SOC 2 GRC Compliance Cost Small Business

Blog  /  SOC 2 & Compliance Cost

SOC Reports Third-Party Risk Vendor Due Diligence vCISO
Blog / SOC Reports & Vendor Risk
Third-Party Risk · Series Hub

The SOC Report You Never Read: How “Checkbox” Vendor Reviews Become Six-Figure Mistakes

A business owner asks a critical vendor for a SOC 2 report. A 90-page PDF arrives. It has an accounting firm’s logo, the word “unqualified,” and a lot of tables. The owner drops it into a folder labeled “Compliance — Done” and moves on.

Eighteen months later, that vendor is breached. Customer data is exposed, regulators send letters, and the owner’s lawyer asks a simple question: “You reviewed their security. What did the report say?”

Here’s the uncomfortable truth: the warning was often already in the report — in a section nobody opened. Requesting a SOC report “for name’s sake” feels like due diligence. It isn’t. It’s a signature on a document you never read.

What you’ll get from this guide: the five things that separate a SOC report used as protection from one used as paperwork — explained without jargon, so any owner can spot trouble in about 20 minutes. This is the hub of a full DARS series; each risk below gets its own deep dive, and a free interactive tool to check any report you’re handed.


Why do companies request SOC reports “for name’s sake”?

Direct answer

Most organizations request a vendor’s SOC report to check a procurement box, then file it unread. That creates a false sense of security — the report exists, so the risk feels handled. But an unread report catches nothing, and vendor breaches are now the fastest-growing way attackers get into companies they never directly targeted.

The checkbox habit is colliding with a hard trend. In the 2025 Verizon Data Breach Investigations Report, the share of breaches involving a third party doubled to 30%, up from 15% the year before (Verizon, April 23, 2025). Separately, SecurityScorecard’s 2025 Global Third-Party Breach Report found 35.5% of all 2024 breaches were third-party related — a number the firm calls “conservative” — and that 41.4% of ransomware attacks now begin through a third party (SecurityScorecard, March 26, 2025).

Translation: your vendors are now one of the most likely doors an attacker walks through. A SOC report is your best early look at whether that door is locked — if you actually read it.

Third-party involvement in breaches Third-party involvement in breaches doubled from 15 percent in 2023 to 30 percent in 2024; 35.5 percent of all 2024 breaches were third-party related and 41.4 percent of ransomware attacks begin through a third party. THIRD-PARTY BREACH INVOLVEMENT 15% 2023 30% 2024 doubled in one year 35.5% of all 2024 breaches were third-party related (called “conservative”) 41.4% of ransomware attacks begin through a third party
Third-party involvement in breaches doubled in a single year. Sources: Verizon 2025 DBIR; SecurityScorecard 2025 Global Third-Party Breach Report.

Type I or Type II — did you get a photo or a movie?

Direct answer

A SOC 2 Type I report tests whether controls were designed correctly on a single day — a photo. A SOC 2 Type II tests whether those controls actually worked over a period of months — a movie. If you accepted a Type I thinking it proved ongoing security, you have a snapshot of a promise, not evidence it was kept.

This is the single most common mix-up, and vendors rarely correct it. A Type I is cheaper and faster to obtain, so an early-stage vendor may hand you one and hope you don’t notice the difference. For anything touching your sensitive data, Type II is the standard you want (Meditology, “How to Read a SOC 2 Report”).

Two related traps hide right next to this one:

  • The report is stale. A SOC 2 covers a past window — often ending months before it lands on your desk. If a report is more than a year old, it’s describing a company that may no longer exist in its current form.
  • The “bridge letter” bluff. Vendors often supply a bridge letter (also called a gap letter) to cover the time since the report period ended. Useful — but remember it’s written by the vendor and involves no new testing by the auditor (Meditology). It’s a promise, not proof.
Type I proves a control existed once; Type II proves it kept working. Know which one you’re holding.
SOC 2 Type ISOC 2 Type II
What it testsControl design at a point in timeControl design and operating effectiveness
Time coveredA single day (a “photo”)A period, usually 3–12 months (a “movie”)
What it provesControls existControls actually worked
Use for critical vendors?Weak evidencePreferred standard
Type I photo versus Type II movie Type I is a single framed photo taken on one day; Type II is a film strip of many frames representing months of evidence. TYPE I — ONE DAY a snapshot Controls were designed vs. TYPE II — MONTHS OF EVIDENCE Controls kept working
Type I proves a control existed once; Type II proves it kept working — over months, not a moment.

