Vanta, Drata, Thoropass, or None of the Above?

An Unbiased Guide to SOC 2 Automation Software

By Kate Williams, IT Security & Compliance Partner

As the number of SOC 2 reports has increased, so has the number of SOC 2 compliance automation software companies. In many ways, the rise of these companies has brought efficiency to an otherwise painful process, but not without some significant drawbacks. Systems like Vanta, Drata, and Laika can be incredibly powerful for larger organizations that have to comply with multiple compliance frameworks. In our opinion, the jury is still out for startups on whether the spend is worthwhile. Companies also need to be aware of these SOC 2 compliance automation software red flags:

Auditor Exclusivity

The goal of SOC 2 is to create a credible report that builds trust with your customers and prospects. Unfortunately, some compliance automation software companies are incentivized to partner with cheap audit firms, so they keep more of your compliance budget. You have the right to choose your audit firm. An audit firm that can drop its SOC 2 audit fees to $5,000 using an automation platform was never going to provide much value anyway. Good software does not lead to a good SOC report; a good SOC auditor does.

Claims to Fully “Automate” Readiness

The point of SOC 2 Readiness is to create a custom set of controls designed to meet SOC 2 requirements efficiently given a company’s size, industry, and IT systems. Software companies are designed for scalability, not customization, leading to unnecessary policies and requirements that waste time.

Biased Information

If you Google “SOC 2”, the top results will be SOC automation companies, like Vanta, Drata, and Laika. This means most companies learn how to be SOC 2 certified from a software company, not from a SOC auditor.

Pros

  • Effective way to streamline evidence collection, especially for larger organizations
  • SOC 2 auditors leverage the platform to generate evidence for the report
  • Continuous auditing to spot issues early
  • Templates can shorten the time to create policies and procedures
  • Many support multiple frameworks, making it easy to see how compliant you are across frameworks
  • Data storage and audit logging create and centralize evidence automatically
  • Fewer additional evidence requests and less manual retesting of controls
  • Real-time alerts for issues that could threaten compliance

Cons

  • Only saves time with evidence collection if the software integrates with the systems you use
  • Some platforms are incentivized to partner with cheap audit firms, so they keep more of your compliance budget
  • Overreliance can create an information security program that doesn’t reflect your organization
  • Software companies are designed to be scalable, not overly customizable, applying a “cookie cutter approach” to SOC 2
  • Many SOC audit firms on the platforms lack credibility
  • Creates another system that you have to use and manage
  • Forces the use of systems and applications based on available integrations, not cost or preference

At ML&R, we work with clients that use automation software and those that don’t. We have invested in technology that makes uploading evidence and mapping controls across frameworks easy. If you’re considering SOC compliance automation software, reach out to us for unbiased feedback on whether the software is a worthwhile investment based on your compliance program and requirements.

Kate Williams, CPA, CISA - IT Security & Compliance Partner