SOC 2 audit fees typically range from $15,000–$40,000+ depending on scope, the number of Trust Services Categories, your environment’s complexity, and whether a readiness assessment is included. We provide fixed-fee, all-inclusive proposals after a discovery call — no hourly billing, no change orders for standard scope.
A SOC 2 Type I typically takes 8–12 weeks from engagement start to report delivery, assuming your controls are substantially in place. A Type II audit requires an observation period of at least 6 months before fieldwork begins; total elapsed time from kickoff to report is typically 12–18 months for a first engagement.
SOC 2 is a U.S.-based audit framework governed by the AICPA that produces an audit report, widely required by U.S.-headquartered enterprise buyers. ISO 27001 is an internationally recognized certification standard that results in a formal certificate issued by an accredited certification body. Many technology companies with global enterprise customers pursue both.
A readiness assessment is a structured review of your current controls against the target framework criteria, conducted before the formal audit begins. It surfaces gaps that would become findings during the audit, lets you remediate on your own timeline, and results in a significantly smoother audit process. We almost always recommend a readiness assessment for first-time SOC 2 and ISO 27001 clients.
If you have a functioning cloud environment, a defined set of security policies, and basic access controls in place, you’re likely ready to at least start a readiness assessment. You don’t need to have perfect controls before engaging an auditor — that’s what the readiness assessment is for.
More than most vendors will admit. A well-run SOC 2 or ISO 27001 engagement requires meaningful time from your engineering, security, and operations teams — typically 5–15 hours per week during active fieldwork phases. We structure our evidence requests to minimize burden and avoid redundant requests.
Yes. The Security category (Common Criteria) is required in every SOC 2 engagement. All other categories — Availability, Processing Integrity, Confidentiality, and Privacy — are optional and should be included only if they are relevant to the services you provide and the commitments you’ve made to customers.
Your signed report can be shared with current and prospective customers as a security assurance artifact — typically under NDA. A clean Type II report with no exceptions is the most compelling outcome. We also stay available after delivery to help you respond to technical questions from customer security teams.
Look for three things: independence (the firm should have no financial interest in your technology or implementation outcomes), technical depth (auditors should understand cloud infrastructure, not just accounting standards), and partner involvement (you should deal directly with the person issuing the opinion). Ask specifically who will lead your engagement from start to finish before signing an engagement letter.
Yes. While Bodnar & Co. is a U.S.-licensed CPA firm, we serve technology companies headquartered globally, including clients in Canada, the United Kingdom, the European Union, and beyond. SOC 2 is an AICPA standard; ISO 27001 is inherently international.