Does the report actually cover the service you bought?

Direct answer

A clean SOC report only covers the systems, services, and criteria the vendor chose to include. Owners routinely accept a report that looks official but covers a different product, a different entity, or a narrower promise than the service they’re actually paying for. A pristine report for the wrong scope protects no one.

This is where “for name’s sake” does the most damage, because the mismatch is invisible unless you look. Watch for four scope traps:

1. Wrong report type entirely.

A SOC 3 looks legitimate but is essentially a marketing summary — it omits the controls tested by the service auditor and the detailed results of those tests, so you can’t actually assess risk from it (Linford & Co, “SOC 2 vs SOC 3”). A SOC 1, meanwhile, only covers controls relevant to financial reporting — not security. Confirm you’re holding a SOC 2 Type II before anything else.

SOC 1, 2, and 3 answer three different questions. Only one tells you whether your data is safe.
SOC 1SOC 2SOC 3
AnswersWill this vendor’s controls affect our books?Can this vendor protect our data?(Public summary of the SOC 2)
Measured againstManagement’s financial control objectives (ICFR)Trust Services Criteria: Security (always) + optional Availability, Confidentiality, Processing Integrity, PrivacySame exam as SOC 2, short-form
Right forPayroll, billing, claims, transaction/revenue processingSaaS, cloud, IT, healthcare data platformsA trust badge, not a risk decision
AudienceYour financial auditorsYour security / vendor-risk teamThe general public

Note: For SOC 2, only Security (the Common Criteria) is mandatory; the other four criteria are included only if the vendor opts in — so confirm the ones you rely on are actually in scope (see trap #2).

2. Only “Security” was tested.

SOC 2 has five Trust Services Criteria — Security, Availability, Confidentiality, Processing Integrity, and Privacy — but only Security is mandatory (Secureframe, “Trust Services Criteria”). If you hired a vendor for uptime but the report excludes Availability, or you handed them regulated data but Confidentiality and Privacy were left out, the report never tested the thing you’re relying on.

3. The data-center-instead-of-company swap.

A favorite: the vendor hands you their cloud provider’s SOC 2 rather than their own. As nContracts puts it, the problem is when a vendor gives you a SOC 2 report for its cloud data center instead of for its company (nContracts). That report says nothing about the vendor’s own employees, access controls, or incident response — the people who actually touch your data.

4. The right company, the wrong product.

Large vendors run many products on one report. Confirm the specific module or service you use appears in the system description — not just the flagship product in the marketing deck.

What you bought versus what the report covers Two overlapping circles: the service you contracted and what the SOC report actually covers only partially overlap, leaving an amber blind spot. Service you contracted What the report covers YOUR BLIND SPOT
The dangerous space is the gap between what you pay for and what the auditor actually examined.

What the auditor’s opinion and exceptions really tell you

Direct answer

Every SOC report opens with the auditor’s opinion and lists any exceptions — controls that failed during testing. A qualified opinion means the auditor found real problems. Exceptions reveal where controls broke and whether it mattered. Skipping these two sections is like skimming a home inspection and ignoring the part about the foundation.

Start with the opinion letter in Section 1. An unqualified opinion means controls performed as intended; a qualified opinion carries a “Basis for Qualified Opinion” paragraph naming what fell short (Meditology). Many owners never reach this page.

Then read the exceptions in the testing section — and judge context, not just count:

  • Minor and isolated — e.g., one employee missed a training deadline — is usually fine.
  • Systemic — e.g., 13 out of 20 sampled infrastructure changes were not approved before implementation — is a flashing red light (Meditology).

Here’s the counterintuitive part: zero exceptions can be more worrying than a few. As Rippling’s analysts note, a single well-documented exception — with a root cause, remediation action, and timeline — is better evidence of a mature security program than a hundred pages of unqualified controls (Rippling). A flawless report can mean the testing was shallow.

