hey elias!
good question. i would be curious first if these contractors have access to any environment that contains real customer data or connects to any of your production infrastructure? If yes, they'd likely need to be in scope for at least some personnel controls like policy acknowledgment and a confidentiality agreement. If they're truly working in an isolated sandbox with no real data, you can scope them out; you'd just want to document that reasoning for your auditor. even if they're scoped out, auditors sometimes still want to see that contractors go through some baseline onboarding (like policy acknowledgment) just to show the company has consistent contractor management practices (as a best practice though, best to check with your auditor too, for official confirmation).