When is a SOC 2 audit necessary?

[hchang]

A potential customer is requesting a SOC 2 audit and report as a criteria for vendors that they will work with. We provide mobile app and web products and use third party vendors (like AWS) for hosting and data storage. The quality consultants we are using insist that we do not need a SOC 2 audit and if anything, to write a letter attesting to the controls that we do have in place. Based on what I've read, more and more companies are requesting this type of report even if they are not the data center operator. Does anyone have experience with this and what are your thoughts?

 

[mihzago]

Yes, increasingly more companies insist on SOC 2 reports or equivalent because everyone seems familiar with this one and it’s becoming almost a standard requirement.
It’s not mandatory, but they request them because your own self-certification means virtually nothing.

 

[Guest]

A potential customer is requesting a SOC 2 audit and report as a criteria for vendors that they will work with.

If you have certification to ISO 27001, and the customer doesn't know that, offer them that as an alternative (you posted in an ISO 27001 forum). Otherwise, it's a simple case of how much revenue this (potential) customer might bring to your organization and complying with their request - your sales people should be able to tell you.

 

[hchang]

Thank you for the responses thus far, it sounds like SOC 2 is minimum entry to play. Are there any start ups out there who have gone through a SOC 2 audit and willing to share their experience?

 

[hchang]

Thank you for the responses thus far, it sounds like SOC 2 is minimum entry to play. Are there any start ups out there who have gone through a SOC 2 audit and willing to share their experience?

Following up on my own post (I know...). Four months later, including after going through due diligence, vetting firms, and the approval procedures, we have completed our first SOC 2 Type 1 journey. There are several software vendors now who offer tools for monitoring and getting through/preparing for SOC audits, we went the old school route of hiring a CPA firm.

 

[Jim Wynne]

Following up on my own post (I know...). Four months later, including after going through due diligence, vetting firms, and the approval procedures, we have completed our first SOC 2 Type 1 journey. There are several software vendors now who offer tools for monitoring and getting through/preparing for SOC audits, we went the old school route of hiring a CPA firm.

Thanks for coming back with the update!