SOC Certification for Your Professional Services Business: What You Need to Know, Part Two

By: John Erickson – CEO of Credit Service Intl. – Content Editor of R.O. Hammer Companies

In this three-part blog series, we are discussing 1) What SOC certification is and its benefits, 2) the costs and time commitment involved in SOC certification, and 3) how to prepare for the SOC certification process.. 

In our first blog post, we discussed what SOC certification is and its benefits. Now, let’s dive into the details of our second point: What cost and time commitment are involved in SOC certification?

What Cost and Time Commitment Are Involved in SOC Certification?

The cost of SOC certification can vary widely depending on the size and complexity of your organization, as well by the type of SOC report you ultimately choose. 

How “hands-on” your team intends to be throughout the process and your current level of preparedness are large factors in determining the expense of the certification. How well documented your policies and procedures currently are, and the vendor partners you currently have in place, can significantly increase or decrease the cost associated with achieving certification, as well.

Typical costs for the certification process have a broad range and can include:

• Consultant fees: $5,000 to $50,000

• Auditor fees: $10,000 to $100,000

There is no way around the fact that achieving SOC certification is a large investment. 

Keep in mind that it is hard to create a one-size-fits-all budget that works for every organization. 

If your professional services business is smaller and in good shape with your policies, procedures, and documentation, plan for a conservative minimum budget in the $20,000 range. Again, some businesses may require a smaller investment and others a significantly higher one. 

The best way to zero in on the cost of certification for your business is to engage with other professionals in your industry. Ask lots of questions. One of the largest factors associated with certification will be the SOC vendor you choose to partner with to complete the process–more on this below. Different vendors will also have different payment options, and in most cases, the bulk of your vendor costs are not due until after the report is completed. 

Renewal Costs

It is also critical to do some strategic planning for an ongoing budget both to maintain the systems that have been implemented in the initial certification and to renew the certification annually. A certified organization must undergo a new audit and recertify within 12 months of the previous audit's issuance date. In most cases, however, the cost of renewal is significantly less than the initial certification. Though this will vary from organization to organization, plan to spend around 50 - 75 percent of the amount required for the initial certification. 

It is important to remember that an investment in SOC certification inevitably will pay for itself in the form of increased compliance and decreased risk, improvements to internal processes and structure, and additional business opportunities.

Pro Tip: While the monetary cost of achieving SOC certification requires significant considerations, don't forget to account for the cost of internal resource allocation. If yours is a smaller business, be sure to work out which members of your team will be assisting with the certification and audit process, and make sure proper bandwidth is available for everyone involved. Bear in mind that depending on your level of policy and procedure documentation, certification may require input from multiple departments and a variety of people throughout your business. There are, of course, white glove options available from a number of vendors who can largely handle the bulk of the preparation and implementation process for achieving certification, but these options are costly. These options can also hinder the team development achieved in completing the certification process together, which creates significant value in itself.

How to Choose the Right Vendor for Your Certification

As SOC certification for the professional services business industry becomes more commonplace, a growing number of vendors are available to assist your organization.

Here’s a list of key considerations when selecting a SOC auditor or consulting firm. 

1. Experience: This is critical. While you can achieve certification with a vendor that does not have experience with your industry, working with one that understands the mechanics of your business and has industry knowledge (or at a minimum an understanding of industry language) will significantly expedite the certification process. This will also likely translate into cost savings and a reduction in your time commitment to achieve the assurance.

2. Request a Referral: One of the best ways to find an SOC vendor specific to your industry and need, is to reach out to a competitor that has already achieved certification. Most professional services businesses that have achieved certification tend to wear it like a badge of honor, and a quick Google search of competitors in a targeted area will give you some options to seek a referral. If you are a member of a trade association, it can be another valuable resource for preferred and/or experienced vendors in your industry.

