Your SOC 2 report is only as credible as the firm that signs it. Choosing the right auditor affects your cost, your timeline, and how much your prospects trust the result. Here’s how to find and vet one.
Who can issue a SOC 2 report
A SOC 2 report is an attestation engagement performed under AICPA standards by a licensed CPA firm. Compliance-automation vendors and consultants can help you prepare, but they cannot issue the report; only the CPA firm can. Before engaging anyone, confirm the firm holds a current CPA license in good standing with its state board of accountancy, and ask whether it is enrolled in the AICPA peer review program that covers firms performing attestation work.
Where to find candidates
- Referrals from peer companies who recently completed SOC 2 — the single best source.
- Your compliance platform’s partner list, if it has one.
- Your investors and design partners — they’ve often been through it.
- Professional directories of CPA firms that specialize in SOC examinations.
Aim to talk to two or three firms so you can compare scope, price, and fit.
Questions to ask
- How many SOC 2 reports do you issue a year, for companies our size and industry? You want someone fluent in startups, not a generalist doing their third one.
- What’s the timeline from kickoff to report, and what drives it?
- Type I, Type II, or both? A Type I covers control design at a single point in time; a Type II also tests operating effectiveness over an observation period, commonly three to twelve months. What observation window do you recommend for a first report?
- What does the evidence process look like? Do you work from a platform, a shared drive, or screen-share sessions?
- Who actually does the fieldwork — a partner, or junior staff you’ll be coaching?
- What’s included — the readiness/gap assessment, or just the examination?
- How do you handle exceptions if a control slips during the window? Exceptions don't automatically sink the report, but they are disclosed in it, so ask how the firm evaluates them and how a management response is presented.
What good looks like
A good auditor is responsive, opinionated, and pragmatic. They tell you when a control is over-engineered for your size, help you scope sensibly, and explain why they’re asking for a piece of evidence. They’ll happily work from your compliance platform’s exports rather than making you assemble everything by hand.
Red flags
- A “guaranteed pass.” SOC 2 is an opinion on whether your controls are suitably designed (and, for a Type II, operating effectively), with any exceptions disclosed; it is not pass/fail. Anyone promising a specific outcome misunderstands the product, or is selling something.
- The same firm designing or operating your controls and then auditing them. A gap assessment that tells you what's missing is normal; having the firm's consulting arm build the controls it then examines compromises its independence and undermines the report.
- No references they’ll let you talk to.
- Opaque pricing or scope that balloons after signing.
- Extremely low cost. A rock-bottom price often means a thin report enterprise buyers won’t respect.
A note on independence and cost
Keep your preparation and your examination cleanly separated. It’s completely normal to use a compliance platform to build and evidence your controls, and a separate CPA firm to audit them — in fact that’s the healthy model. What you want to avoid is one party grading its own homework.
For what to expect on price, read what a SOC 2 audit costs.
How Keel helps
Keel is your preparation layer: it builds and maps your controls, collects evidence continuously, and exports clean, auditor-legible readiness reports — so whichever CPA firm you choose, fieldwork is fast and cheap. We stay independent of the audit itself, by design.
Start free and get audit-ready before you even sign the engagement letter.