SOC 1 & 2 Pricing Components

GCPA utilizes a fixed-fee approach, which means clients pay one fee that includes travel, out-of-pocket expense, and administrative, technology, printing, and mailing expenses. The fee pricing below does not include travel fees as these fees differ from client to client. The travel fees are added later based on location. This approach puts the onus on GCPA to control our costs.

GCPA also offers a three-year pricing lock with the option to end the agreement at any time. (Note: All current fees must be paid, including but not limited to fees for partial work before the engagement is completed.) Our three–year quote includes a 10–15% discount after the first year to account forefficiencies realized after the initial work is performed in the first year through familiarity with the client’s environment. After the first year, we need to only update controls and test plans versus developing new and/or customized plans each year. Therefore, we pass savings to our clients.

The following is a general guide to the GCPA pricing model. Since specific client and market situations drive the pricing model, pricing could differ for each engagement.


Pre-Readiness Assessment

SOC 1 (SSAE 16) Report

SOC 2 Report*

Level I:

$2,500 - $5,000

$14,000 - $20,000

$16,000 - $22,000

Level II:

$5,000 - $10,000

$20,000 - $28,000

$22,000 - $32,000

Level III:

$10,000 - $14,000

$28,000 - $50,000

$32,000 - $60,000

* - SOC 2 audit report pricing is based on the number of principles being tested. There are five principles that include Security, Availability, Processing Integrity, Confidentiality, and Privacy.

Level I Audits: Service organization with 1 information technology platform environment (operating system), 1 business process being reviewed, and/or less than 20 identified control objectives with 10-99 control activities.

Level II Audits: Service organization with 2 information technology platform environments (operating systems), 1 – 2 business processes being reviewed, 20 – 30 identified control objectives, 100+ control activitites, and/or multiple facility locations.

Level III Audits: Service organizations with 3 or more information technology platform environments (operating systems), 2 or more business processes being reviewed, 46 or more identified control objectives and/or 3 or more facility locations.

Gray CPA, PLLC All Rights Reserved