SOC 1 & 2 Pricing Components

GCPA utilizes a fixed-fee approach, which means clients pay one fee that includes travel and out-of-pocket expenses as well as administrative, technology, printing, and mailing expenses.

GCPA also offers a three-year pricing lock with the option to end the agreement at any time. (Note: All current fees must be paid, including but not limited to fees for partial work before the engagement is completed.) Our three-year quote includes a 10–15% discount after the first year to account for efficiencies realized after the initial work is performed in the first year through familiarity with the client’s environment. After the first year, we only need to update controls and test plans rather than develop new and/or customized plans each year. We therefore pass the savings on to our clients.

The following is a general guide to the GCPA pricing model. Since specific client and market situations drive the pricing model, pricing could differ for each engagement.


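|            | Pre-Readiness Assessment | SOC 1 (SSAE 16) Report | SOC 2 Report *      |
|------------|--------------------------|------------------------|---------------------|
| Level I:   | $2,500 - $4,000          | $10,000 - $17,000      | $12,000 - $20,000   |
| Level II:  | $4,000 - $8,000          | $17,000 - $25,000      | $20,000 - $30,000   |
| Level III: | $8,000 - $12,000         | $25,000 - $40,000      | $30,000 - $50,000   |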

* - SOC 2 audit report pricing is based on the number of principles being tested. The five principles are Security, Availability, Processing Integrity, Confidentiality, and Privacy.

Level I Audits: Service organizations with 1 information technology platform environment (operating system), 1 business process being reviewed, and/or fewer than 30 identified control objectives.

Level II Audits: Service organizations with 2 information technology platform environments (operating systems), 1 – 2 business processes being reviewed, 30 – 45 identified control objectives and/or multiple facility locations.

Level III Audits: Service organizations with 3 or more information technology platform environments (operating systems), 2 or more business processes being reviewed, 46 or more identified control objectives and/or 3 or more facility locations.

Gray CPA, PLLC All Rights Reserved