SOC 2 has never been more widely adopted. Or more uneven in quality. As buyer expectations rise and low-cost auditors flood the market, the gap between SOC 2’s intended value and its actual use is widening.
To unpack what’s really happening, we sat down with our President and Co-Founder Eva Pittas and Audit Managing Partner Leith Khanafseh to discuss the commoditization of SOC 2, its impact on enterprise trust, and what the future looks like for SOC 2.
Here are the six biggest insights from that conversation.
SOC 2 has been commoditized—but only at the low end of the market
There was no hesitation when we asked whether SOC 2 has become a commodity.
Yes, I do believe that over the last decade it has become a commodity. There's been this proliferation of audit firms that have effectively made it more of a check-the-box exercise vs a real demonstration of a strong security and compliance posture. - Eva Pittas, President and Chief Customer Officer, Thoropass
But Leith drew an important distinction: technically, all information security audits and certifications have been commoditized to some extent. What security leaders need to understand is that this commoditization is concentrated at the low end of the market, a segment that never delivered real value or real assurance to begin with. While lower-quality providers churn out “SOC 2-in-a-box” offerings, reputable firms still produce reports that materially influence enterprise trust and due diligence.
Enterprises can instantly distinguish a real SOC 2 from a rubber-stamp one
One theme came through clearly: buyers, especially large enterprises, know the difference between a quality report and one where the auditor was just checking the boxes.
Enterprise security teams can instantly distinguish between a check the boxes report and a report that reflects real testing, real judgment, and an understanding of cloud architecture... there is still enormous value in those audits. - Leith Khanafseh, Audit Managing Partner, Thoropass
Drawing on her experience leading vendor risk at Citi, Eva pointed out that in a large enterprise someone is actually reading these reports and expecting alignment with their requirements, so the quality of the report is critical. And today, she warned, a poor-quality report can quietly knock a vendor out of consideration.
You're definitely either putting the deal at risk or you're getting DQ'd before you even know it... You get disqualified immediately because your organization clearly has a very low quality bar when it comes to security. - Eva Pittas, President and Chief Customer Officer, Thoropass
For mid-market companies selling into enterprise environments, a SOC 2 that lacks rigor can be worse than no SOC 2 at all. It signals that security is not culturally valued within your organization.
“Rubber-stamp” audits erode trust and reveal deeper cultural security gaps
Rubber-stamp audits are everywhere. But the organizations using them don’t always realize how visibly such a report signals that the organization doesn’t actually prioritize security or compliance. Some auditors essentially copy and paste reports, so that on paper it looks like all the work has been done, but any experienced reader can see that none of it applies to your specific organization.
A weak SOC 2 doesn’t just reflect on the auditor—it reflects on the organization presenting it. Buyers infer cultural maturity (or lack thereof) from the rigor behind the attestation.
Automation can strengthen SOC 2, but only if paired with human judgment
Both Eva and Leith emphasized that automation is reshaping the compliance landscape, but they were clear about its limits. The technical pieces can be automated; the operational judgment still requires humans. Responsible automation enhances (rather than replaces) the auditor.
Automation should replace repetitive audit mechanics, but it shouldn't replace the auditor or the auditor's brain. A well-balanced approach pairs machine efficiency with human skepticism. - Leith Khanafseh, Audit Managing Partner, Thoropass
And both agreed that continuous evidence verification will soon be seen as more trustworthy than one-day-a-year manual checks.
SOC 2 must evolve or risk becoming outdated
Another problem with SOC 2 in today's compliance world is that it reviews the past, not the present. A SOC 2 report looks back over a historical period, but the best predictor of future performance is what a company is doing today, right now. Technology now allows a current view of an organization’s security posture, and SOC 2 has not kept up with this.
In the future, SOC 2 might be updated to reflect an organization’s current landscape. Without that, it risks losing relevance. One way smart organizations are overcoming this today is by pairing SOC 2 with other attestations, such as HITRUST certification. Other frameworks and attestations can help you prove your security posture in areas where SOC 2 falls short, and a multi-framework approach demonstrates a commitment to your overall security posture.
Whether a company avoids low-quality checkbox audits and overly manual, expensive processes comes down to its audit partner. Your partner needs to be involved throughout the year to give you guidance, not just at the end when it comes time for your audit. A credible SOC 2, or any audit, isn’t produced in a 60-day audit window. It’s built through an ongoing relationship that prioritizes rigor, independence, and strategic alignment.
The auditor should really understand your company. Where you're selling, where you're going. You want to be able to look around the corner and build for the future, not just for today. The audit partner you're looking for should be right there with you throughout the year whenever you need guidance, helping you stay ready for your next audit. - Eva Pittas, President and Chief Customer Officer, Thoropass
SOC 2 can still drive trust when pursued properly
SOC 2 itself isn’t the problem. The inconsistency in audit quality and audit providers is. With the proliferation of lower-quality audit partners, it’s important to be more careful about who you select for your audits, and this doesn’t only apply to SOC 2. You’ll want an audit partner that has completed the AICPA peer review program with a strong rating. There are red flags to watch out for and questions you should ask every prospective audit partner before making a decision.
Check out our Cybersecurity audit & assurance buyer’s guide to learn more about finding the audit partner that’s right for your org.