When is a SOC 2 audit necessary?

hchang · Jul 15, 2021

A potential customer is requesting a SOC 2 audit and report as a criteria for vendors that they will work with. We provide mobile app and web products and use third party vendors (like AWS) for hosting and data storage. The quality consultants we are using insist that we do not need a SOC 2 audit and if anything, to write a letter attesting to the controls that we do have in place. Based on what I've read, more and more companies are requesting this type of report even if they are not the data center operator. Does anyone have experience with this and what are your thoughts?

mihzago · Jul 16, 2021

Yes, increasingly more companies insist on SOC 2 reports or equivalent because everyone seems familiar with this one and it’s becoming almost a standard requirement.
It’s not mandatory, but they request them because your own self-certification means virtually nothing.

Guest · Jul 19, 2021

hchang said:

If you have certification to ISO 27001, and the customer doesn't know that, offer them that as an alternative (you posted in an ISO 27001 forum). Otherwise, it's a simple case of how much revenue this (potential) customer might bring to your organization and complying with their request - your sales people should be able to tell you.

hchang · Jul 19, 2021

Thank you for the responses thus far, it sounds like SOC 2 is minimum entry to play. Are there any start ups out there who have gone through a SOC 2 audit and willing to share their experience?

Thread starter	Similar threads	Forum	Replies	Date
M	How To Include Substance of Concern (SOC) Free Into TS16949 Internal Audit Plan	IATF 16949 - Automotive Quality Systems Standard	1	Nov 2, 2007
D	Substance of concern (SOC) management procedure wanted	Reliability Analysis - Predictions, Testing and Standards	3	Sep 6, 2019
K	Soc. of Manuf. Engineers (SME)/Assoc. for Manuf. Excellence (AME) Lean Certification	Professional Certifications and Degrees	4	Mar 17, 2008
I	Could IMDS Represent the SoC Free Test Report?	RoHS, REACH, ELV, IMDS and Restricted Substances	6	Nov 19, 2007
I	Must 'SoC free' test be carried out by the third party labs (such as Intertek,etc)?	IATF 16949 - Automotive Quality Systems Standard	1	Nov 18, 2007
M	How to answer ISO9001:2015 audit finding of old revisions of documents being used?	Document Control Systems, Procedures, Forms and Templates	5	Yesterday at 9:03 AM
B	UKRP to what level should you audit Class I Technical Documentation?	UK Medical Device Regulations	0	Monday at 10:10 AM
I	Audit is tomorrow but I refused to participate	Misc. Quality Assurance and Business Systems Related Topics	11	Sunday at 7:35 AM
I	ISO 17025:2017 / ANAB 3125 - Articulating / Communicating Risks vis-a-vis Audit Findings	ISO 17025 related Discussions	2	Sunday at 7:05 AM
D	Verify Audit Trail of SaaS system	Pharmaceuticals (21 CFR Part 210, 21 CFR Part 211 and related Regulations)	3	Thursday at 5:42 AM
D	Re-labeler - audit the supplier	EU Medical Device Regulations	2	Sep 9, 2021
J	Outsourced Internal Audit requirements for Aerospace Suppliers	AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements	21	Aug 19, 2021
A	PPAP question for audit	APQP and PPAP	16	Aug 16, 2021
D	Number of people to be interviewed during an internal audit?	Internal Auditing	6	Aug 13, 2021
B	Gamma Quarterly Audit	Medical Device and FDA Regulations and Standards News	1	Jul 21, 2021
A	Anxiety - ISO Re-registration Audit	ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards	69	Jul 21, 2021
	Auditor MDR (Presub audit) finding	EU Medical Device Regulations	2	Jul 20, 2021
Q	Easy CARs for Internal Audit	ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards	14	Jul 19, 2021
D	Question and advice for a supplier self audit questionnaire	ISO 13485:2016 - Medical Device Quality Management Systems	6	Jul 19, 2021
S	Quarterly Dose Audit	Medical Device and FDA Regulations and Standards News	5	Jul 16, 2021
J	NCR- Failure of contract review process - NADCAP audit	AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements	6	Jul 15, 2021
D	Special IATF audit of sub-supplier	IATF 16949 - Automotive Quality Systems Standard	18	Jul 14, 2021
A	Internal audit plan and processes for ISO 14001:2015	ISO 14001:2015 Specific Discussions	3	Jul 2, 2021
D	Question on using audit checklist ISO 13485:2016	ISO 13485:2016 - Medical Device Quality Management Systems	20	Jul 1, 2021
C	API Q1 internal audit report	Internal Auditing	3	Jun 25, 2021
P	Filled in F48/F49 for internal audit ISO 17025:2017	Internal Auditing	2	Jun 23, 2021
A	IRIS audit - Discussion about Special Processes	General Auditing Discussions	11	Jun 22, 2021
J	Internal audit random sampling methodology	Internal Auditing	2	Jun 21, 2021
D	Major NC from last audit not fixed not sure how to fix	General Auditing Discussions	10	Jun 17, 2021
X	Sample SOC2 audit report (or a redacted one)	IEC 27001 - Information Security Management Systems (ISMS)	0	Jun 14, 2021
D	Lead time to schedule an ISO 13485 audit	General Auditing Discussions	2	Jun 10, 2021
G	Organizing internal audit program for an Integrated QHSE Management System	Internal Auditing	13	Jun 10, 2021
S	Does anyone have a checklist to prepare for ISO 13485, Stage I audit?	ISO 13485:2016 - Medical Device Quality Management Systems	1	Jun 7, 2021
W	How do you phrase your internal audit questions?	Internal Auditing	3	Jun 2, 2021
Z	Steps to take before an MDSAP audit for Canada	Canada Medical Device Regulations	2	May 21, 2021
V	Csv, excel format - audit trail file of HPLC system ( Empower, openlab, EZchrom or any other )	Qualification and Validation (including 21 CFR Part 11)	0	May 20, 2021
G	Not accepting a non conformity during an audit	General Auditing Discussions	11	May 16, 2021
K	IATF audit day requirements table 5.2	IATF 16949 - Automotive Quality Systems Standard	6	May 13, 2021
Q	ISO 9001/IATF 16949 Audit Finding Question - Document Retention	IATF 16949 - Automotive Quality Systems Standard	11	May 7, 2021
M	IATF - Internal Audit 3 year span	Internal Auditing	4	May 7, 2021
Q	Audit report template ISO 9001/14001	ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards	13	Apr 23, 2021
Q	ISO 9001-2015 Internal audit finding	Internal Auditing	14	Apr 17, 2021
	How to understand this words that the planning of internal audit shall take into consideration the results of previous audits?	Oil and Gas Industry Standards and Regulations	10	Apr 16, 2021
P	Audit check for IT company (ISO 9001)	ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards	7	Apr 14, 2021
D	Supplier audit	Medical Device and FDA Regulations and Standards News	2	Apr 13, 2021
M	Go Live With New ERP System before Recertification Audit	General Auditing Discussions	6	Apr 13, 2021
A	Add MDSAP to Internal Audit Schedule	Medical Device Related Regulations	0	Apr 5, 2021
A	Define timeline for Major and Miner Audit finding	General Auditing Discussions	4	Apr 5, 2021
J	IATF 16949 Internal Audit question - Auditor's responsibility	Internal Auditing	6	Apr 2, 2021
A	API Monogram audit review process	Oil and Gas Industry Standards and Regulations	5	Mar 24, 2021

When is a SOC 2 audit necessary?

hchang

Registered

mihzago

Guest

On Holiday

hchang

Registered

Similar threads