When is a SOC 2 audit necessary?

#1
A potential customer is requesting a SOC 2 audit and report as a criterion for vendors that they will work with. We provide mobile app and web products and use third-party vendors (like AWS) for hosting and data storage. The quality consultants we are using insist that we do not need a SOC 2 audit and, if anything, to write a letter attesting to the controls that we do have in place. Based on what I've read, more and more companies are requesting this type of report even if they are not the data center operator. Does anyone have experience with this, and what are your thoughts?
 

mihzago

Trusted Information Resource
#2
Yes, increasingly more companies insist on SOC 2 reports or equivalent because everyone seems familiar with this one and it’s becoming almost a standard requirement.
It’s not mandatory, but they request them because your own self-certification means virtually nothing.
 
#3
A potential customer is requesting a SOC 2 audit and report as a criterion for vendors that they will work with.
If you have certification to ISO 27001, and the customer doesn't know that, offer them that as an alternative (you posted in an ISO 27001 forum). Otherwise, it's a simple case of how much revenue this (potential) customer might bring to your organization and complying with their request - your sales people should be able to tell you.
 
#4
Thank you for the responses thus far; it sounds like SOC 2 is the minimum entry to play. Are there any start-ups out there who have gone through a SOC 2 audit and are willing to share their experience?
 
#5
Following up on my own post (I know...). Four months later, including after going through due diligence, vetting firms, and the approval procedures, we have completed our first SOC 2 Type 1 journey. There are several software vendors now who offer tools for monitoring and getting through/preparing for SOC audits, we went the old school route of hiring a CPA firm.
 

Jim Wynne

Leader
Admin
#6
Thanks for coming back with the update!
 