
3 risks of going with the low-cost SOC audit provider

Sep 23, 2020

If you’ve started to research SOC audit providers, you’ve probably noticed right away that one of the biggest differences between them is price. Some SOC auditors are priced much lower than others. Why is that? Are higher-cost providers delivering things that low-cost providers aren’t? Are there risks to going with a low-cost provider?

The short answer is, price isn’t the only difference between SOC exam providers. Here are three big benefits to going with a high-service provider:

1. High-service providers save you and your team significant time and effort

Everyone in business knows that employees don’t have much extra time on their hands. Day-to-day duties take up most of their day, and what extra time they do have is better spent on meeting core business priorities and goals.

Performing a SOC audit is a large time investment if your employees have to do the majority of the work themselves.

Often, low-cost providers require the client to identify what to test, provide them with samples, learn how to write the description of controls, write that description and then document the controls.

A high-service provider comes onsite to perform interviews with your employees, learn about your processes, help you identify your controls, help you prepare the description of the controls, audit the controls and then prepare the SOC report. This saves your employees a significant amount of time, allowing them to focus on your business instead.

2. High-service providers spend time onsite to perform the work and build a relationship with your organization

Whereas low-cost providers tend to perform most of their work remotely, a high-service provider comes onsite.

This allows them to observe the controls in operation, work with you to identify the best method to test the controls (instead of requiring you to provide this information on your own and without guidance), gain an in-depth understanding of your operations and establish a good working relationship with you. They’re even available as a resource to your organization throughout the year, not just when the SOC exam is underway.

Even with the COVID-19 pandemic temporarily moving SOC exams remote, high-service providers hold video meetings and interviews that allow them to gather necessary information and observe areas such as server rooms.

With a low-cost provider, you may find they spend minimal time with your organization, perform testing only on the documents and evidence you provide them and are not available to answer questions outside the SOC exam period.

3. High-service providers are committed to high quality

High-service providers are committed to delivering accurate, comprehensive SOC reports written by experienced personnel. They do not use subcontractors to perform SOC audits but rather full-time professionals trained specifically in SOC audit requirements. They also send management-level personnel onsite to help conduct the exam, lead the management discussion of findings and hold the exit meeting.

High-service providers also undergo a thorough peer review process by another CPA firm once every three years, as dictated by the AICPA, and measure up to stringent AICPA standards.

Plus, high-service providers are committed to value. While performing your SOC audit, they deliver additional feedback and recommendations for how to close any gaps they discover. Recommendations are extremely valuable to organizations, helping reduce your risk and providing a significant value-add to the traditional SOC audit. With a low-cost provider, you may find that you can check the box that a SOC audit was done, but you did not get additional value out of the time and money you invested in the process.

SOC audit cost vs. service

A SOC report is an important piece of assurance you provide your customers so they know their data is in safe hands. When your report is prepared by a high-service auditor, you gain added peace of mind that you’re receiving a high-quality report and added recommendations for how to reduce risk and close gaps in your internal controls.

While price is a big difference between high- and low-cost providers, so is the amount of time you’re putting into the process, and the service and value you’re receiving in return.


Durward J. Ferland, Jr., CISA, CISM, CRISC