How to Read a Vendor SOC 2 Report: What Actually Matters and What to Ignore

A SOC 2 Type II report has four primary sections. Understanding which sections are auditor-produced and which are vendor-produced is essential for interpreting the document correctly.

Section 1: Management's Description of the System This section is written by the vendor, not the auditor. It describes the system in scope, the infrastructure, the data flows, the people and processes, and the controls the vendor claims to operate. Read it skeptically -- it is a marketing-quality description of the control environment as the vendor sees it. The auditor's job in Section 3 is to test whether this description is accurate.

Section 2: Auditor's Opinion This is the most-read section and the least informative for practitioners. The opinion is typically one to two paragraphs stating whether the system description was fairly presented and whether the controls operated effectively. Look for the word 'unqualified' -- that is the clean bill of health. Any qualification language requires investigation. Also note the audit period dates: these define the window the tests covered.

Section 3: Description of Tests of Controls and Results This is the section most reviewers skip and the one that contains all the risk signal. For each control tested, you see: the control description, the test procedure the auditor performed, the sample size, and the result. Exception rows are buried in this section. Allocate 80% of your review time here.

Section 4: Additional Information / Vendor Response Vendor responses to exceptions noted in Section 3, along with remediation commitments and timelines. Read this alongside Section 3: an exception with a documented, completed remediation is very different from one with a vague future commitment.

Carve-out vs. Inclusive subservice organization method: The report's introduction or the auditor's opinion will state which method applies. Carve-out means subservice organizations are excluded from the audit scope -- you need their SOC 2 reports separately. Inclusive means the auditor tested the relevant controls at the subservice organization as part of this engagement.

Before reading anything else, verify that the audit scope covers the systems and data that matter for your use case.

What to check in scope:

1. Which products or services are in scope? Vendors often audit a subset of their product line. If you use a feature or product that is explicitly excluded from scope, the SOC 2 provides no assurance for your specific use case. The system description in Section 1 should name the in-scope services.

2. Which Trust Service Categories (TSCs) are included?

   • Security (CC): Logical and physical access, change management, risk assessment, incident response. This is the baseline and should be in every vendor's SOC 2.
   • Availability (A): System uptime and performance commitments. Required if SLA matters.
   • Confidentiality (C): Protection of confidential information. Required for data you consider confidential.
   • Processing Integrity (PI): Complete, accurate, timely processing. Required for financial or critical transaction processing.
   • Privacy (P): Collection, use, retention, disclosure, and disposal of personal information. Required for any vendor processing personal data.

3. Red flag -- scope mismatch: A vendor that processes sensitive personal data (health records, financial records, PII) but only has the Security TSC in scope has not been audited on how they handle that data's privacy. The Security category addresses access controls, not data handling practices.

4. Which data center locations or cloud regions are in scope? If your data is processed in a region not covered by the audit, the controls for that region have not been tested.

Section 3 is typically the longest section of the report, organized by control. Each control has a row showing the auditor's test and result. Exceptions are disclosed inline, usually with language like 'exception noted,' 'the control did not operate,' or 'for X of Y items tested, the required documentation was not present.'

How to find exceptions efficiently: Search (Ctrl+F) the PDF for: 'exception,' 'deviation,' 'did not operate,' 'no evidence,' 'not performed,' 'not completed.'

What each exception row contains:

• The control being tested (e.g., CC6.1: Logical access is restricted to authorized users)
• The test the auditor performed (e.g., 'For a sample of 25 user accounts, inspected access provisioning records to determine whether access requests were approved by a manager before access was granted')
• The result (e.g., 'For 3 of 25 items tested, no manager approval was documented prior to access being provisioned')

Severity assessment framework:

Request prior year reports: If the vendor has a prior SOC 2, request it and compare the exceptions. A control that failed in two consecutive audit periods indicates a systemic process problem, not a one-time gap.

Sample exception language and interpretation: 'For 4 of 25 items tested, access reviews were not completed within the required 90-day period.' This means the vendor's access review process is not operating on schedule. Ask: what is the current review cadence? Who owns it? Was any unauthorized access found during the late review period?

CUECs are the section of the SOC 2 report most frequently missed by vendor risk teams and the one with direct compliance implications for your organization.

Where to find them: CUECs are typically listed in an appendix at the end of Section 1, labeled 'Complementary User Entity Controls' or 'User Entity Control Considerations.' Some reports embed them in individual control descriptions.

Common CUECs across vendor types:

How to operationalize CUECs:

1. Extract every CUEC from the report into a spreadsheet
2. Assign an internal control owner for each
3. Map each CUEC to your existing controls or create a new control requirement
4. Add CUEC compliance to your vendor review checklist
5. Document CUEC status in your GRC system

Non-compliance with CUECs is not a vendor finding -- it is your finding. If you have not implemented the CUECs and an incident occurs, the vendor's SOC 2 attestation does not transfer the risk to them.

When a vendor uses the carve-out method for subservice organizations, those third parties are outside the audit scope. The report will typically state something like: 'The services provided by AWS are carved out from the scope of this examination. The description and the scope of this examination do not include the controls of AWS.'

Finding carve-outs in the report: Search for 'carved out,' 'carve-out,' 'subservice organization,' or 'user entity.' The auditor's opinion will reference which method applies.

Building your transitive third-party inventory:

For each carved-out subservice organization:

1. Identify whether they handle your data (directly or indirectly)
2. Request their SOC 2 Type II report or SOC 3 summary report
3. If they are a major cloud provider (AWS, Azure, GCP): their SOC 2 reports are publicly available at their compliance portals
4. If they are a smaller subservice organization: request directly through the vendor or ask for confirmation that the subservice organization has its own SOC 2

Inclusive method (preferred): If the vendor uses the inclusive method, their auditor extended testing to relevant controls at the subservice organization. This is a stronger assurance posture but still requires you to verify which subservice organizations are included and which are excluded.

Risk when a critical subservice organization is carved out: If your vendor processes all data on AWS and AWS is carved out, you have an unaudited gap in the infrastructure that hosts your data. The mitigation is obtaining AWS's SOC 2 report (publicly available at aws.amazon.com/compliance/soc-faqs/) and confirming the relevant services and regions are in scope.

After completing your review, send a structured follow-up to document your assessment and get vendor responses on record.

Template:

Subject: SOC 2 Type II Review Follow-Up -- [Your Company] / [Vendor]

We completed our review of your SOC 2 Type II report covering [audit period]. We have the following questions:

1. Exception -- Control CC6.1 (Access Provisioning): Your report notes that for 3 of 25 samples, access provisioning records did not include manager approval prior to access being granted. Please describe the current approval process, the owner, and whether this control has been updated since the audit period end date.

2. Subservice Organization -- AWS (Carve-Out): Your report uses the carve-out method for AWS infrastructure. Can you provide AWS's most recent SOC 2 Type II report, or confirm the specific AWS services in use and point us to their publicly available SOC 2 documentation?

3. Complementary User Entity Control 3: This control requires us to review our users' access to your platform on at least a quarterly basis. Please confirm: (a) the format and method you use to deliver access reports to customers, (b) the frequency at which access reports are available, and (c) whether this is included in our current contract tier.

We are targeting completion of our vendor risk review by [date]. Please respond by [date].

Document vendor responses and store them alongside the SOC 2 report in your vendor risk file. Unresponsive vendors should be escalated through procurement or legal before contract renewal.