What a SOC 2 Type II audit actually proves

Compliance badges get thrown around loosely. Here is what our audit covers, what it does not, and the questions to ask any vendor.

Marcus Lee

April 15, 2026 · 9 min read

A SOC 2 Type II report is one of the most cited and least understood artifacts in vendor security. Here is how to read one.

Type I vs. Type II

Type I describes controls at a point in time. Type II tests that those controls operated effectively over a period — usually several months. Type II is the one that means something.

  • Check the trust service criteria in scope, not just the logo.
  • Read the auditor exceptions — that is where the truth lives.
  • Confirm the observation period is recent and continuous.

A badge is marketing. The report is evidence. Always ask for the report.
