SOC 2 Type II: what it actually means for your firm's vendors

James Liu · 2024-08-12

Every B2B SaaS vendor lists "SOC 2" somewhere on their website. The logo has become so ubiquitous that it has stopped meaning what it should. If your firm is evaluating vendors that touch client data, here's how to read past the logo.

Type I vs Type II

A SOC 2 Type I report attests that a vendor has designed security controls at a point in time. It's a snapshot. A SOC 2 Type II report attests that those controls have operated effectively over a period — typically 6 to 12 months. Type II is what you want. A Type I report from a year ago is closer to a marketing artifact than evidence of operational security.

What to look for in the report

Five things, in order of importance:

  1. Scope. Which Trust Services Criteria are covered? Security is the only mandatory one. Confidentiality, Availability, Processing Integrity, and Privacy are optional. A SOC 2 covering only Security tells you less than one covering Security + Confidentiality + Privacy.
  2. Audit period. Look at the "as of" or "for the period" line. If it's older than 12 months, you should ask why.
  3. Auditor. Big Four and specialized firms (Schellman, A-LIGN, Coalfire, KirkpatrickPrice) carry weight. Boutique firms can be fine — but check that they're licensed CPAs.
  4. Exceptions. Section 4 of the report lists control failures during the audit period. Read these. Vendors who proactively explain them are typically more trustworthy than vendors who hide them.
  5. Sub-services. Many SOC 2 reports "carve out" cloud providers (AWS, GCP, Azure). That's standard. But check whether the carved-out services are themselves SOC 2'd.

Common misreadings

A 10-minute vendor review checklist

If you're under time pressure, ask these five questions and stop there:

  1. Is your most recent SOC 2 Type II less than 12 months old?
  2. Which Trust Services Criteria does it cover?
  3. What were the noted exceptions, and how were they remediated?
  4. Are your key sub-processors independently audited?
  5. When does your next audit period close?

SOC 2 is a starting point. It tells you a vendor has been audited. It does not tell you they are competent. Pair it with a security questionnaire that includes scenario-based questions and you'll learn more in 30 minutes than from any audit report.


Written by James Liu. Have feedback? Reach out at hello@verifypg.com.