Comment by whatinthenote
2 months ago
It feels like I'm screaming into the void, but compliance work is bad because people make it so.
Willfully paying for a service that offers SOC 2 reports at 1/5th the usual rate and delivers them in days instead of months and deluding themselves (and others) that it's a proper audit.
Taking cookie-cutter policies/controls and jamming them into your org without any awareness whatsoever. Acting surprised when employees complain about draconian rules and the audit process is a pain because you wanted to take the shortcut.
Why can't people just do it the proper way the first time? Pay for a reputable auditing firm, write your own policies and implement controls that map to the actual organization, do a gap assessment with the auditing firm so that both parties are aligned on expectations, and spend the necessary time to undergo the audit. Getting it should be a milestone if you actually take it seriously and have a modicum of professionalism.
In my eyes, audits should be a trust exercise. You trust that your organization is organized in a way that meets standards (by doing the work) and the auditors trust that you aren't faking your evidence. As someone who has to regularly vet countless new software purchases, SOC 2 actually serves a role. Does anyone have a better idea of getting third party validation of how another company operates? Like sending them tons of questionnaires is the solution?
All this just breaks that trust by facilitating certification mills. Another example of fraud stemming from a country that churns out fake degrees, fake papers, fake conferences, and fake references.