I have direct experience telling a SOC 2 auditor that the approval control for installing applications on “endpoints” was a message to a Slack channel that was assumed approved.

To satisfy the audit they looked at an app that was installed on a laptop that was not part of our base image from the previous 6 months and a screenshot of the message where the user “asked” to install it.

You can literally get a SOC auditor to write up whatever you want as a control, and if they don’t explain that and encourage it, you should find a new auditor.

> No one who has ever actually had to do SOC 2 compliance

While I find tptacek's opinions very strong on the subject, you would be extremely mistaken to think those opinions were formed without experience.