Finally, read management’s response to each exception. A vague “this has since been remediated” with no root cause, timeline, or evidence is spin — not a fix (Keiter CPA).

Three things to find in a SOC report A mock report page with three callouts: the opinion word, the exception, and management's response. Opinion word qualified or unqualified? The exception minor or systemic? Management response real fix or spin?
Three things to find in five minutes: the opinion word, the exceptions, and whether management actually fixed them.

The controls the auditor never tested — and quietly left to you

Direct answer

Two categories of controls sit outside what the auditor tested: Complementary User Entity Controls (CUECs) — security tasks the report assumes you will perform — and carved-out subservice providers, whole infrastructure layers the audit deliberately excluded. Miss these, and you’ve accepted responsibility (and risk) you didn’t know existed.

CUECs are your homework. These are controls the vendor’s security depends on you to run — things like promptly disabling former employees’ accounts or managing admin access on your side. The auditor does not test them (Meditology). If the report lists ten CUECs and you’re doing none of them, the vendor’s controls have holes you punched.

Carve-outs hide entire layers. Vendors run on providers like AWS or Azure, and they can “carve out” those providers from the audit. As Rippling bluntly puts it: if a vendor runs on AWS and AWS is carved out, the audit does not cover the infrastructure layer (Rippling) — no networking, compute, storage, or physical security. You’re trusting a layer nobody in that report examined.

How a SOC report divides responsibility three ways A shared-responsibility stack: controls the vendor tests, controls carved out to a subservice provider like AWS that are not tested, and complementary user entity controls that are your job. Vendor tests these Their own people, access controls, incident response TESTED ✓ Carved out — not tested The subservice provider (e.g., AWS): compute, storage, physical NOT TESTED Your job — CUECs Disabling ex-employees, managing admin access on your side ON YOU
A SOC report quietly divides responsibility three ways. Only one of those thirds was actually tested for you.

🚩 Five more traps most owners miss

Beyond the big five, keep this shortlist handy — each becomes its own deep dive later in this series:

  • 1. Who signed it? A report is only as good as the CPA firm behind it. A firm not enrolled in the AICPA Peer Review Program — one of the primary mechanisms that protects the integrity of the SOC reporting framework — or one that promises “fast” audits with boilerplate control language is a red flag. Tellingly, if the audit looks frictionless, that’s a warning, not a comfort (CompliancePoint).
  • 2. Fourth-party sprawl. Your vendor’s report covers their controls — but their subcontractors (and their subcontractors) may be where your data actually lives. The chain of reliance keeps going; most reviews stop at link one.
  • 3. “Certified” is a myth. SOC 2 is not a certification and not a HIPAA/PCI/GDPR pass. It’s an auditor’s opinion about controls the vendor chose, over a window that has already closed.
  • 4. Compliance expires. Even a current Type II describes a period that has ended. Nothing proves the vendor stayed compliant afterward — which is exactly when breaches tend to happen. Continuous monitoring, not an annual PDF, is the real answer.
  • 5. The report is confidential. SOC 2 is a restricted-use document. If a vendor emails it around freely, ask how seriously they treat their obligations.

How to review a SOC report in 20 minutes

Direct answer

You don’t need to be an auditor. In about 20 minutes you can catch 80% of the problems by checking seven things: report type, scope match, the opinion, the exceptions, the CUECs, the carve-outs, and the dates. Here’s the scan.

