A vendor sends you a SOC 2 report. What should you actually check?
Short answer
A SOC 2 report only assures you if you actually read it: confirm it's the right type (Type II tests operating effectiveness over time, Type I only design at a point), check the scope and which Trust Services Criteria it covers, that the period is current and has no gap, what opinion the auditor gave (unqualified vs qualified), and review the noted exceptions plus the complementary user-entity controls (CUECs) you're responsible for. Merely confirming the report exists — or judging it by its cover logo or page count — tells you nothing about the vendor's actual control effectiveness or your residual obligations.
A SOC 2 report is a third-party assurance artifact — but receiving one assures you of nothing on its own. The value is entirely in reading it critically, because a report can exist and still reveal serious problems, scope gaps, or obligations that land on you.
What to actually check
Type: A Type II report tests whether controls operated effectively over a period (usually 6–12 months); a Type I only describes the design at a single point. Type II is far stronger assurance. Scope: Which Trust Services Criteria are covered — Security is baseline, but did they include Availability, Confidentiality, Processing Integrity, or Privacy if those matter to your use? Does the scope cover the actual service you consume? Period: Is it current, and is there a gap between the report's end date and now (a bridge letter may be needed)? Opinion: Did the auditor give an unqualified ("clean") opinion, or a qualified one flagging deficiencies? Exceptions: Read the testing exceptions — controls that failed during the period. CUECs: Crucially, review the complementary user-entity controls — things the report assumes you will do (e.g., manage your own user access, configure encryption) for the vendor's controls to be effective.
Why the wrong answers fail
"Just that the report exists" is the trap: possession is not assurance, and treating receipt as sufficient is how risk slips through. "The logo on the cover" and "the total page count" are non-signals — they say nothing about control design, operating effectiveness, scope, or your residual obligations. A thick report with a qualified opinion is worse than a short clean one.
The judgment being probed
The interviewer wants someone who treats third-party risk as active diligence, not box-ticking. A senior answer names the Type I vs II distinction, ties scope to how you actually use the vendor, takes exceptions and the auditor opinion seriously, and — the tell of real experience — flags CUECs, because a vendor's controls only protect you if you operate your half. Reading the report, not collecting it, is the control.
Likely follow-ups
- What's the difference between a SOC 2 Type I and Type II, and why does it matter to you?
- What are complementary user-entity controls, and what happens if you ignore them?
- How do you handle a report with a qualified opinion or a coverage gap before your contract started?