The Auditor's Dilemma: Why Trust Is Being Commoditized and What Comes Next

SOC 2 reports look identical whether they were done with care or checked off in a spreadsheet. That's not a client education problem. It's a structural one.

A few months ago, I started asking audit firm partners a question I expected to be easy: "How do your clients know the quality of their last SOC 2 audit?"

The answers surprised me. Not because they were wrong but because they were all the same. Some variation of: "They don't, really. They trust us."

That's the auditor's dilemma in one sentence. The entire value of an audit depends on trust, but the profession has no standard way to demonstrate it.

"Trust us." That's not a value proposition. That's a prayer.

How We Got Here

SOC 2 was designed as a trust mechanism. A Type II report is supposed to tell a customer: we examined how this company controls its systems over time, and here is what we found. It is meant to be a signal of rigor.

But here's the problem: every SOC 2 report looks the same on the outside.

A report produced by a three-person firm using spreadsheets and a shared folder looks structurally identical to one produced by a 50-person practice with a formal quality management program. Same cover page. Same criteria. Same unqualified opinion unless something went badly wrong.

Clients can't tell the difference. And increasingly, auditors can't prove the difference.

The result is that trust, which should be the currency of the audit profession, is being commoditized. Clients shop on price. The market has drifted toward treating compliance as a completion exercise, and the tools, the pricing pressure, and the buyer expectations have all reinforced that drift together. The firms that are actually doing the work right (carefully, consistently, in alignment with AICPA standards) have no systematic way to show that they’re different.

The AICPA Is Paying Attention

This isn't just a business problem. The AICPA's own peer review data tells a version of the same story. Peer review deficiencies are more common than the profession likes to acknowledge, including at firms with strong reputations. And the feedback loop is broken: peer review catches quality failures years after the engagements closed. By then, the client has already moved on. The damage is already done.

The AICPA's Quality Management Standards (SQMS No. 1), which took effect in December 2025, represent the profession's most significant attempt in years to address this at a systemic level. The standard requires firms to design and implement a system of quality management, not just a quality control checklist, but a documented, monitored, and continuously improved approach to how engagements are run.

What SQMS No. 1 does not provide is a way for firms to demonstrate their quality to clients. It governs how firms manage quality internally. The external signal, the thing a client can point to and say "I know this audit was done well", still doesn't exist.

SQMS No. 1 tells firms how to manage quality. It doesn't tell clients how to see it.

Three Forces Making This Worse

The commoditization of audit trust isn't a single problem. It's the product of three forces working together:

1. Scope is often set before the auditor arrives.

By the time many engagements begin, a tool has already been configured, controls have already been mapped, and client expectations about scope have already been set. The auditor inherits a framework built around compliance completion. Their judgment about what the scope should actually include has been preempted before the first conversation. 

2. Efficiency has replaced rigor as the auditor's value proposition.

When every tool in the market, and increasingly how auditors talk about themselves, leads with speed and cost, the message clients receive is that audits are a commodity. Get it done fast. Get it done cheap. The firms that care about quality have been outselling themselves on price without meaning to.

3. There's no artifact that proves quality at engagement close.

When an audit finishes, the client receives a report. That report documents findings. What it doesn't document is the quality of the process that produced it: the consistency of evidence review, the rigor of the exception handling, the standard against which judgment calls were made. That information exists in the auditor's work papers. It is never surfaced to the client.

What Comes Next

The auditors I've spoken with (more than 25 firms over the past several months) are aware of this tension. They talk about it as a peer problem at first: "Other firms are cutting corners." But when you push, they acknowledge their own version of it: "We don't have a great way to show clients what separates us from the firm that charges half our rate."

That's an honest problem. And it's solvable.

The profession has moved from paper to digital, from local filing cabinets to cloud platforms, from manual controls to automated evidence collection. The next shift, one that I think is already underway, is from claimed quality to measurable quality. From "trust us" to "here's what the data says."

That shift requires two things: a way to capture quality signals during an engagement, and a standard against which those signals can be scored. Neither of those things is complicated in concept. They are just not yet built into how the industry works.

When they are, when an audit closes with a way to close the loop on quality at the engagement level (not in a peer review three years later but at close, as something a firm can point to and a client can understand), the commoditization problem doesn’t disappear overnight. But the firms doing the work right will finally have a way to prove it.

The firms doing the work right deserve a way to prove it. We're not there yet. But we're close.

A Question Worth Sitting With

If a client asked you tomorrow, "How do I know this audit was done well?" what would you show them?

I've been asking that question in a lot of rooms lately. The conversation that follows is always worth having.
