Raymond Cheng of Decrypt Compliance Highlights a More Practical Approach Among SOC 2 Audit Firms

The conversation around cybersecurity compliance has changed. Fast-growing SaaS companies are no longer treating SOC 2 as a simple procurement checkbox. Buyers are asking harder questions. Security reviews are deeper. Enterprise clients expect evidence, not promises.

That shift is one reason Raymond Cheng, Founder and CEO of Decrypt Compliance, believes the role of SOC 2 audit firms is evolving in real time.

And honestly, it needed to.

For years, many technology companies approached compliance with frustration. Founders often described audits as rigid, slow, and disconnected from how modern engineering teams actually operate. Security leaders were expected to pause product momentum just to satisfy documentation requests that sometimes felt outdated before the audit even ended.

Raymond Cheng saw both sides of that experience firsthand.

Before launching Decrypt Compliance, Cheng led and participated in more than 50 technology audits while working at EY, supporting Fortune 50 organizations including Alphabet. Later, his in-house leadership roles at Salesforce and Tencent exposed another reality — what compliance looks like from inside fast-moving technology companies where timelines, deployments, customer commitments, and operational complexity rarely slow down for auditors.

That perspective became the foundation behind Decrypt Compliance, a Silicon Valley-based cybersecurity audit firm focused on helping SaaS businesses approach SOC 2 and other frameworks with more clarity and less operational friction.

“We kept seeing companies treated like templates,” said Raymond Cheng. “But startups, AI platforms, enterprise SaaS businesses, and growing cloud-native teams don’t all carry the same risks. Good audits should reflect operational reality, not just generic checklists.”

It is a point many security leaders quietly agree with.

The pressure on SaaS companies has intensified over the past few years. Procurement teams now routinely ask for SOC 2 reports before vendor onboarding discussions even move forward. Some organizations lose deals simply because compliance readiness is delayed. Others overbuild controls that create unnecessary operational burden.

Somewhere in the middle is where most companies actually need to be.

Decrypt Compliance positions itself differently from traditional SOC 2 audit firms by focusing on what the company calls “right-sized assurance.” The idea is relatively simple: align controls to actual business risks, customer expectations, and company maturity instead of forcing organizations into oversized compliance programs that drain engineering time.

That approach appears to be resonating.

The firm has now worked with more than 100 clients across B2B SaaS and related technology sectors. Its services include SOC 2 audits, ISO 27001, ISO 27701, ISO 42001, and HITRUST assessments, often through coordinated audit workflows intended to reduce duplicated effort across frameworks.

And that matters more than people think.

Security teams are increasingly stretched across AI governance, privacy requirements, vendor risk reviews, cloud infrastructure oversight, and expanding regulatory expectations. Compliance can easily become fragmented if audit partners fail to understand the underlying technology environments companies actually operate.

Cheng believes technical literacy inside audit firms is becoming non-negotiable.

“CISOs want auditors who understand cloud architecture, DevOps workflows, automation pipelines, and modern SaaS environments,” Cheng explained in a recent industry discussion. “They don’t want theoretical conversations disconnected from operational systems.”

That philosophy also shapes Decrypt Compliance’s internal hiring and credential standards. The firm includes professionals with backgrounds spanning Big Four consulting, cloud technology environments, governance risk management, and enterprise cybersecurity operations.

Cheng himself holds several respected industry credentials, including CPA, CISSP, CISA, CIPP/E, and CITP designations. He currently serves on the AICPA Technology Strategic Advisory Group and the AICPA CITP Credential Committee.

In 2025, Forbes recognized Cheng on its inaugural Best-In-State CPAs list, citing expertise, innovation, and professional leadership within technology assurance. Earlier, the American Institute of Certified Public Accountants honored him with its Technology Advisory Standing Ovation recognition for contributions to technology assurance and compliance innovation.

Still, Cheng tends to speak less about awards and more about process quality.

That comes through clearly in how Decrypt Compliance describes its audit philosophy.

The firm emphasizes responsiveness, operational practicality, and what it calls “credible assurance.” Internally, the company rejects what Cheng refers to as “rubber stamp audits,” where assessments focus more on speed than actual confidence in security posture.

There is a subtle but important distinction there.

A growing number of buyers are becoming more sophisticated in how they review SOC 2 reports. Rather than simply checking that a report exists, procurement and third-party risk teams increasingly read the report itself: which Trust Services Criteria and systems are in scope, whether it is a Type I (point-in-time) or Type II (operating effectiveness over a period) report and what period it covers, how deeply the auditor tested, which subservice organizations such as cloud providers are carved out, and what exceptions the auditor noted.

In other words, not all SOC 2 reports carry equal credibility anymore.

This trend has pushed many SaaS companies to reconsider which SOC 2 audit firms they partner with, particularly as enterprise customers place greater attention on audit quality and long-term defensibility.

Decrypt Compliance says its model was built around that exact challenge.

Rather than positioning audits as isolated events, the company encourages organizations to treat compliance as part of a broader customer trust strategy. Readiness assessments, implementation guidance, and certification support are intended to align with long-term operational maturity rather than temporary audit preparation.

That idea of “trust as infrastructure” appears often in Cheng’s public commentary.

It also reflects broader market changes. SaaS buyers increasingly expect vendors to demonstrate mature governance around privacy, AI systems, cybersecurity controls, and third-party risk. As frameworks continue expanding, many companies are searching for audit firms capable of guiding multiple overlapping compliance obligations without creating duplicated workstreams.

Decrypt Compliance has increasingly focused on integrated assessment models for that reason.

According to the firm, clients pursuing SOC 2 frequently expand into ISO 27001, privacy certifications, or AI governance frameworks as procurement expectations mature. Coordinating those audits through aligned control structures can significantly reduce operational burden.

For engineering-heavy SaaS companies, efficiency matters.

A lot.

Cheng often discusses the operational fatigue that growing startups experience during poorly managed audits. Excessive evidence requests, disconnected timelines, and repetitive interviews can quietly impact product velocity and internal morale.

“Compliance should support growth,” Cheng noted in a recent company discussion. “It shouldn’t create unnecessary friction that slows good teams down.”

The company’s founder-led structure also differentiates it from larger audit organizations where clients sometimes experience rotating engagement teams or fragmented communication across departments.

Decrypt Compliance states that its leadership remains closely involved throughout engagements, particularly for emerging technology companies navigating first-time audits or expanding enterprise sales motions.

That hands-on involvement has become increasingly valuable for AI-focused SaaS businesses entering regulated procurement environments.

AI governance itself is rapidly becoming part of compliance conversations. Cheng has written extensively about ISO 42001 and the broader future of AI assurance, arguing that organizations need realistic governance models that balance innovation with accountability.

The intersection between AI systems and cybersecurity assurance is still developing. But many in the industry believe demand for specialized audit expertise will continue growing as regulators and enterprise customers seek stronger oversight around AI operations and data usage.

Decrypt Compliance appears positioned directly inside that transition.

The company continues expanding its presence among SaaS businesses seeking SOC 2 audit services while also investing in broader technology assurance capabilities tied to privacy, AI governance, and cloud security maturity.

For Cheng, though, the underlying mission remains relatively straightforward.

“Trust between businesses is essential for innovation,” he said. “The role of a good audit firm is to help organizations prove that trust in a way that is credible, efficient, and grounded in reality.”

In a compliance market often criticized for unnecessary complexity, that message feels refreshingly direct.

And perhaps that is exactly why more SaaS companies are paying attention.

Media Contact
Raymond Cheng
Decrypt Compliance
San Jose, California, United States

Email: info@decrypt.cpa

Website: Decrypt Compliance
