Why can't an auditor just take your word?
- AICPA standards ask the auditor to go check for themselves: inspect a record, watch the control happen, or redo it. Just asking a question and writing down the answer is not an audit.
- Evidence the auditor pulls straight from the source system carries more weight than a green checkmark on a dashboard that the auditor was simply handed.
- Signing off only on what a platform displays, without checking any of it independently, sits at odds with what the audit standard (AT-C 205) asks for.
A SOC 2 is an examination engagement, which is just the formal name for the audit where a CPA signs an opinion. The opinion says whether your controls actually work. So the bar for what counts as evidence is set by the standard, not by what looks convincing on a screen.
Before I get to the part people get wrong, I want to be fair about how we got here. A few years ago a founder had two real options. Hire a traditional CPA firm and pay a lot, or collect evidence by hand. The compliance platforms changed that. They connect to your stack, watch your controls continuously, and organize the mess into something an auditor can read. That was a genuine advance, and I have a lot of respect for it. The platform is not the problem. What people assume the platform does for them is where the confusion creeps in.
What the standard actually asks for
The AICPA's examination standard, AT-C 205, says that inquiry on its own is not enough. Inquiry just means asking. So asking your team how access reviews work and writing down their answer does not, by itself, count. The auditor has to do at least one more thing: inspect a record, watch the control happen, redo it, recalculate a number, or confirm it with an outside party.
For a SOC 2 the thing being examined is your internal controls, so the auditor is expected to test those controls, not just describe them. Asking the question is the starting point. It tells you where to look. It is never the proof on its own.
If you only remember one thing: a question answered is a lead, not a finding. That is the same reason inquiry plus a screenshot is rarely the whole story, and why a real first-time audit tends to surface things nobody expected.
Some evidence is stronger than other evidence
Not all evidence is equal, and the standards rank it. The audit-evidence standard from the PCAOB (the board that oversees public-company auditors), AS 1105, puts it plainly: evidence the auditor gets directly is more reliable than evidence that reaches them secondhand. Original records beat copies. Evidence from a source independent of the company beats evidence the company hands over about itself.
Now picture a green pass/fail checkmark on a compliance dashboard. That checkmark is the platform's tidy summary of some underlying record. It has been cleaned up, condensed, and handed to the auditor. That is genuinely useful for organizing the work. But on the reliability ladder it sits below the auditor going and inspecting the underlying record itself.
| Evidence | Where it sits |
|---|---|
| Auditor pulls the raw config or log straight from the source system | Highest |
| Auditor inspects the original record the platform pulled in | High |
| A cleaned-up pass/fail checkmark the auditor was simply handed | Lower |
| The client tells the auditor the control works | Lowest (asking alone) |
The checkmark is not worthless. It is just not the top of the ladder, and an audit opinion has to rest closer to the top.
The piece a display-only model leaves open
Here is the part the standard is firm about. AT-C 205 asks the auditor to check the reliability, accuracy, and completeness of any information used as evidence, including information produced by the company or by its own tools. The auditor cannot just take it at face value. That is not optional.
So think through what it means if the auditor never independently pulls a single piece of evidence and leans entirely on what a platform displays. If that displayed evidence were ever staged, backdated, or incomplete, an auditor looking only at the checkmark would have no way to know. That is exactly what the reliability requirement is there to catch. In my view, relying one hundred percent on tool-produced evidence, with no independent check, sits at odds with what AT-C 205 asks for.
The standard also covers what to do when the auditor can't get there. When sufficient, dependable evidence cannot be obtained independently, that is called a scope limitation, meaning there is part of the picture the auditor simply could not verify. A scope limitation forces the auditor to either flag the gap in the opinion (a qualified opinion), decline to give an opinion at all (a disclaimer), or step away from the engagement. It does not get quietly waved through.
None of this is an accusation about any one firm. It is what the standard asks for, and the natural consequence of a model that skips the independent step. The profession is paying attention to it too. The Journal of Accountancy has written that promises of fast and easy threaten SOC credibility, and that leaning too heavily on third-party platforms without applying the judgment the standards call for can produce engagements that were not really performed to professional standards.
The auditor carries the risk
An opinion that is not backed by enough dependable evidence is a real problem for the auditor who signed it. It is the kind of thing peer review and a state board take seriously. And it makes the report useless to the customer relying on it, which defeats the only reason the report exists. The exposure sits with the people who sign, not the platform that rendered the checkmark. That is also why it pays to verify the person who will lead and stand behind the audit is a licensed CPA before you trust the output.
As a system-level illustration, the reported 2026 episode involving the company Delve is instructive. According to reporting, an investigation reportedly found 493 of 494 examined SOC 2 reports were nearly identical, down to the same grammatical errors. Delve has denied the allegations, which remain unproven and contested. I am not tying that to any platform. I am pointing at one thing only: a model that does not independently test can produce reports that say everything and prove nothing.
What AI done right looks like
The answer is not trust the checkmark. The answer is the auditor directing and inspecting the raw source evidence.
This is where AI actually helps, and where quality goes up rather than down. With an AI agent running in your own terminal, the literal command output, the IAM credential report, the encryption config, the access log, can come straight from the source system. The CPA inspects that. It sits higher on the reliability ladder than any cleaned-up checkmark, because nothing repackaged it on the way over. The agent clears away the integration busywork the platform model was built to solve, which is why your terminal plus an agent makes the connector moat obsolete.
Let me be clear about the division of labor. AI collects and organizes. The CPA designs the procedures, brings the professional skepticism, judges whether the evidence is enough and the right kind, and signs off. AI does not replace that judgment. It clears away the busywork so the judgment gets more of my attention, not less. Quality is the entire point.
A real auditor pulling and inspecting the real evidence. That is the bar. Asking the question was only ever the doorway.
Frequently asked questions
Is asking the team enough for a SOC 2 audit?
What kinds of evidence does a SOC 2 auditor have to obtain?
Can a SOC 2 auditor just rely on a compliance platform's evidence?
Is a screenshot valid SOC 2 audit evidence?
What happens if an auditor cannot independently verify the evidence?
Keep reading
Will AI make SOC 2 prep tools obsolete?
AI agents can now do the prep work a compliance subscription used to sell. What gets cheap, and what doesn't.
Can a once-a-year audit keep up with AI?
Snapshots and samples were workarounds for the cost of looking. AI collapsed that cost. What independent verification looks like next.
Does the name on your SOC 2 report matter?
The famous logo is a stand-in for what the report will not show you. Here is how to read past it.
What does a SOC 2 mock exam catch?
A real auditor runs the real procedures early, so you fix gaps in days.
Sources
- AT-C 205 governs examination engagements; inquiry alone does not provide sufficient appropriate evidence, the auditor must perform corroborating procedures and evaluate the reliability of information used as evidence, and an inability to obtain sufficient appropriate evidence is a scope limitation leading to a qualified or disclaimed opinion or withdrawal.
- Audit evidence obtained directly by the auditor is more reliable than evidence obtained indirectly; original documents are more reliable than copies; the reliability hierarchy of audit evidence.
- CPAs warn that promises of fast and easy SOC engagements threaten SOC credibility, and that leaning too heavily on third-party platforms without applying the judgment the standards require produces engagements not performed in accordance with professional standards.
- Business arrangements with SOC tool providers can create ethics and independence threats, including pressure to subordinate judgment, for the service auditor.