
Speaking as someone who went through this process at a large financial firm, you're off by at least an order of magnitude. You need a SOC1 audit of each product you plan to use, which is likely quite a few if you want to take full advantage. The big players should eventually be able to offer that for free once they've been through the process but, at least relatively recently, it was only true today if your cloud budget was tens of millions. That aside, you'll still need an audit of your usage of the cloud (i.e. how you deploy to it and handle movement of data back and forth). That'll always be on your dime.


No. At the end of the day, the customer pays, because I charge more for bullshit. They need an SOC to use my cloud product; it cost me 150k USD to get an audit from a big-four for a single site in 2016. Maybe it’s a little more today, but it’s not an order-of-magnitude.

I’m assuming you already adhere to the relevant standards. Obviously if you’re cutting corners, getting up to snuff is going to cost a lot more than a hundy.


A Big 4 can't conduct a proper SOC audit without access to the cloud provider's internal controls/processes. That's the problematic/expensive part since it requires a bunch of time from the cloud provider, which they will also likely want to bill for.


As someone currently dealing with SOC in preparation for the company I work for going public, I will also confirm it is a giant bean-counting pain in the butt.