Pro Tip: Developing competitor relationships, especially in niche industries such as professional services can have a significant impact on advancing your goals and expediting the growth of your business. Sharing ideas and leveraging vendors can save you a remarkable amount of time and money. Chances are, many of your competitors are experiencing the same challenges, needs, issues, and headaches. When developed appropriately through trust and respect, these relationships can be invaluable. In most cases, competitors will quickly recognize the value of the relationship for themselves, as well. Be sure to make a formal offer to assist and/or collaborate (bring value) early in all initial conversations. Seeking a vendor referral is a great way to break the ice when making a cold approach to a competitor.

3. The Right SOC Vendor Can Explain Process: If you have not previously had exposure to the SOC process, understanding where to start can be one of the biggest challenges. The right vendor will be able to give you a clear picture of what you need to plan for and how to prepare–from the start. Some vendors might be unwilling to dive into the process until you have executed an engagement letter. This can be frustrating. These firms are typically set up to service large, and often sophisticated, organizations that have significant experience with SOC and other assurance certifications. While these firms have a place in the market, if you are starting your initial certification, finding a vendor that will not only help you achieve your goal but also educate you along the way is key.

4. Be Upfront about Your Budget: If you are new to the SOC process, be upfront about it. Ask lots of questions. The right SOC vendor should be able to help you assess where you are in terms of preparedness for beginning the process and give you a clear picture of their pricing model based on that conversation. Vendor billing models can vary. Here are the most common options:

• Billing at an Hourly Rate: Firms charge a flat hourly rate for time invested in each phase of the process. Typically, an hourly rate is set for the entire certification process, but based on the firm, the client organization, and the particular scenario, some firms may also offer variable rates for the preparation versus audit phases of the process. This may depend on the firm’s internal structure, as well as the level of associates you are working with during each phase of the process.

• Flat Rate Fee Model: Vendors using this model will offer a flat fee, generally per month, per phase, or, in some cases, for the entire certification.

After an initial assessment of your readiness to begin, your vendor will put together a pricing proposal for your organization. Remember every organization is different, and the certification process is not an entirely universal process. Once you have had an opportunity to review their assessment and pricing, be sure to ask about the benefits of engaging in a flat rate vs. hourly fee-based structure. Even if the vendor is suggesting only one option. As you gain a better understanding of the certification process preparation requirements for your organization, you should be better able to work out what your team is capable of accomplishing internally on your own. Discussing multiple options with a potential vendor will allow you to make a more informed business decision, that will hopefully result in both efficiencies and cost savings.

5. The Right SOC Vendor Will Give You Actionable Next Steps: While a good SOC vendor will give you guidance on what the process looks like, a great one will give you actionable next steps. Oftentimes, this can be in the form of a checklist of items to be completed before they start billing. Remember: Your vendor is running a business, as well, and it is in the vendor’s best interest to make sure you are organized so they can get to work. Knowing what you can complete ahead of time can generate cost reductions as well as provide a clearer picture of the time and resources that will be required to complete your certification.

6. Align Your Budget and Vendor: SOC vendors don’t work for free, but many are honest, hardworking professionals who are, above all, reasonable people. If you have a reasonable budget, the chances are that you can find a vendor in your price range that can help you achieve your goals. Consider that a lower budget may require a longer search to find the right vendor fit, more time to complete your certification, and a greater investment of effort to work through portions of the process on your own, but it can be done. Make sure you are properly valuing your team’s (and your own) time when preparing your budget, and don't discount the educational value that can come from enlisting the right SOC vendor, even if it comes at a slightly higher price.

7. Review and Execute an Agreement

If you are seriously considering achieving SOC certification for your organization: 1) Congratulations! You have made a smart decision, and 2) You probably operate with a level of business sophistication that does not require my advice in seeking counsel to review any contracts associated with a time and monetary commitment such as this.

SOC Certification is a large investment, with lots of moving parts. It is prudent to make sure you fully understand the full scope, and cost, of your vendor’s commitment.  Especially if you have a set budget. Changing firms midstream will not only delay your path to certification but can also be costly.

Finding qualified counsel to review any agreements or scope of work documents to ensure that everyone is on the same page and that you are getting the quality of certification you need in return for your investment is a crucial step in this process.

What’s Next?

Be sure to check out the first and third installments of this blog post series to learn what SOC certification is and what its benefits are, as well as how to prepare for the SOC certification process.