Seven-point SOC report review A seven-step checklist: report type, scope match, the opinion, exceptions, CUECs, carve-outs, and dates, with a call to action to check any report free. The 20-minute scan SEVEN THINGS · ANY OWNER CAN CHECK 1 Type & report — is it a SOC 2 Type II (not Type I, SOC 1, or SOC 3)? 2 Scope match — the specific service, entity, and criteria you rely on? 3 The opinion — unqualified? If not, read “Basis for Qualified Opinion.” 4 Exceptions — any systemic failures? Real fix or spin in the response? 5 CUECs — the ones that apply to you. Are you actually doing them? 6 Carve-outs — which providers were excluded? Comfortable trusting them? 7 Dates — is the period recent, and does a bridge letter cover the gap?
The 20-minute scan — or let our free SOC Report Reality Check run it with you.
  1. Type & report: Confirm it’s a SOC 2 Type II (not Type I, SOC 1, or SOC 3).
  2. Scope match: Does the system description name the specific service and entity you actually use — and the criteria (Availability, Confidentiality, Privacy) you care about?
  3. The opinion: Is it unqualified? If qualified, read the “Basis for Qualified Opinion.”
  4. Exceptions: Any systemic failures? Read management’s response — real fix or spin?
  5. CUECs: List the ones that apply to you. Are you actually doing them?
  6. Carve-outs: Which providers were excluded? Are you comfortable trusting untested layers?
  7. Dates: Is the period recent, and is any bridge letter covering the gap?
Free Tool · No Signup

Run your next vendor report through the SOC Report Reality Check

Answer a few plain-English questions and get an instant, color-coded risk score plus a personalized “what to fix” summary — across SOC 1, SOC 2, and SOC 3.

🔒 Runs entirely in your browser. No signup; your answers never leave your device.

Check any report free →

Don’t just file it. Read it — or have it read.

A SOC report is a warranty you have to actually open. Filed unread, it’s a liability with a logo. Read well, it’s one of the cheapest risk controls you own.

Here’s how to put this to work today

1. Run your riskiest vendor’s report through the free SOC Report Reality Check — instant score, plain-English fixes, nothing stored.

2. Follow the series for the deep dive on each risk above — no jargon, just what owners need to decide.

3. Book a 30-minute vendor-risk consult with DARS LLC. Bring your riskiest vendor’s report; we’ll read it with you and tell you exactly where you’re exposed.

Start with the free tool Schedule a consult

Looking ahead: 2026–2027 raises the stakes

Two forces are about to make the “for name’s sake” habit far more expensive. AI vendors are entering supply chains faster than assurance frameworks can keep up — many process sensitive data with SOC scopes that don’t yet address model or data-handling risk. And fourth-party sprawl is compounding: every vendor you add inherits their vendors’ exposure. With third-party breach involvement having doubled in a single year (Verizon 2025 DBIR) and vulnerability exploitation up 34%, the margin for unread reports is gone.

The good news: reading a SOC report properly isn’t hard — it’s just rarely done. Do it, and you’re already ahead of most of the companies that will make headlines next year.

The DARS team helps business owners turn vendor paperwork into real protection. Start with the free tool, or reach out — we read SOC reports for a living so you don’t have to guess.

Data Gap Disclosures

The “18-month later breach” opening is an illustrative composite scenario, not a cited case.

The claim that AI-vendor SOC scopes “don’t yet address model / data-handling risk” is a forward-looking synthesis (2026–2027), not a measured statistic.

SecurityScorecard’s 35.5% and Verizon’s 30% use different methodologies and samples; they are presented as complementary signals, not the same measurement.

Sources
  • Verizon 2025 Data Breach Investigations Report (Apr 23, 2025) — verizon.com
  • SecurityScorecard 2025 Global Third-Party Breach Report (Mar 26, 2025) — securityscorecard.com
  • Meditology — How to Read a SOC 2 Report from a Vendor Management Perspective — meditologyservices.com
  • Rippling — The Gaps Tell You More Than the Controls — rippling.com
  • Linford & Co — SOC 2 vs SOC 3 — linfordco.com
  • Secureframe — Trust Services Criteria — secureframe.com
  • nContracts — Vendor Due Diligence SOC 2 Report Mistake — ncontracts.com
  • CompliancePoint — SOC 2 Report Quality — compliancepoint.com
  • Keiter CPA — Management Responses to Testing Exceptions — keitercpa.com
  • Venminder — The Risk of Not Reviewing Your Vendor’s SOC Report — venminder.com
By Ashwameth Ravilla · DARS LLC · All citations verified August 2026

Comments

Loading comments…

Leave a Comment

Comments are moderated and typically approved within 1 business day. Your email is never published or shared.