Questions to ask before hiring a SOC 2 auditor
A focused set of questions surfaces fit, competence, and cost surprises before you sign. Use these to vet licensure, experience, staffing, process, and exception handling with any candidate firm.
Licensure and peer review status
Start with the non-negotiables: a SOC 2 report can only be issued by a licensed CPA firm, so ask for the firm's CPA license details and verify them through the relevant state board of accountancy. Next, ask for the firm's most recent AICPA peer review result and the date it was performed, since CPA firms undergo external peer review roughly every three years on a Pass, Pass with Deficiencies, or Fail scale. A clean 'Pass' with no deficiencies is the baseline you should expect, and the outcome is verifiable in the AICPA's public peer review file. If a firm is evasive about either its license or its peer review, treat that as a serious warning sign. These two checks alone screen out a surprising number of unqualified providers.
Relevant experience and references
Volume and relevance both matter, so ask how many SOC 2 engagements the firm completed in the past year and how many were for companies in your industry and of your size. A firm that audits dozens of SaaS companies will anticipate your control environment far better than a generalist accounting practice doing its first few. Request two or three client references you can actually contact, and when you speak with them, ask whether the audit ran on schedule, how responsive the team was, and whether any exceptions were handled fairly. Industry fit also affects scoping judgment, since a healthcare or fintech auditor will understand the adjacent obligations your buyers care about. References are where polished sales claims meet reality, so do not skip them.
Who staffs the engagement and how it runs
Ask specifically who will lead your engagement, what their credentials are, and whether they remain your point of contact throughout rather than handing off to junior staff after the sales call. A healthy team usually blends CPA licensure with technical certifications such as CISA or CISSP and real cloud experience, because SOC 2 testing spans both the rigor of the attestation standards and hands-on evaluation of technical controls. Clarify the timeline from kickoff to delivered report, the expected cadence of check-ins, and how the firm prefers to communicate during fieldwork. Confirm whether the firm has worked with whatever GRC platform you use, since an auditor fluent in your tool can pull evidence directly and avoid duplicative requests. Knowing the staffing model up front prevents the common surprise of a relationship that degrades once the contract is signed.
Evidence handling and exceptions
Probe how the firm gathers and tests evidence, because this drives most of the day-to-day workload on your side. Ask whether they accept evidence directly from your automation platform, what file formats and access they expect, and how they sample controls over the audit period. Critically, ask how they handle exceptions: a good auditor explains that a testing exception does not automatically doom the report. An exception is recorded in the report's test results alongside management's response, and the overall opinion can still be unqualified (clean) as long as the affected criteria are still met; only exceptions severe enough that a criterion is not met lead to a qualified opinion. Understanding their philosophy on exceptions tells you whether they are a pragmatic partner or a box-checker who will surprise you late in fieldwork. You want a firm that flags issues early enough to address rather than springing them at report time.
Fees, inclusions, and what the report covers
Because SOC 2 pricing is almost always quote-based rather than published as a fixed rate, ask precisely what the fee includes and what would trigger additional charges. Confirm whether the quote covers the full report or just fieldwork, whether a readiness assessment is included or billed separately, whether the firm will help prepare a bridge letter to cover the gap after your report period ends (that letter is issued by your management, not the auditor, but some firms assist with it), and what subsequent annual examinations are likely to cost. Clarify which Trust Services Criteria the engagement covers, since adding categories beyond Security expands scope and price. Ask whether the price assumes a Type 1 or Type 2 report and what audit period the Type 2 will span, as these materially change the work. Getting the inclusions in writing before you sign is the single best defense against mid-engagement cost surprises and scope creep.