Every year, thousands of companies sign a SOC 2 engagement letter without understanding what they're actually buying — and who's actually doing the work. Platforms like Drata and Vanta have made compliance readiness faster: they automate evidence collection, flag control gaps, and generate the policies auditors want to see. But none of them can issue a SOC 2 report. That still requires an independent, licensed CPA firm — and the difference between a rigorous firm and a rubber-stamp one shows up months later, when a prospect's security team pokes holes in your report during due diligence.
Choosing that firm is a decision most founders and compliance leads make once every year or two, with little basis for comparison. Below is a concrete framework — with real numbers, timelines, and red flags — for picking a SOC 2 auditor, plus where a compliance automation platform (whichever one you use) fits into the process.
Is a compliance automation platform the same thing as a SOC 2 auditor?
No — and conflating the two is the single most common mistake first-time buyers make. Drata, Vanta, and similar platforms sell software that maps your infrastructure to Trust Services Criteria, pulls evidence via API (AWS config, GitHub branch protection, HR onboarding records, etc.), and tracks control status on a dashboard. That's readiness tooling. The actual SOC 2 examination — the report with an opinion letter that your customers' security teams will read — can only be issued by a licensed CPA firm registered with the AICPA, because SOC 2 is an attestation standard (AT-C 105/205) governed by CPA licensure rules, not a certification any vendor can hand out. Drata's own marketing has, at times, blurred this line by bundling a referral network of "auditor partners," which is fine, but it means the platform vendor and the audit firm are two separate contracts, two separate invoices, and two separate scopes of liability. Budget for both.
What licensing and peer-review credentials should the firm actually have?
At minimum, the firm must be a CPA firm licensed in at least one U.S. state and enrolled in the AICPA Peer Review Program, which requires an independent review of audit quality every three years. Ask for the firm's most recent peer review report — a "pass with deficiency" or "fail" rating is a disqualifying red flag, not a technicality. Also check how many practitioners on the engagement hold a CISA, CISSP, or CPA-with-IT-audit specialization; a two-person shop where the sole reviewer is also the sole fieldwork tester has no meaningful separation of duties, which is ironic for a security audit. Firms like A-LIGN, Prescient Assurance, Johanson Group, and Sensiba each publish peer review results and staff credentials on request — if a firm hesitates to share theirs, that's your answer.
How many SOC 2 engagements has the firm completed in the last 12 months, and in your specific industry?
Volume and vertical experience matter more than brand name. A firm that has run 15 SOC 2 Type II audits in the past year for seed-stage SaaS companies will move faster and ask sharper questions than a generalist firm that mostly audits SOC 1 financial controls and picked up SOC 2 as a side offering in 2023. Ask directly: "How many SOC 2 reports did you issue in the last 12 months, and how many were for companies under 100 employees using AWS or GCP?" A firm that can answer with specifics (e.g., "42 reports, 30 for companies under 200 employees, mostly multi-tenant SaaS") has the pattern-matching to spot when your control design won't hold up, rather than discovering it during fieldwork three weeks before your deadline.
Should you start with a Type I or Type II report, and how long should the observation window be?
Start with Type I only if you have a hard, immovable deadline — like a prospect requiring proof of a control framework within 30 days — because Type I only attests that controls are designed correctly on a single point-in-time date, not that they operated effectively. Type II, which most enterprise buyers actually require, examines control operation over an observation window, typically 3 months for a first audit and 6–12 months for renewals. A firm pushing you toward a 12-month Type II for your very first audit is optimizing for their own fee size, not your sales cycle — a 3-month initial window followed by a 12-month renewal the following year is the standard, sensible path recommended by most AICPA guidance and used by the majority of first-time SOC 2 companies.
What does the engagement actually cost, and what drives the price variance?
Expect a real range of $10,000–$60,000 for the audit fee alone, separate from any automation platform subscription (Drata and comparable platforms typically run $7,000–$25,000/year depending on tier and headcount). The variance inside that audit-fee range is driven by three factors: number of Trust Services Criteria in scope (Security alone vs. Security + Availability + Confidentiality adds real fieldwork hours), number of in-scope systems and locations, and whether the firm bills fixed-fee or time-and-materials. Insist on a fixed-fee engagement letter with a clearly enumerated scope — time-and-materials SOC 2 engagements are notorious for ballooning 40–60% over the initial quote once "additional evidence requests" start piling up in month two.
How well does the auditor work with the evidence and tooling you already have?
A good auditor should be able to pull directly from your automation platform's evidence repository — whether that's Drata, Vanta, Secureframe, or Safeguard — rather than requesting a fresh spreadsheet export for every control. Ask for a sample "evidence request list" (ERL) from a past engagement and check whether it references API-pulled, timestamped evidence or manual screenshots; the former shortens fieldwork from the typical 4–6 weeks down to 2–3 weeks because the auditor isn't waiting on your team to hunt down artifacts. Also confirm the firm has audited companies using your specific automation platform before — an auditor unfamiliar with how Drata structures its control mappings will spend billable hours reverse-engineering the dashboard instead of testing controls, and that time gets passed to you as scope creep.
How Safeguard Helps
Safeguard focuses on the part of SOC 2 readiness that generic compliance platforms often treat as a checkbox: software supply chain security controls (CC6, CC7, and CC8 under the Trust Services Criteria) — SBOM generation, dependency vulnerability tracking, build provenance, and CI/CD pipeline attestation. Where platforms like Drata are strong on HR, access control, and infrastructure-config evidence, they largely rely on manual uploads or shallow integrations for artifact-level supply chain evidence, which is increasingly the section auditors scrutinize most closely after high-profile incidents involving compromised build pipelines and unverified third-party packages.
Safeguard continuously generates the SBOMs, vulnerability scan results, and signed build attestations your auditor will ask for under change-management and system-monitoring criteria, and packages them in the timestamped, API-exportable format auditors prefer over static screenshots. That means fewer follow-up evidence requests during fieldwork, a tighter observation window, and a report your engineering-savvy prospects will actually trust when it lands in their vendor security review queue. If you're evaluating auditors this quarter, run your shortlist through the questions above first — then talk to us about closing the supply chain gap before fieldwork starts, not during it.