SOC 2 Audit in 2026: Type 1 vs Type 2, Timeline, Cost, and the Trust Services Criteria
A SOC 2 audit is an independent examination of a service organization’s controls against the AICPA Trust Services Criteria, and in 2026 it has become the de facto trust signal for any SaaS vendor selling into mid-market or enterprise accounts. Buyers ask for the report before they sign the order form, procurement teams refuse to onboard vendors without one, and security questionnaires increasingly default to “send us your SOC 2 Type 2.” This guide covers what a SOC 2 audit actually tests, the difference between Type 1 and Type 2, the realistic 2026 cost ranges, the four phases of fieldwork, and how SOC 2 stacks up against SOC 1, SOC 3, and ISO 27001.
Key takeaways
- The AICPA Trust Services Criteria (TSP Section 100) define 5 categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security is mandatory; the other 4 are optional in-scope categories.
- A SOC 2 Type 1 reports on the design of controls at a point in time. A SOC 2 Type 2 reports on both design and operating effectiveness over an observation period of 3 to 12 months.
- 2026 fee ranges run roughly $20,000 to $50,000 for a Type 1 and $40,000 to $150,000 for a Type 2, scaled by the number of in-scope controls, systems, and TSC categories.
- A-LIGN is the largest single-issuer SOC 2 firm by report volume; Coalfire, Schellman, Sensiba, BDO USA, and Grant Thornton round out the top tier.
- SOC 2 reports are restricted-use documents under SSAE 18; they cannot be posted publicly. SOC 3 is the public-facing version, with no detailed test results.
What is a SOC 2 audit?
A SOC 2 audit is a System and Organization Controls examination performed by a licensed CPA firm under AICPA attestation standards. The auditor evaluates whether a service organization’s controls meet the Trust Services Criteria set out in AICPA TSP Section 100, “Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy.” The engagement is governed by SSAE 18 (Statement on Standards for Attestation Engagements No. 18), specifically AT-C Section 105 (Concepts Common to All Attestation Engagements) and AT-C Section 205 (Assertion-Based Examination Engagements).
The output is a SOC 2 report. The report contains the auditor’s opinion, management’s description of the system, and, in a Type 2 report, the auditor’s tests of controls and the results of those tests. The report is restricted-use under paragraph .59 of AT-C 205, meaning it can only be distributed to management, current and prospective customers, and other parties with sufficient knowledge of the system to understand the testing.
SOC 2 is not a certification. It is an attestation. There is no SOC 2 badge issued by AICPA, no registry of compliant companies, and no expiration sticker. What exists is a dated CPA opinion letter on a defined set of controls over a defined period. Buyers who treat SOC 2 as a pass/fail certification miss the actual question: what scope, what period, what exceptions, and what opinion.
Why a SOC 2 audit matters in 2026
The business reason is procurement. Enterprise security questionnaires from Fortune 500 buyers, federal agencies, and regulated industries (banks, hospitals, insurers) routinely require a SOC 2 Type 2 report before a vendor can move from pilot to paid contract. Cyber insurance underwriters increasingly ask the same. A startup without a SOC 2 can still sell to small businesses, but the addressable market above $50 million in annual revenue narrows sharply without one.
The regulatory reason is overlapping compliance. SOC 2 controls map cleanly to ISO 27001, NIST CSF 2.0, HIPAA Security Rule, and PCI DSS 4.0. A company that builds its control environment to satisfy the AICPA TSC can use the same evidence base to demonstrate compliance with multiple frameworks. This is why SOC 2 has become the default “starting point” rather than the endpoint.
The investor reason is due diligence. Private equity and venture capital diligence checklists in 2026 list SOC 2 alongside financial statements and ARR cohort analysis. A SOC 2 in good standing reduces buyer-side IT diligence costs and accelerates close timelines, particularly in SaaS roll-ups where post-close integration depends on the target’s control hygiene being credible from day one.
What does a SOC 2 audit actually test?
The auditor tests the service organization’s controls against the criteria in the TSC categories that are in scope. Security is the mandatory category. The other four (Availability, Processing Integrity, Confidentiality, Privacy) are elective and only included when the service organization commits to them in its system description.
The Security category, also called the Common Criteria, contains 9 common criteria series labeled CC1 through CC9. CC1 covers the control environment. CC2 covers communication and information. CC3 covers risk assessment. CC4 covers monitoring activities. CC5 covers control activities. CC6 covers logical and physical access controls. CC7 covers system operations. CC8 covers change management. CC9 covers risk mitigation. Each series contains multiple specific points of focus, and the auditor selects the controls the service organization has designed to meet each.
The Availability category adds criteria around capacity management, environmental protections, and recovery procedures. The Processing Integrity category covers completeness, validity, accuracy, timeliness, and authorization of system processing. The Confidentiality category covers protection of information designated as confidential by contract. The Privacy category aligns with the AICPA Generally Accepted Privacy Principles and covers notice, choice, collection, use, retention, disclosure, access, and quality of personal information.
A worked example. A B2B SaaS company chooses Security and Availability as in-scope categories because its master services agreement promises 99.95% uptime. The auditor tests, among many other items: that new employees complete security awareness training within 30 days of hire (CC1.4), that access to production systems requires multi-factor authentication (CC6.1), that quarterly access reviews are completed and documented (CC6.3), that change tickets are approved before deployment (CC8.1), that incident response runbooks are tested annually (A1.2), and that backup restoration is verified at least quarterly (A1.3). For a Type 2 engagement covering a 6-month period, the auditor will sample evidence across the entire window, not just a snapshot.
SOC 2 Type 1 vs Type 2: which one do you need?
The distinction is point-in-time versus period-of-time. A Type 1 report opines on whether controls were suitably designed as of a specific date. A Type 2 report opines on whether controls were suitably designed and operating effectively throughout an observation period.
Type 1 is faster, cheaper, and weaker. The auditor inspects policies, observes systems, and concludes that the controls, as designed, would be expected to achieve the criteria if they operated as described. There is no testing of whether the controls actually ran day after day during a real time window. Type 1 reports are useful as a stepping stone or a stopgap when a buyer needs evidence quickly and is willing to accept the limitation.
Type 2 is the report enterprise buyers actually want. The observation period runs from 3 to 12 months, with 6 months being the most common first-year window and 12 months the standard for subsequent years. The auditor pulls samples across the period, tests evidence, and concludes on operating effectiveness. A clean Type 2 report carries an unqualified opinion. A report with control failures carries a qualified opinion, with the exceptions described in the test results section.
The typical path for a first-time SOC 2 issuer is: complete a readiness assessment, issue a Type 1 to cover the gap, then begin a Type 2 observation period of 3 to 6 months immediately following the Type 1 date. The Type 2 report is issued 2 to 4 weeks after the observation period closes. From a procurement standpoint, the company is “SOC 2 compliant” once the Type 1 lands, and “SOC 2 Type 2 compliant” once the first Type 2 lands.
How much does a SOC 2 audit cost in 2026?
SOC 2 fees are not standardized. They scale with the number of in-scope TSC categories, the number of in-scope systems and locations, the number of controls in the description, the maturity of the existing control environment, and the auditor’s billing rate. The ranges below reflect typical 2026 market pricing from licensed CPA firms in the United States.
A SOC 2 Type 1 for a single-product SaaS company with Security category only, fewer than 50 controls, and a single AWS or GCP environment runs $20,000 to $35,000 in audit fees. Add Availability and Confidentiality and the range moves to $30,000 to $50,000. The audit fee does not include the cost of readiness work, which is typically a separate engagement priced at $10,000 to $40,000 or handled by a compliance automation platform such as Vanta, Drata, Secureframe, or Thoropass.
A SOC 2 Type 2 for the same single-product company with Security category only and a 6-month observation period runs $40,000 to $75,000 in audit fees. With multiple TSC categories, multiple production environments, and a 12-month observation period the range moves to $75,000 to $150,000. Larger multi-product organizations with complex sub-service organization carve-outs and 200+ controls can see Type 2 fees of $150,000 to $300,000+.
Two cost drivers buyers underestimate. First, sub-service organizations. If the service organization relies on a third party (a cloud provider, a managed security service, a payment processor) and elects to carve that party out of its description, the auditor still has to test the complementary user entity controls and the complementary sub-service organization controls. Each carve-out adds testing time. Second, exceptions. A control that fails testing leads to additional procedures, root cause analysis, and remediation testing, all of which add fees outside the original scope.
SOC 1 vs SOC 2 vs SOC 3 vs ISO 27001 (comparison)
These are the four frameworks most often confused in vendor security questionnaires. The distinctions matter because asking for the wrong one wastes time on both sides of the table.
| Framework | Coverage | Audience | Distribution | 2026 cost range |
|---|---|---|---|---|
| SOC 1 (Type 2) | Controls over financial reporting (ICFR) at a service organization. Governed by SSAE 18 AT-C 320. | User auditors, finance teams, customer CFOs. | Restricted use. Customer auditors only. | $30,000 to $100,000+ |
| SOC 2 (Type 2) | Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, Privacy. Governed by SSAE 18 AT-C 105 and 205 plus AICPA TSP 100. | Customer security, procurement, compliance teams. | Restricted use. Customers and prospects under NDA. | $40,000 to $150,000+ |
| SOC 3 | Same Trust Services Criteria as SOC 2 but condensed into a public summary report with no detailed test results. | General public, marketing audience. | Unrestricted. Posted publicly. | $5,000 to $15,000 incremental on top of SOC 2 |
| ISO 27001 | Information Security Management System (ISMS) certification against ISO/IEC 27001:2022 with Annex A controls. | Global enterprise buyers, especially EU and APAC. | Certificate is public. Statement of Applicability and audit findings are not. | $30,000 to $100,000+ for stage 1 + stage 2 certification audit |
Practical rule. If a customer’s auditor is asking the question, they probably want SOC 1. If a customer’s security team is asking, they want SOC 2. If a marketing page needs to claim certification, the company needs SOC 3 (and probably has SOC 2 already). If the deal is European, Japanese, or Australian, ISO 27001 may carry more weight than SOC 2. Many companies hold both. A SOC 2 Type 2 plus an ISO 27001 certificate is the modern enterprise-ready posture.
The four phases of a SOC 2 audit
SOC 2 engagements follow a predictable sequence, regardless of which CPA firm is engaged. The naming differs slightly across firms but the substance is the same.
Phase 1: Scoping. The service organization and the auditor agree on which TSC categories are in scope, which systems and locations are in scope, which sub-service organizations are inclusive versus carved out, and what observation period the Type 2 will cover. The output is an engagement letter, a system description outline, and a control matrix. This phase typically takes 2 to 6 weeks.
Phase 2: Readiness assessment. Not technically part of the SOC 2 audit, but the standard precursor. The auditor (or a separate firm) walks through the in-scope controls, identifies gaps, and produces a remediation plan. This is the single most expensive phase for first-time issuers because it surfaces the gap between “what we say we do” and “what we actually have evidence of.” Readiness work runs 4 to 12 weeks. Companies that work with compliance automation platforms compress this phase by pre-populating evidence from connected systems.
Phase 3: Fieldwork. The auditor tests controls. For a Type 1, fieldwork concentrates on design: policy review, system walkthroughs, observation of configurations, and inquiry of personnel. For a Type 2, fieldwork samples evidence across the observation period: tickets, log entries, change records, access reviews, training completions, and incident records. Fieldwork on a Type 2 typically runs 4 to 8 weeks depending on the size of the population.
Phase 4: Report issuance. The auditor drafts the report, the service organization reviews it, exceptions and management responses are finalized, and the report is signed and dated. The dated report is what gets shared with customers. The auditor cannot issue a report dated earlier than the date evidence was completed. Report issuance runs 2 to 4 weeks after fieldwork closes.
The top SOC 2 firms in 2026
The SOC 2 issuer market in 2026 is concentrated at the top, fragmented in the middle, and crowded at the bottom. The firms below issue the vast majority of SOC 2 reports for high-growth SaaS and mid-market service organizations.
A-LIGN. The largest single-issuer SOC 2 firm by report volume. Owned by Warburg Pincus since November 2021. Strong technology, financial services, and government client base. Operates A-SCEND, a proprietary audit management platform that integrates with Vanta, Drata, Secureframe, and Thoropass.
Coalfire. Cyber-first audit and advisory firm. Owned by Apax Partners since 2020. Particularly strong in FedRAMP and HITRUST in addition to SOC 2. Common choice for SaaS companies pursuing federal market access.
Schellman. CPA firm focused exclusively on attestation and certification services. Independent. One of the few SOC 2 issuers that also holds an ISO 17021 accreditation for ISO 27001 certification, allowing a single firm to issue both reports.
Sensiba (formerly Sensiba San Filippo). West Coast regional CPA firm with a national SOC 2 practice. Strong in mid-market technology and life sciences. Member of Allinial Global network.
BDO USA. Top-tier global accounting network. Broad cross-service capability including SOC 2 alongside financial statement audit, tax, and advisory. Standard choice for service organizations that already have BDO as their financial auditor.
Grant Thornton. Top-tier global accounting network. Similar profile to BDO USA. Strong in financial services, government, and not-for-profit verticals. Now PE-backed following the New Mountain Capital majority recapitalization completed in 2024.
Big 4 firms (Deloitte, EY, KPMG, PwC) issue SOC 2 reports, primarily as a cross-service to financial statement audit clients. Fees from Big 4 firms typically run 2x to 3x mid-tier specialist rates. The trade-off is brand recognition with enterprise buyers in financial services and pharma.
Recent changes affecting SOC 2 in 2025 and 2026
Three developments matter for SOC 2 issuers in 2026.
The 2022 revision of the Trust Services Criteria. The AICPA Assurance Services Executive Committee revised TSP Section 100 effective for reports issued December 15, 2022 and after. The revision incorporated supplemental points of focus and aligned the Privacy category more closely with modern data protection expectations. By 2026 the 2022 revision is fully bedded in; new issuers should ensure their auditor is using the most current version of the criteria.
SSAE 22. SSAE 22 was issued by the AICPA Auditing Standards Board and is effective for reports for periods ending on or after December 15, 2024. SSAE 22 amends several attestation standards, including AT-C 105 and AT-C 205, and clarifies the auditor’s responsibilities related to materiality, fraud considerations in attestation engagements, and reporting on subject matter information. For SOC 2 engagements in 2026, expect updated engagement letters, refreshed audit procedures around fraud risk, and slightly expanded report language. The substance of what gets tested is unchanged. The documentation around it has thickened.
Compliance automation platform consolidation. Vanta, Drata, Secureframe, and Thoropass have absorbed most of the readiness market for first-time SOC 2 issuers. The platforms connect to AWS, GCP, Azure, GitHub, Okta, Jira, and 100+ other systems, automatically collect evidence, and pre-populate auditor request lists. Auditors increasingly accept evidence directly from these platforms via integrations. The result: readiness timelines have compressed from 6 months to 4 to 8 weeks for well-architected SaaS companies, and audit fees on Type 1 engagements have moved toward the lower end of the historical range.
Common pitfalls in SOC 2 audits
The same mistakes recur across first-time SOC 2 issuers.
Scope creep. Including more TSC categories than the business actually commits to. Privacy in particular is a heavy lift; many SaaS companies include it because a sales-driven CISO thought it would sound better, then spend the next quarter trying to design controls around data subject access requests they have never actually received.
Vague system descriptions. The system description is the service organization’s responsibility, not the auditor’s. Vague language (“the company maintains appropriate controls”) gives the auditor nothing to test. Precise language (“access to production databases requires Okta SSO with hardware token MFA and is reviewed quarterly by the Director of Security”) gives the auditor something testable.
Missing evidence for the observation period. Type 2 fails when controls operated but no one documented them. Quarterly access reviews that happened but produced no signed-off review evidence. Change tickets that were approved verbally and never recorded in Jira. Incident response runbooks that were exercised but produced no after-action report. The fix is to instrument the control so it cannot run without leaving evidence.
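As an added illustration, not code from the article or from any audit firm or platform it names, the following Python script shows what "instrument the control so it cannot run without leaving evidence" looks like in practice for two of the controls in the worked example above: quarterly access reviews (CC6.3) and change approval before deployment (CC8.1). It takes a Type 2 observation period plus the evidence records a compliance platform or ticketing system would export, and reports each quarter with no signed-off review and each deployment with no approved ticket dated on or before the deploy. The record shapes, the 2026 dates and the ticket ids are constructed sample data, not a real auditor request list.

```python
"""Evidence-coverage check for a SOC 2 Type 2 observation period.

Constructed example: given an observation period, verify that every calendar
quarter it touches has a signed-off access review (CC6.3) and that every
production deployment inside the period has a change ticket approved on or
before the deploy date (CC8.1). A review that happened but carries no
sign-off counts as missing evidence, which is exactly the Type 2 failure
mode described in the text.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class AccessReview:
    completed_on: date
    reviewer: str
    signed_off: bool          # False: review ran, but no sign-off artifact exists


@dataclass(frozen=True)
class Deployment:
    deployed_on: date
    ticket_id: Optional[str]          # None: no change ticket recorded at all
    ticket_approved_on: Optional[date]  # None: ticket exists but was never approved


def quarter_of(d: date) -> str:
    """Label a date with its calendar quarter, e.g. '2026Q2'."""
    return f"{d.year}Q{(d.month - 1) // 3 + 1}"


def quarters_touched(start: date, end: date) -> List[str]:
    """All calendar quarters that overlap the period [start, end]."""
    quarters = []
    year, q = start.year, (start.month - 1) // 3 + 1
    while date(year, (q - 1) * 3 + 1, 1) <= end:
        quarters.append(f"{year}Q{q}")
        year, q = (year + 1, 1) if q == 4 else (year, q + 1)
    return quarters


def access_review_gaps(start: date, end: date,
                       reviews: List[AccessReview]) -> List[str]:
    """Quarters in the period with no signed-off review completed inside it."""
    covered = {quarter_of(r.completed_on) for r in reviews
               if r.signed_off and start <= r.completed_on <= end}
    return [q for q in quarters_touched(start, end) if q not in covered]


def change_exceptions(start: date, end: date,
                      deployments: List[Deployment]) -> List[str]:
    """Deployments in the period lacking an approval dated on/before the deploy."""
    problems = []
    for d in deployments:
        if not (start <= d.deployed_on <= end):
            continue  # outside the observation window; not in the sample population
        if d.ticket_id is None:
            problems.append(f"{d.deployed_on}: no change ticket")
        elif d.ticket_approved_on is None or d.ticket_approved_on > d.deployed_on:
            problems.append(f"{d.deployed_on}: {d.ticket_id} not approved before deploy")
    return problems


# Constructed sample evidence for a 6-month observation period (H1 2026).
PERIOD_START = date(2026, 1, 1)
PERIOD_END = date(2026, 6, 30)

SAMPLE_REVIEWS = [
    AccessReview(date(2026, 3, 15), "director-of-security", signed_off=True),
    AccessReview(date(2026, 6, 10), "director-of-security", signed_off=False),
]

SAMPLE_DEPLOYMENTS = [
    Deployment(date(2025, 12, 20), "CHG-099", date(2025, 12, 19)),  # before period
    Deployment(date(2026, 2, 3), "CHG-101", date(2026, 2, 2)),      # clean
    Deployment(date(2026, 4, 20), None, None),                      # no ticket
    Deployment(date(2026, 5, 11), "CHG-140", date(2026, 5, 12)),    # approved late
]


def run_check(start: date = PERIOD_START, end: date = PERIOD_END,
              reviews=SAMPLE_REVIEWS, deployments=SAMPLE_DEPLOYMENTS) -> dict:
    """Return the evidence gaps an auditor would write up as exceptions."""
    return {
        "CC6.3_missing_review_quarters": access_review_gaps(start, end, reviews),
        "CC8.1_change_exceptions": change_exceptions(start, end, deployments),
    }


if __name__ == "__main__":
    for control, findings in run_check().items():
        print(control, findings or "no exceptions")
```

Run this on the real exports each month rather than at fieldwork time: a gap surfaced in month two of the window can still be remediated, while one found when the auditor pulls samples becomes a described exception in the report.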
Carve-out confusion. When a sub-service organization is carved out, the service organization must define complementary user entity controls (CUECs) and complementary sub-service organization controls (CSOCs). Skipping or mishandling these creates qualified opinions even when the core controls operate cleanly.
Treating the report as a marketing asset. SOC 2 Type 2 reports are restricted use. They cannot be posted on a public website. Public marketing requires a SOC 3 or a trust center that gates access. Multiple companies have received cease-and-desist communications from auditors after posting full SOC 2 reports on landing pages.
For deeper coverage of how auditors design and execute the underlying control testing, see our companion guide on internal controls testing, which walks through design versus operating effectiveness, sample sizes by control frequency, and the SAS 145 risk-based approach. For broader context on auditor responsibilities under PCAOB standards, see our explainer on PCAOB AS 1000 general responsibilities. For a market view on the audit firms competing for SOC 2 mandates and what private equity ownership has done to the mid-tier, see our analysis of the best PE-backed audit firms.
Frequently asked questions
- How long is a SOC 2 report valid?
- SOC 2 reports do not have a formal expiration date. In practice, buyers treat a report as fresh for 12 months from the report date. After 12 months, expect renewal questions and requests for a current bridge letter. The standard cadence is one Type 2 report per year covering a 12-month observation period.
- What is a bridge letter?
- A bridge letter (also called a gap letter) is a representation from management stating that no material changes to controls have occurred between the end of the last audit period and the current date. Bridge letters are typically issued by management, not the auditor, and they extend the procurement-useful life of a SOC 2 report by 3 to 6 months while the next audit cycle runs.
- Can a SOC 2 audit be done remotely?
- Yes. The vast majority of SOC 2 audits in 2026 are performed remotely with screen-shared system walkthroughs, sample testing through compliance automation platforms, and video calls for personnel inquiries. On-site work is now rare except for data center physical security testing when physical infrastructure is in scope.
- Does SOC 2 require penetration testing?
- Not directly. The TSC do not mandate annual penetration testing. However, CC4.1 (monitoring) and CC7.1 (system operations) are commonly satisfied by evidence of an annual third-party penetration test, and most buyers ask for one separately. In practice, companies pursuing SOC 2 also commission an annual pen test.
- What is the difference between a qualified and unqualified opinion?
- An unqualified opinion is a clean opinion: the auditor concludes the description is fairly presented and the controls were suitably designed and operating effectively. A qualified opinion identifies specific exceptions, typically one or more controls that failed testing during the observation period. A qualified opinion does not invalidate the report, but it does require disclosure to customers and may prompt remediation commitments.
- Can a startup do SOC 2 before it has revenue?
- Yes, but the cost-benefit changes. A pre-revenue startup pursuing SOC 2 Type 1 with Security only and full use of a compliance automation platform can complete the full cycle for $30,000 to $50,000 inclusive of platform fees and audit fees. The trigger is usually a first enterprise pilot conditional on a SOC 2 report.
- What is a SOC 2+ report?
- A SOC 2+ report layers additional criteria onto a standard SOC 2. Common combinations are SOC 2 + HIPAA, SOC 2 + HITRUST, and SOC 2 + ISO 27001. The auditor maps the additional criteria to the TSC and includes them in the testing. The trade-off is one combined report instead of two reports, with somewhat higher fees and a more complex matrix.
- Can a customer’s auditor reuse my SOC 2 report?
- Yes. That is the original purpose of a SOC 2 report. A customer’s financial statement auditor (the user auditor) can rely on the testing performed in the SOC 2 to evaluate controls at the service organization, provided the report covers the relevant criteria and time period. This is why SOC 2 reports must be made available to customer auditors under the restricted-use provisions of SSAE 18.
- What happens if a control fails during the Type 2 period?
- The exception is documented in the auditor’s tests of controls section, with a description of the exception, the cause where determinable, and management’s response. Management typically describes remediation steps taken. The opinion is then either unqualified with described exceptions (most common) or qualified if the exceptions are material.
Bottom line
A SOC 2 audit is a CPA-issued attestation against the AICPA Trust Services Criteria, not a certification. Type 1 reports on design at a point in time; Type 2 reports on design and operating effectiveness over a 3 to 12 month observation period. Plan for $20,000 to $50,000 on Type 1, $40,000 to $150,000 on Type 2, with realistic timelines of 8 to 16 weeks for Type 1 and 6 to 9 months from kickoff to first Type 2 report.
Sources and methodology
Primary sources: AICPA TSP Section 100, “Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy” (2017, revised 2022); AICPA SSAE 18, AT-C Sections 105, 205, and 320; AICPA SSAE 22, effective for periods ending on or after December 15, 2024; AICPA “Description Criteria for a Description of a Service Organization’s System in a SOC 2 Report” (DC Section 200). Cost ranges reflect 2026 published rate cards and engagement quotes from licensed CPA firms across the A-LIGN, Coalfire, Schellman, Sensiba, BDO USA, and Grant Thornton tiers, cross-checked against compliance automation platform partner reports. PE ownership confirmations: Warburg Pincus / A-LIGN (Nov 2021), Apax Partners / Coalfire (2020), New Mountain Capital / Grant Thornton (2024 majority recap).