When compliance teams talk about the cost of their annual SOC 2 audit, they usually mean the auditor fee. At the mid-market level, a SOC 2 Type II audit engagement typically runs somewhere between $25,000 and $75,000 depending on scope, the number of systems in scope, and the audit firm. That number is real and it's significant. But it's the one cost that most teams have already budgeted for and understand.
The cost that consistently surprises people isn't the auditor fee. It's the internal labor required to prepare the evidence package that the auditor evaluates.
The anatomy of evidence collection labor
In a typical mid-market SaaS company approaching a SOC 2 Type II audit, evidence collection runs across several distinct workstreams. Each one pulls time from people who have other jobs.
Access control evidence requires pulling user lists from every system in scope — identity provider, cloud infrastructure accounts, source code repositories, production application roles, data platforms. For a 40-person engineering organization using Okta, AWS (typically two or three accounts), GitHub, and a data warehouse, this alone can take several days. The lists need to be cross-referenced: does every user in AWS appear in Okta? Are all production-access users still active employees? Have any admin privileges been granted outside the documented authorization workflow?
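The cross-references described above, as an added example that is not code from the original post: a Python check that joins constructed Okta, AWS IAM and GitHub exports on login email and flags access with no identity-provider record, access still held by deprovisioned users, and administrator policies with no approved change ticket. The account IDs, emails, policy names and ticket set are constructed sample values, and a real run would substitute the per-account IAM listings and the GitHub org member list.

```python
import csv
import io

# Constructed sample exports (not real data). In practice these come from the
# Okta user export, `aws iam` listings per account, and the GitHub org API.
OKTA_CSV = """login,status,department,title
alice@example.com,ACTIVE,Engineering,SRE
bob@example.com,DEPROVISIONED,Engineering,Backend
carol@example.com,ACTIVE,Security,Analyst
"""

# One row per (AWS account, IAM user, attached policy); three accounts in scope.
AWS_IAM = [
    ("111111111111", "alice@example.com", "ReadOnlyAccess"),
    ("111111111111", "bob@example.com", "AdministratorAccess"),
    ("222222222222", "dave@example.com", "AdministratorAccess"),
    ("333333333333", "carol@example.com", "ReadOnlyAccess"),
]

GITHUB_MEMBERS = ["alice@example.com", "bob@example.com", "erin@example.com"]

# (account, user) admin grants that have an approved change ticket (constructed).
APPROVED_ADMIN_GRANTS = {("111111111111", "bob@example.com")}


def load_okta(csv_text):
    """Map login -> status, dropping the export columns the check does not need."""
    return {row["login"].lower(): row["status"]
            for row in csv.DictReader(io.StringIO(csv_text))}


def cross_check(okta, aws_rows, github_members, approved_admin):
    """Return findings per check; an empty list means that control held."""
    findings = {"no_identity": [], "stale_access": [], "unapproved_admin": []}
    # Every downstream account, tagged with the system it lives in.
    grants = {("aws:" + acct, email) for acct, email, _ in aws_rows}
    grants |= {("github", email) for email in github_members}
    for system, email in sorted(grants):
        status = okta.get(email.lower())
        if status is None:                     # access with no IdP identity
            findings["no_identity"].append((system, email))
        elif status != "ACTIVE":               # offboarded but still provisioned
            findings["stale_access"].append((system, email, status))
    for acct, email, policy in aws_rows:
        if policy == "AdministratorAccess" and (acct, email) not in approved_admin:
            findings["unapproved_admin"].append((acct, email))
    return findings


if __name__ == "__main__":
    for check, hits in cross_check(load_okta(OKTA_CSV), AWS_IAM,
                                   GITHUB_MEMBERS, APPROVED_ADMIN_GRANTS).items():
        print(f"{check}: {hits or 'clean'}")
```

Note that the approved admin grant to the deprovisioned user still surfaces as stale access, which is why the three checks have to run over one joined dataset rather than one system at a time.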
Change management evidence requires demonstrating that changes to production systems followed an approved process — typically that every production deployment was linked to a reviewed and approved change ticket, that emergency changes were documented, and that the change log covers the full 12-month observation period. For teams using Jira or Linear as their change management system, this usually means exporting ticket data, filtering for production changes, and manually verifying that each change has the required approval trail.
Vendor management evidence requires documenting that every third-party vendor with access to customer data has been assessed for risk, has a signed BAA or DPA if applicable, and appears on an active vendor register. For a SaaS company running on AWS and using five to fifteen SaaS tools with data access, this list is longer than most compliance teams expect, and the documentation is rarely centralized.
Incident and vulnerability evidence requires compiling logs of security incidents and vulnerability scan results across the observation period, demonstrating that incidents were triaged, that critical vulnerabilities were remediated within policy timelines, and that the security testing program operated continuously. This pulls time from the security engineering team — people who are typically not the same people responsible for the compliance program.
Where the two weeks go
Consider a specific scenario: a 60-person SaaS company in the Philadelphia area, running on AWS with three accounts, using Okta for identity, GitHub for source code, and Jira for change management. They have a security team of two and a compliance function of one part-time compliance manager who also handles vendor contracts.
In the six weeks before their annual audit fieldwork, evidence collection proceeds roughly like this. The compliance manager spends the first week preparing a list of all systems in scope and determining what evidence is needed for each. In week two, she starts pulling exports: Okta user list, AWS IAM roles and policies per account, GitHub organization members, Jira change tickets from the past year. By the end of week two, she has raw data but none of it is in the format the auditor expects. The Okta export is a CSV with 90 columns she doesn't need. The AWS IAM export covers one account but not the other two. The GitHub export doesn't include the user status field she needs to show employee offboarding was handled correctly.
By week three, she's asking the engineering team to help. The senior DevOps engineer spends three days helping her pull the correct data with the AWS CLI and format it properly. A backend engineer spends a day and a half pulling GitHub data through the API because the standard GitHub export doesn't include what the auditor wants. Collectively, the engineering team contributes approximately 40 hours across a two-week window — hours pulled from sprint work.
This pattern is common. The 60-80% of audit prep time often cited in compliance operations literature refers specifically to evidence collection and formatting — not to the audit itself. The auditor's hours are mostly fixed. The internal hours are the variable that scales with organizational complexity and the maturity of the evidence collection process.
The indirect costs that don't appear in any budget line
Beyond the direct labor cost, manual evidence collection carries several indirect costs that don't appear in budget line items but are real nonetheless.
Engineering context switching is one. When a senior DevOps engineer is interrupted for three days to help with compliance evidence collection, the cost isn't just those 24 hours. It's the re-acquisition cost when she returns to the infrastructure work she was doing. It's the sprint delay. It's the opportunity cost of what didn't get built or maintained. In organizations where engineering time is the primary constraint on product progress, this is not a trivial cost.
Evidence quality risk is another. When evidence is collected manually, under time pressure, by people who are not primarily compliance professionals, mistakes happen. Fields are misread. Exports are incomplete. The wrong snapshot date is used. These errors don't always surface during audit fieldwork — sometimes they surface as audit findings. A control that could have been reported as operating cleanly instead becomes a finding with a management response explaining why the evidence was inadequate, which is a worse outcome than the underlying gap the evidence was meant to cover.
Audit timeline compression is a third. When evidence collection takes longer than planned — which it usually does — the time available for review and remediation before audit fieldwork shrinks. Teams that should have six weeks to address identified gaps often have two. Control gaps found during evidence review become remediation sprints that happen simultaneously with final evidence preparation.
What changes when evidence collection is automated
Automated evidence collection — meaning systems that connect directly to production environments via read-only API and continuously pull control state data — doesn't eliminate the auditor fee. It doesn't change the scope of the audit or the observation period requirements. What it eliminates is the manual labor component of evidence collection and the quality risk that comes with manual collection under deadline pressure.
When control state data is being pulled automatically, timestamped, and stored continuously throughout the observation period, the evidence package at audit time is not something you assemble — it's something you export. The evidence is already there, already formatted, already timestamped. The engineering team is not involved. The two weeks of engineering time are recovered.
We're not suggesting that compliance automation replaces compliance expertise. Understanding what controls to implement, how to interpret your risk appetite against the AICPA Trust Service Criteria, how to structure your vendor risk program — none of that is automated. The compliance manager's time is better spent on those questions than on formatting CSV exports from Okta.
The audit fee is the cost you see in the contract. The evidence collection labor is the cost you feel every year. For teams that have been through two or three SOC 2 Type II audit cycles and are starting to see the pattern, the question worth asking is whether that internal labor cost is a fixed feature of your compliance program or an architecture problem you can solve.
A note on measuring the actual number
If you want to measure your own evidence collection cost before making any tooling decisions, the simplest approach is a time-tracking exercise across one audit cycle. Log all hours spent by every person — compliance team, engineering team, security team — on evidence collection, formatting, review, and remediation before audit fieldwork begins. Multiply by fully-loaded hourly cost. Add the cost of delays to engineering work caused by the interruptions.
Most teams that do this exercise arrive at a number significantly higher than they expected. The cost is real. The question is whether it's the best use of the people who currently spend it.