
You absolutely do not need an SDLC process in order to get SOC2 attested.



Of course not, that was just part of the story to draw the picture. Where it might be required to pay for some consultant that will help with initial setup.

But maybe not go full attestation mode right away - but also tricky to find one.


I think this stuff is highly folkloric and that any startup that picked a reasonable high-touch auditor and talked to some friends about their experiences could get through a Type 1 with virtually no effort (outside of their bizops team, who the auditors will definitely harass).



