7 myths about SOC 2 compliance

Understand what your company needs to achieve SOC 2 compliance and keep your customer data protected.

November 25, 2022


While an increasing number of companies are seeing the need for SOC 2 compliance, there’s still a lot of confusion about the process. Do all companies need to be SOC 2 compliant? What type of information will the report include? 

This article aims to clear the confusion and debunk the biggest myths about the SOC 2 compliance process. 

1. SOC 2 is a certification 

Of all the SOC 2 myths out there, this is one of the most prevalent.  

SOC 2 is not a certification, but a report on a company’s compliance efforts.  

Once a SOC 2 audit is complete, the auditor will issue the company a report with an analysis of whether its operations are SOC 2 compliant.  

Since an auditor can only determine a company’s compliance over the audit assessment period, it’s recommended to get your SOC 2 audit on an annual basis. 

Compliance is assessed according to the following five Trust Services Criteria (TSC): security, availability, processing integrity, confidentiality, and privacy. Of the five criteria, however, security is the only TSC required for SOC 2 compliance.

2. Auditors want to find issues  

It’s a popular opinion that auditors are only looking for issues within your company. 

However, while audits by nature examine every operational detail, companies and auditors want the same thing — to ensure the security of customer data. A secure company benefits everyone, and most auditors want companies to pass their audit. 

That said, you shouldn’t hire any auditor without a thorough vetting process. You will work extensively with this individual and trust them with important company details. Select an auditor who aligns with your work ethic and understands your specific needs. 

3. SOC 2 is not worth the cost 

Today’s clients are increasingly invested in a company’s data privacy and protection measures. Before even considering a purchase, it’s common for clients to request a SOC 2 report as evidence of security compliance. 

Aside from facilitating client sales, SOC 2 compliance serves as a competitive advantage and builds trust in your company’s reputation.  

While it can be difficult to quantify the exact value of SOC 2 compliance, an annual report demonstrates your company’s effort to protect personal data and can effectively bring in new business. 

4. SOC 2 is a checklist of required controls 

Rather than a checklist of defined controls, SOC 2 audits are based on general objectives or criteria that give companies more flexibility in how they choose to achieve compliance.

For instance, a company’s customer support training can meet both the availability and confidentiality criteria.  

An auditor’s control list depends on the specific company and the controls they put in place to meet their determined objectives.  

5. SOC 2 only covers technical processes 

While many SOC 2 criteria fall under technical and software-related processes, they are not the only areas covered by the audit. 

SOC 2 also encompasses COSO, a framework that includes the following components:  

  • Control environment  
  • Risk assessment  
  • Information and communication  
  • Existing control activities  
  • Monitoring activities 

SOC 2 is a comprehensive examination that looks at a company’s overall infrastructure to determine whether it has a complete and trusted governance structure.

6. Companies can use their service provider’s SOC 2 report 

All companies need to go through their own audit to get a SOC 2 report. Even if their software applications are hosted by another company that’s SOC 2 compliant, such as AWS or Microsoft Azure, every company is responsible for their own compliance.  

The shared responsibility model recognizes that different companies implement their own set of controls and will therefore need to secure their own SOC 2 report.  

7. A SOC 2 report can be done in a few weeks 

A company can only begin a SOC 2 audit after its controls have been implemented for at least a few weeks. Furthermore, an auditor can take several months to review all systems and create a report. 

While the total audit duration depends on several factors, it’s unlikely a SOC 2 report will be ready in less than a month. 

It takes time to build a reliable security program, as well as document the entire company’s procedures and policies needed for SOC 2 compliance. 


