SOC 2 · IT Outsourcing

SOC 2 for Vietnamese IT outsourcing companies

When US customers actually require it, what the scope covers for outsourcing, and a realistic roadmap to get started.

By pTrackly Compliance Team · Updated July 2026 · AICPA SOC 2

When a US customer actually asks for SOC 2

Not every deal raises this question. With small US startups or SMBs, the topic rarely comes up. But with enterprise and fintech, four specific situations arise:

01
Vendor security questionnaire

Procurement sends an 80-150 question questionnaire. One of the first items: "Do you have a SOC 2 Type II report?" Answering no does not kill the deal immediately, but the security team escalates and asks for compensating controls.

02
MSA with explicit SOC 2 clause

The customer's Master Service Agreement states: "Service Provider shall maintain SOC 2 Type II compliance and provide an annual report upon request." Signing that MSA means you have committed to the report.

03
Deal blocked at security review

Technical scoping is done, commercial terms are agreed, then the customer's CISO steps in. They request evidence of access controls and incident response. Without a SOC 2 report, you submit individual policy documents. That process takes weeks.

04
Enterprise RFP with mandatory requirement

The RFP lists a SOC 2 Type II report as a mandatory requirement. Without the report, the submission is eliminated at qualification before technical evaluation.

If you have not run into any of the above, SOC 2 is not an immediate priority. Once your pipeline starts including US enterprise deals, that is the time to run a gap assessment.

What SOC 2 covers for an outsourcing company

For a software outsourcing or BPO company, SOC 2 scope typically covers the software development environment: access to source code and production systems, employee account management (onboarding, offboarding, least privilege), how client data is handled during development and testing, incident response procedures for breaches or unauthorized access, and logging and monitoring of internal systems. The auditor evaluates whether these controls are properly designed (Type I) or operating effectively over a period of time (Type II). There are no headcount or revenue thresholds: scope is defined by agreement between you and the auditor.

SOC 2 versus ISO 27001 for outsourcing

Aspect SOC 2 ISO 27001
Who requires it US enterprise and fintech Japan, EU, Singapore, global enterprise
Output type Audit report (not a certificate) International certificate
Control overlap 60-70% of controls overlap
Time to first credential Type I: 3-6 months Certificate: 6-18 months
Annual audit cost Ask 2-3 CPA firms to compare Varies by CB and company size
Note: If your company already holds ISO 27001, most of the controls required for SOC 2 are already in place. Gaps typically sit in evidence collection processes and the observation period, not in rebuilding from scratch.

Roadmap: getting SOC 2 as an outsourcing company

Months 1-2
Gap assessment and readiness review

Define scope, select Trust Service Criteria (Security is required, Availability and Confidentiality depend on customer requirements). Assess existing controls and document gaps.

Months 2-4
Control implementation

Four main control areas to build out: access management (MFA, least privilege, periodic access review), logging and monitoring, incident response procedure with runbook and tested exercises, HR security (onboarding checklist, background check policy, offboarding revocation).

Months 4-5
Type I audit

A CPA firm examines the design of controls at a specific point in time. The Type I report shows controls are suitably designed. Some customers accept Type I while waiting for Type II.

Months 5-11
Observation period and evidence collection

Controls must operate consistently for at least 6 months. During this period, collect evidence continuously: access logs, change management records, incident reports, vendor review records. This is the most execution-intensive phase.

Months 12-15
Type II audit

The CPA firm evaluates both the design and the operating effectiveness of controls throughout the observation period. The result is the SOC 2 Type II report that US enterprise customers require.

Cost reality: what to know before budgeting

Readiness assessments through consultants in the US market typically fall between $5,000 and $20,000, depending on scope and the number of controls being reviewed. Local Vietnamese consultants may charge substantially different rates.

Actual audit fees vary widely by scope and the CPA firm you select. There is no reliable total cost figure to give here because the range across cases is too broad. The most practical approach is to contact 2-3 AICPA-licensed CPA firms directly, describe your specific scope (number of systems, headcount in scope, selected TSC), and compare quotes before planning your budget.

Beyond audit fees, factor in: compliance tooling costs (if using a platform to automate evidence), internal staff time for control implementation and evidence collection, and remediation costs if the gap assessment uncovers significant infrastructure issues.

Frequently asked questions

Do US customers actually require SOC 2?

Not all of them, but US enterprise and fintech buyers frequently require it. The clearest signal is a vendor security questionnaire or Master Service Agreement with a SOC 2 clause. Startups and SMBs rarely require it.

Does a 50-person outsourcing company need SOC 2?

It depends on the customer, not the company size. If a large US customer requires a SOC 2 report, a 50-person shop still needs it to keep the contract. If all customers are startups or SMBs, you likely do not need it.

SOC 2 or ISO 27001 for outsourcing?

ISO 27001 is the better fit if you have customers in Japan, EU, or Singapore. SOC 2 is better if customers are primarily in the US. Many large Vietnamese outsourcing companies do both because they serve both markets.

Ready to get audit-ready?

Book a 15-minute call. See the platform. Decide if it fits.

Book Free Demo 15 min, no commitment
No credit card required Setup in 24 hours Cancel anytime
Book a Demo