
SOC 2 Vendor Evidence Collection: What to Ask For and How to Verify It

When a vendor claims SOC 2 alignment, knowing what evidence to request and how to evaluate it is critical. This guide covers the Trust Services Criteria most relevant to vendor assessments.

Why the Report Alone Is Not Enough

When a vendor provides a SOC 2 Type II report, it is tempting to treat the evidence collection step as complete. The report is a significant document produced by an independent audit firm; it covers a defined audit period; it evaluates whether the vendor's controls were operating effectively across that period. What more could you need?

Several things, as it turns out.

First, the scope of a SOC 2 report is defined by the vendor. The Trust Services Criteria covered — Security, Availability, Confidentiality, Processing Integrity, Privacy — are selected by the vendor, not prescribed by the standard. A vendor whose report covers only the Security criterion (CC1-CC9) may have no independent attestation for Availability or Confidentiality, which may be the criteria most relevant to your risk assessment for that vendor. Reading the scope section of every report you receive is not optional.

Second, the SOC 2 report is retrospective. It covers a period that ended on the report date, which is typically 60-90 days before you receive it. The report tells you that controls were operating effectively during the audit period; it says nothing about whether those controls are still in place today. A vendor who had a significant infrastructure change, an acquisition, or a security incident after the audit period end date will have a clean current report and a potentially changed current posture.

Third, and most importantly, the SOC 2 report evaluates the vendor's controls on their side of the shared responsibility model. It does not evaluate whether your organization has correctly implemented its side — whether you have configured the vendor's service securely, whether access is properly scoped and reviewed, whether data shared with the vendor is classified appropriately. Many of the most significant incidents involving cloud service providers occur on the customer's side of the shared responsibility line, not the provider's.

What to Request Beyond the Type II Report

The management assertion and bridge letter

When a report's audit period ended more than six months ago, request a bridge letter (also called a gap letter or representation letter). This is a written attestation from vendor management confirming that no material changes to the control environment occurred between the report period end and the current date. Bridge letters are not independently verified, so they are a weaker evidence form than the underlying report — but they are the standard mechanism for addressing the staleness problem and are appropriate to request for any vendor in your Tier 1 or Tier 2 population whose most recent report is more than six months old.

The System Description (Section 3)

Section 3 of a SOC 2 report contains the system description — the vendor's own narrative of their system boundaries, infrastructure, and the controls in scope. This section is critical for understanding whether the audit scope covers the specific systems and data processing activities that are relevant to your relationship. A vendor who provides services through a subsidiary or through a specific product line may have a report that covers only part of their overall system. Reviewing the system description tells you whether the in-scope system includes the components you actually use.

Exception findings and vendor responses

The test of controls section of a SOC 2 Type II report documents the auditor's testing procedures and results. When tests identify deviations — controls that were not operating effectively during the period — they appear as exceptions in this section. Many security teams receive SOC 2 reports and scan them for an overall opinion ("unqualified" or "qualified") without reading the exception findings. Exceptions in material control areas — access management, change management, incident response — are findings that warrant follow-up even when the overall opinion is unqualified.

The vendor's management response to exceptions is also informative. A thoughtful response that describes the root cause and remediation is a positive signal; a perfunctory "we have addressed this" without substance is a signal to probe further. Asking the vendor directly about the status of remediation for significant exceptions from their most recent report is an appropriate evidence collection step.

Sub-service organization reports

Many SOC 2 reports use the "carve-out method" for sub-service organizations — meaning the report explicitly excludes from scope the controls operated by the vendor's cloud infrastructure provider, data center, or other sub-service organization. The carve-out is disclosed in the report, along with the complementary user entity controls that the vendor's customers (including you) are responsible for.

When a vendor's report carves out a material sub-service organization, your evidence collection should include obtaining the sub-service organization's SOC 2 report. If the vendor's entire infrastructure runs on a carve-out sub-service provider, and that provider's report is unavailable or has material exceptions, the vendor's clean report provides less assurance than it appears to.

Verifying Current Control Status

Beyond the report artifacts, evidence collection for active Tier 1 vendors should include current-state verification for controls that are most likely to drift between audits. This does not require a full assessment cycle — it requires targeted questions with evidence requirements.

Consider a growing financial technology company using a vendor for payment processing with SOC 2 Type II coverage. The report is eleven months old, and in the intervening period, the vendor has completed a significant platform migration announced in their product communications. In this situation, relying solely on the prior SOC 2 report for controls assurance is inadequate. The appropriate current-state verification is requesting: a bridge letter covering the period since report end, confirmation that the new platform is within the scope of the next report (which should be in progress), and specific confirmation that the controls on which you most depend — encryption in transit and at rest, access management, availability commitments — remain in place on the migrated platform.

Organizing Evidence Collection at Portfolio Scale

Managing SOC 2 evidence collection across 40-80 vendors requires a systematic approach to report expiration tracking and renewal requests. Reports are typically valid for 12 months from the audit period end date; bridge letters extend that by six months. For a vendor portfolio of meaningful size, report expirations are occurring continuously throughout the year, and manual tracking against a spreadsheet is error-prone.

The evidence management workflow should include: a tracked expiration date for each vendor's most recent report, automated reminders to request renewals at 90 days before expiration, a log of bridge letters received and their stated coverage period, and documentation of any exceptions reviewed and the disposition decision for each material finding. This documentation is what auditors examining your TPRM program will ask for — not just "do you collect SOC 2 reports?" but "how do you track their currency and what do you do when exceptions are found?"

We are not saying that every vendor in your portfolio requires the same level of SOC 2 evidence scrutiny. For Tier 3 vendors, confirming that a SOC 2 report exists and is current may be sufficient. For Tier 1 critical vendors, the full evidence package — current report, sub-service organization reports where applicable, bridge letter, exception review documentation — is the appropriate standard. Calibrate evidence collection depth to vendor criticality, and document the calibration rationale so it is auditable.
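The expiration tracking, renewal reminders, bridge-letter rule and tier calibration described above can be encoded as a small worklist generator. The following is an added example, not Clarito's code or any product feature; it assumes a constructed portfolio of vendors, approximates "12 months" and "six months" as 365 and 182 days, and uses a hypothetical per-tier evidence package (the article specifies the Tier 1 and Tier 3 packages and the bridge-letter rule for Tiers 1 and 2; the Tier 2 package here is an assumption).

```python
"""SOC 2 evidence worklist for a vendor portfolio (added example; not Clarito's code)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional, Tuple

# Rules from the article, with calendar approximations for "12 months" and "six months".
REPORT_VALIDITY = timedelta(days=365)      # report is valid 12 months from period end
BRIDGE_EXTENSION = timedelta(days=182)     # a bridge letter extends coverage by six months
BRIDGE_REQUEST_AGE = timedelta(days=182)   # request a bridge letter once the report is 6 months old
RENEWAL_LEAD_TIME = timedelta(days=90)     # remind to request renewal 90 days before expiry

# Evidence package per tier. Tier 1 and Tier 3 follow the article; Tier 2 is an assumption.
REQUIRED_EVIDENCE: Dict[int, FrozenSet[str]] = {
    1: frozenset({"report", "bridge_letter", "subservice_reports", "exception_review"}),
    2: frozenset({"report", "bridge_letter"}),
    3: frozenset({"report"}),
}


@dataclass
class Soc2Report:
    period_end: date                      # end of the audit period (not the date you received it)
    criteria: FrozenSet[str]              # Trust Services Criteria in scope, from the scope section
    carved_out_subservices: Tuple[str, ...] = ()  # sub-service orgs excluded under the carve-out method
    material_exceptions: int = 0          # exceptions in material control areas


@dataclass
class Vendor:
    name: str
    tier: int
    required_criteria: FrozenSet[str]     # criteria your risk assessment actually depends on
    report: Optional[Soc2Report] = None
    bridge_letter_through: Optional[date] = None   # stated coverage end of the bridge letter on file
    subservice_reports_on_file: FrozenSet[str] = frozenset()
    exceptions_dispositioned: bool = False         # disposition documented for each material finding


def coverage_end(vendor: Vendor) -> Optional[date]:
    """Date through which the vendor's evidence is considered current."""
    if vendor.report is None:
        return None
    end = vendor.report.period_end + REPORT_VALIDITY
    if vendor.bridge_letter_through is not None:
        end += BRIDGE_EXTENSION
    return end


def evidence_actions(vendor: Vendor, today: date) -> List[str]:
    """Return the evidence-collection actions due for one vendor, in priority order."""
    report = vendor.report
    if report is None:
        return ["request_report"]
    actions: List[str] = []
    end = coverage_end(vendor)
    if today > end:
        actions.append("report_expired")
    elif today >= end - RENEWAL_LEAD_TIME:
        actions.append("request_renewal")
    needed = REQUIRED_EVIDENCE[vendor.tier]
    if "bridge_letter" in needed:
        if vendor.bridge_letter_through is None and today - report.period_end > BRIDGE_REQUEST_AGE:
            actions.append("request_bridge_letter")
        elif vendor.bridge_letter_through is not None and vendor.bridge_letter_through < today:
            actions.append("refresh_bridge_letter")
    # Scope check: the report must attest the criteria you rely on, not just "Security".
    missing_scope = vendor.required_criteria - report.criteria
    if missing_scope:
        actions.append("scope_gap:" + ",".join(sorted(missing_scope)))
    if "subservice_reports" in needed:
        for org in sorted(set(report.carved_out_subservices) - vendor.subservice_reports_on_file):
            actions.append("request_subservice_report:" + org)
    if "exception_review" in needed and report.material_exceptions and not vendor.exceptions_dispositioned:
        actions.append("review_exceptions")
    return actions


def portfolio_worklist(vendors: List[Vendor], today: date) -> Dict[str, List[str]]:
    """Vendors with at least one action due, keyed by name."""
    worklist = {v.name: evidence_actions(v, today) for v in vendors}
    return {name: acts for name, acts in worklist.items() if acts}


# Constructed sample portfolio (names and dates are illustrative, not real vendors).
TODAY = date(2025, 6, 1)
SAMPLE_PORTFOLIO = [
    Vendor("PayCo", 1, frozenset({"Security", "Availability", "Confidentiality"}),
           Soc2Report(date(2024, 7, 1), frozenset({"Security", "Availability"}),
                      carved_out_subservices=("CloudProvider",), material_exceptions=2)),
    Vendor("DocTool", 3, frozenset({"Security"}),
           Soc2Report(date(2024, 12, 31), frozenset({"Security"}))),
    Vendor("OldVendor", 2, frozenset({"Security"}),
           Soc2Report(date(2024, 2, 15), frozenset({"Security"})),
           bridge_letter_through=date(2025, 9, 1)),
    Vendor("NoReport", 2, frozenset({"Security"})),
]

if __name__ == "__main__":
    for name, acts in portfolio_worklist(SAMPLE_PORTFOLIO, TODAY).items():
        print(f"{name}: {', '.join(acts)}")
```

Running the block lists PayCo with five actions (renewal reminder, bridge letter request, a Confidentiality scope gap, a missing sub-service report and an unreviewed exception set), OldVendor with a renewal reminder only, NoReport with a report request, and DocTool with nothing due; that per-vendor action log, with dates, is the documentation an auditor of your TPRM program will ask to see.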

For evidence collection in the context of a broader vendor assessment workflow, the evidence library concepts in our response automation article apply in reverse: the same library that helps your team respond to incoming questionnaires can be used to systematically store and retrieve vendor-provided evidence artifacts.
