When is a SOC 2 audit necessary?

hchang · Jul 15, 2021

A potential customer is requesting a SOC 2 audit and report as a criteria for vendors that they will work with. We provide mobile app and web products and use third party vendors (like AWS) for hosting and data storage. The quality consultants we are using insist that we do not need a SOC 2 audit and if anything, to write a letter attesting to the controls that we do have in place. Based on what I've read, more and more companies are requesting this type of report even if they are not the data center operator. Does anyone have experience with this and what are your thoughts?

mihzago · Jul 16, 2021

Yes, increasingly more companies insist on SOC 2 reports or equivalent because everyone seems familiar with this one and it’s becoming almost a standard requirement.
It’s not mandatory, but they request them because your own self-certification means virtually nothing.

Guest · Monday at 10:09 AM

hchang said:

If you have certification to ISO 27001, and the customer doesn't know that, offer them that as an alternative (you posted in an ISO 27001 forum). Otherwise, it's a simple case of how much revenue this (potential) customer might bring to your organization and complying with their request - your sales people should be able to tell you.

hchang · Monday at 11:21 AM

Thank you for the responses thus far, it sounds like SOC 2 is minimum entry to play. Are there any start ups out there who have gone through a SOC 2 audit and willing to share their experience?

Thread starter	Similar threads	Forum	Replies	Date
M	How To Include Substance of Concern (SOC) Free Into TS16949 Internal Audit Plan	IATF 16949 - Automotive Quality Systems Standard	1	Nov 2, 2007
D	Substance of concern (SOC) management procedure wanted	Reliability Analysis - Predictions, Testing and Standards	3	Sep 6, 2019
K	Soc. of Manuf. Engineers (SME)/Assoc. for Manuf. Excellence (AME) Lean Certification	Professional Certifications and Degrees	4	Mar 17, 2008
I	Could IMDS Represent the SoC Free Test Report?	RoHS, REACH, ELV, IMDS and Restricted Substances	6	Nov 19, 2007
I	Must 'SoC free' test be carried out by the third party labs (such as Intertek,etc)?	IATF 16949 - Automotive Quality Systems Standard	1	Nov 18, 2007
B	Gamma Quarterly Audit	Medical Device and FDA Regulations and Standards News	0	Wednesday at 5:03 PM
A	Anxiety - ISO Re-registration Audit	ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards	26	Wednesday at 11:51 AM
	Auditor MDR (Presub audit) finding	EU Medical Device Regulations	2	Tuesday at 11:10 AM
Q	Easy CARs for Internal Audit	ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards	14	Monday at 8:14 PM
D	Question and advice for a supplier self audit questionnaire	ISO 13485:2016 - Medical Device Quality Management Systems	6	Monday at 10:42 AM
S	Quarterly Dose Audit	Medical Device and FDA Regulations and Standards News	5	Jul 16, 2021
J	NCR- Failure of contract review process - NADCAP audit	AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements	6	Jul 15, 2021
D	Special IATF audit of sub-supplier	IATF 16949 - Automotive Quality Systems Standard	5	Jul 14, 2021
A	Internal audit plan and processes for ISO 14001:2015	ISO 14001:2015 Specific Discussions	3	Jul 2, 2021
D	Question on using audit checklist ISO 13485:2016	ISO 13485:2016 - Medical Device Quality Management Systems	12	Jul 1, 2021
C	API Q1 internal audit report	Internal Auditing	3	Jun 25, 2021
P	Filled in F48/F49 for internal audit ISO 17025:2017	Internal Auditing	1	Jun 23, 2021
A	IRIS audit - Discussion about Special Processes	General Auditing Discussions	11	Jun 22, 2021
J	Internal audit random sampling methodology	Internal Auditing	2	Jun 21, 2021
D	Major NC from last audit not fixed not sure how to fix	General Auditing Discussions	9	Jun 17, 2021
X	Sample SOC2 audit report (or a redacted one)	IEC 27001 - Information Security Management Systems (ISMS)	0	Jun 14, 2021
D	Lead time to schedule an ISO 13485 audit	General Auditing Discussions	2	Jun 10, 2021
G	Organizing internal audit program for an Integrated QHSE Management System	Internal Auditing	13	Jun 10, 2021
S	Does anyone have a checklist to prepare for ISO 13485, Stage I audit?	ISO 13485:2016 - Medical Device Quality Management Systems	1	Jun 7, 2021
W	How do you phrase your internal audit questions?	Internal Auditing	3	Jun 2, 2021
Z	Steps to take before an MDSAP audit for Canada	Canada Medical Device Regulations	2	May 21, 2021
V	Csv, excel format - audit trail file of HPLC system ( Empower, openlab, EZchrom or any other )	Qualification and Validation (including 21 CFR Part 11)	0	May 20, 2021
G	Not accepting a non conformity during an audit	General Auditing Discussions	11	May 16, 2021
K	IATF audit day requirements table 5.2	IATF 16949 - Automotive Quality Systems Standard	6	May 13, 2021
Q	ISO 9001/IATF 16949 Audit Finding Question - Document Retention	IATF 16949 - Automotive Quality Systems Standard	11	May 7, 2021
M	IATF - Internal Audit 3 year span	Internal Auditing	4	May 7, 2021
Q	Audit report template ISO 9001/14001	ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards	13	Apr 23, 2021
Q	ISO 9001-2015 Internal audit finding	Internal Auditing	12	Apr 17, 2021
	How to understand this words that the planning of internal audit shall take into consideration the results of previous audits?	Oil and Gas Industry Standards and Regulations	10	Apr 16, 2021
P	Audit check for IT company (ISO 9001)	ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards	7	Apr 14, 2021
D	Supplier audit	Medical Device and FDA Regulations and Standards News	2	Apr 13, 2021
M	Go Live With New ERP System before Recertification Audit	General Auditing Discussions	6	Apr 13, 2021
A	Add MDSAP to Internal Audit Schedule	Medical Device Related Regulations	0	Apr 5, 2021
A	Define timeline for Major and Miner Audit finding	General Auditing Discussions	4	Apr 5, 2021
J	IATF 16949 Internal Audit question - Auditor's responsibility	Internal Auditing	6	Apr 2, 2021
A	API Monogram audit review process	Oil and Gas Industry Standards and Regulations	4	Mar 24, 2021
S	IATF 16949 Internal Audit Example	IATF 16949 - Automotive Quality Systems Standard	13	Mar 22, 2021
B	Remote IATF 16949 audit preparation	General Auditing Discussions	10	Mar 22, 2021
M	AS9100D Registrar pre-audit requirements	AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements	15	Mar 15, 2021
I	Do I need to sign off my annual audit calendar?	Internal Auditing	2	Mar 14, 2021
R	AS9100D internal audit checklist or ISO 9001 2015 to AS9100 D	AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements	2	Mar 11, 2021
M	Nice and simple invitation email to an audit kickoff meeting	Internal Auditing	1	Mar 9, 2021
M	IATF 16949 - Audit of Remote Location/Support Site and IT	IATF 16949 - Automotive Quality Systems Standard	4	Mar 4, 2021
Q	IATF audit - Root Cause Analysis results	IATF 16949 - Automotive Quality Systems Standard	5	Mar 3, 2021
Q	Self-assessment audit information	Quality Management System (QMS) Manuals	6	Feb 26, 2021

When is a SOC 2 audit necessary?

hchang

Registered

mihzago

Guest

Starting to get Involved

hchang

Registered

Similar threads