The Smart Guide to Selecting a SOC 2 Auditor—Beyond the Certification Stamp


Audits are no one’s favorite part of the year. For many companies, their audit cycle is rife with lost efficiency, numerous questions out to technical stakeholders, and more meetings than anyone would ever want to sit in. Those companies who are lucky enough to have a GRC practice that can dedicate their time to audit coordination even feel the strain as they play a game of telephone between the technical teams and the assessors.
On one hand, this is a somewhat inevitable part of the process. Audits are disruptive because they are designed to be done by third parties who aren’t involved in your system. Therefore, in order to properly assess what they’re looking at, they have to be walked through all of the processes. The time this takes, not only to understand but to process and ask clarifying questions, isn’t something that can be skipped to avoid problems down the line.
On the other hand, there are just bad assessors and bad audit firms out there. These are companies that will sell you a “SOC Certification” (which is not a thing), barely look at the evidence, or worse, hire assessors who aren’t properly trained. This can drastically change the experience of your audit for the worse; it’s never a fun experience, but it should never be a nightmare.
This means that the actual act of choosing an assessment firm can be an essential step in the process, and audit firms don’t make it easy. For one, there’s a huge number of them out there, all advertising an easy and quick SOC 2 experience. Just separating out who is qualified can be a hard step, let alone determining which firm will be best for your company.
In a nutshell, firms who issue SOC 2 reports should be:
- AICPA licensed and accredited: This means that the American Institute of CPAs has accepted the firm as a qualified assessor. These firms additionally go through a peer review process every three years to ensure that they are assessing to the level that the AICPA requires and can be searched under the AICPA Peer Review Program.
- Have a licensed CPA to sign the report: The AICPA understands that CPAs may not be the best assessors of technical controls, even with the training they’ve done. Assessors who have technical training often perform the actual testing, but the actual signer of the report must be a licensed CPA in the state where the firm is located.
- Independent: Firms who have a financial interest in the company being assessed cannot be the auditor. This also extends to the individual assessors themselves; an assessor who has a relationship with the client in any way (such as family, financial interests, or other strong ties) must not perform the assessment.
Assuming that the list is narrowed down to those who can issue a SOC 2 report, the next step is to start talking to the assessment firms to discuss things such as pricing, process, teams, and so on. This process can also reveal some red flags:
- Talking about a SOC 2 Certification
  - This was mentioned earlier, but it’s worth mentioning again because it’s so pervasive. SOC 2 is an attestation framework, which means that there is no centralized certification body that it’s submitted to and there’s no fancy stamped certificate at the end.
  - Any firm that states that they can issue a certification is a firm that should not be used.
- Not knowing enough about SOC 2
  - Much like the above point, any firm that can’t talk about the five Trust Service Categories (TSCs) shouldn’t be used. The TSCs are an essential part of understanding what parts of the environment need to be assessed.
  - The Security TSC must always be in scope. This is not a TSC that can be removed for anything other than a readiness assessment. The other four can be added or removed depending on what would benefit the service. If the system deals with healthcare data and ePHI, all five TSCs being in scope isn’t unexpected. However, for a firm that only analyzes technical data, this may be overkill.
  - A standard report covers the Security, Availability, and Confidentiality TSCs. Companies looking to add Processing Integrity or Privacy should have a conversation with the assessment firm to determine the level of effort, because these TSCs are quite in-depth in comparison and can add difficulty to an audit with little benefit.
- Not spending enough time talking about the scope
  - Scope is the king of all conversations for any cybersecurity service, and SOC 2 is no different. If a firm doesn’t ask enough questions about how your systems are set up, how many products or servers are in scope, what cloud service providers or hosting providers are being used, whether there is any on-premises hosting, etc., they’ll be unable to estimate the level of effort for their staff or to choose the best staff to put on the project to address the specific needs of the assessment.
  - This can make negotiations take longer, but it’s far preferable to get these details hammered out before a contract is signed rather than after. For one, if a project was incorrectly scoped, it often culminates in a change order asking for additional money, which is never appreciated in a world where budgets can be tight. Secondly, the assessors may be unable to anticipate some very predictable pitfalls if they don’t understand the system beforehand, including not requesting the correct evidence or not anticipating certain controls being in scope and therefore underestimating the amount of time spent in conversations during the assessment.
  - Projects that are properly scoped also generally get assessors that are a better fit for the environment. Assessors, like anyone else, have strengths and weaknesses based on the environments they’ve had extra experience assessing or the additional training they’ve taken. If the environment is difficult to understand or would benefit from having a more technical assessor on it, scoping is the perfect place to mention this so that the assessment firm can put the correct people on the assessment.
- Not talking about how the assessment will actually function
  - Talking about timelines is easy; keeping to them is the hard part. Asking firms how they’re going to receive evidence is an essential part of the audit, because the evidence process can add difficulty and friction to the assessment, which can cause deadlines to be missed.
  - For a SOC 2 report, evidence is the most important thing, and the assessor will be asking for a lot of it, even if Security is the only TSC in scope. How does the assessor intend to receive the evidence? If there is a specific tool, how does it work? Tech demos can and should be utilized to ask questions prior to signing the contract. Some products have automated integrations, such as Coalfire’s Compliance Essentials tool, which can facilitate evidence gathering from products that already exist in the environment, such as Jira. Getting these set up can drastically streamline the audit process.
  - For a SOC 2 audit, giving the assessors full access might be convenient, but it isn’t recommended. For one, the access provisioning process is generally more complicated than expected—oftentimes it causes delays in the timeline simply because the access wasn’t granted in the expected timeframe. Secondly, if an assessor sees an exception inside the scope, even if it’s not a selected sample, that exception must be called out in the report. Therefore, limiting what the assessor can see is recommended, unless the company is very sure of how effectively its processes are running.
- Making unrealistic timeline promises
  - Everyone wants a quick audit, but the reality is that on average, SOC 2 reports take two to three months from kickoff to draft issuance. Part of this is the AICPA requirements for review processes, which take an average of 3-4 weeks to complete. This generally entails a technical review process, quality assurance, and then the signer’s review for the report opinion.
  - These review processes unfortunately take time, and they are essential to a complete report. Because the final deliverable is a large, 30+ page report, skipping any of these processes could result in an inaccurate or unprofessional-looking report with typos or mistakes.
  - If there is a hard deadline for receiving the report, the assessment firm should be notified prior to signing if possible, so that they can confirm whether or not it is achievable with their current staffing and the amount of time the review processes take. These timelines can usually be accommodated, but they will often come with contingencies: all evidence must be submitted by a certain date, and any follow-up questions should be responded to quickly in order to avoid delays.
Coalfire performs over 500 SOC audits annually with an experienced team filled with different experiences and strengths. Regardless of the industry, systems involved, or complexity, we can help advise on next steps in your SOC assessment journey. If you have questions, contact us or learn more about Coalfire Assessment services.