factor.
Tier 2: Mid-Market CPA Firms (Schellman, Dansa D'Arata, Johanson Group, A-LIGN)
Best for: Growing SaaS companies, companies with $2M-$50M ARR, companies that want a quality report without Big 4 pricing.
These firms specialise heavily in SOC 2 and understand SaaS and cloud infrastructure well. Their audit teams are experienced, their processes are efficient, and their reports are widely accepted by enterprise buyers.
Typical cost: ₹15-30L for a well-prepared Type II.
Tier 3: Small CPA Firms and Regional Boutiques
Best for: Early-stage companies, Type I reports, companies where audit cost is highly constrained.
Watch out for: Firms without dedicated technology practice teams. An auditor who primarily does financial audits but "also does SOC 2" may produce a technically valid report but may not understand your cloud infrastructure or give you useful guidance.
Questions to Ask Every Auditor You Interview
1. How many SOC 2 audits has your firm completed in the last 12 months, specifically for cloud-based SaaS companies?
Look for: 20+ for a mid-market firm, 5+ for a boutique. Be skeptical of vague answers.
2. What AWS services do you typically see in SOC 2 scopes, and which ones create the most complexity?
A good answer will mention specific services (RDS, S3, EKS, Lambda) and discuss things like IAM permissions, CloudTrail logging, and VPC security groups. A vague answer suggests limited experience.
3. Do you provide readiness assessment services alongside the audit, and how does that process work?
Some firms will do a readiness review before the observation period starts. This is valuable — they can flag issues before they become audit findings.
4. What does your evidence collection process look like? What tools or platforms do you use?
Look for: structured evidence requests, a portal or shared folder system, clear timelines. Avoid: firms that just email you a big Excel spreadsheet and say "fill this in."
5. How do you handle exceptions that arise during the audit?
This is important. An auditor who says "we document everything we find" is being honest. An auditor who promises zero exceptions before even starting is either lying or planning to not test rigorously.
Red Flags That Should End the Conversation
🚩 They quote a firm price before seeing your scope. A quote should follow a scoping call, not precede it.
🚩 They can't explain what your key controls are or why they matter. If they can't speak to ●CC6.3 or ●CC8.1 in plain English, they don't understand what they're auditing.
🚩 They promise "guaranteed clean report." No legitimate auditor can guarantee findings before the audit starts.
🚩 They have no publicly available sample reports or client references. Every established firm should be able to provide anonymised samples or references.
🚩 Their turnaround time seems impossibly fast. A genuine SOC 2 Type II audit requires a real observation period. Anyone promising a Type II in 4 weeks is not doing a real audit.
The Readiness Platform Question
Vanta, Drata, Secureframe, and similar platforms are compliance automation tools. They help you collect evidence, track controls, and manage the compliance process. They do not issue SOC 2 reports — they partner with CPA firms who issue the reports.
Whether to use a readiness platform is a separate decision from choosing an auditor. The platforms can significantly reduce evidence collection burden, especially if you have limited compliance staff. But they add cost (typically $15,000-$30,000/year) and they work best with established cloud infrastructure.
Orion's decision: They skipped the platform for their first audit. Priya spent 6 hours a week on evidence collection herself, using a shared Google Drive folder and a structured evidence tracker. For a 12-person company, the platform cost wasn't justified. For companies with 50+ employees or multiple compliance frameworks, the platforms often pay for themselves.
What Comes Next
With their auditor selected (they went with a mid-market firm that specialised in SaaS — 3-week response times, experienced team, ₹19L for Type II), Orion moved into remediation. The highest priority item on their gap list: access controls. In the next post, we'll go deep on CC6 — the most heavily tested area in every SOC 2 audit.
Rishabh's take: I've worked with audit firms across all three tiers. My honest recommendation for most SaaS companies under $20M ARR: a specialist mid-market firm. Better attentiveness, more SaaS-relevant experience, and a third of the price. The report is equally accepted by enterprise buyers.