The SOC 2 attestation is not the end of the questionnaire
A newly attested SOC 2 Type II does not stop the questionnaires. Buyers still ask the same 200 questions, and that tells us something about how enterprise trust is actually built.
A founder I know finished the company’s first SOC 2 Type II last month. She emailed me on a Friday with a reasonable question: now that the attestation is done, will the questionnaires stop?
They will not. That is the short answer. The longer answer is that the SOC 2 does not do what first-time founders hope it does, and understanding why is useful for how to position a vendor and how to structure the security-response function.
What a SOC 2 actually signals
A SOC 2 Type II is an attestation from a third-party auditor that a vendor’s controls were suitably designed and operated effectively over a reporting period, usually 12 months, sometimes as short as three to six months for a first report. The gap between the end of that period and today is covered, if at all, by a bridge letter that the vendor writes itself; the auditor does not re-test anything for it. During the audit the auditor samples evidence of control operation across the period and evaluates it against the AICPA Trust Services Criteria. The output is a report. The report has meaningful weight. It is not the whole picture.
Three things a SOC 2 is not:
It is not a statement about every current control. The report describes the controls tested during the audit period; any control added or changed after the period is not in it. Six months after the period ends, the report describes an environment that may no longer match the current one.
It is not a statement about buyer-specific questions. The report answers the auditor’s questions, not the buyer’s. A bank buyer’s list of questions about separation of duties in its particular workflows, or a healthcare buyer’s list of PHI-handling specifics, is not in the SOC 2 report regardless of how good the attestation is.
It is not a statement about the controls a specific buyer cares most about. Different buyers weight different controls. A buyer whose security team is primarily concerned with supply-chain attack surface will ask questions the SOC 2 does not cover at the depth they need, even though the criteria do address vendor and business-partner risk in general terms (CC9.2).
Any of those three would be enough to explain why questionnaires continue after attestation. All three together explain why the reduction is marginal.
The volume data
We measured this specifically. Across our fleet, vendors who completed their first SOC 2 Type II saw questionnaire volume drop by roughly 12% in the following year. Not zero — twelve percent. The drop was concentrated in one sub-category: buyers who previously sent a full custom questionnaire and who now accept “please send us your SOC 2 report plus this 30-question supplement.” The supplement is usually written on the buyer side to cover gaps the SOC 2 does not address.
Vendors with subsequent SOC 2 Type II reports saw smaller additional reductions, a further 3% to 5% per year for the first three years, then flat. A SOC 2 is not a one-time permission slip. It is an ongoing credential that makes each questionnaire slightly shorter, not one that replaces the questionnaire.
Safe Security’s broader industry data matches this. The headline of “500+ questionnaires per year” applies to mid-market vendors with existing attestations; the attestations are not suppressing the volume meaningfully.
Why buyers ask the same 200 questions anyway
Three reasons, none of them about the SOC 2 being insufficient.
The buyer’s vendor-risk process is a regulatory artifact. A bank’s vendor-risk questions are driven by NY DFS 23 NYCRR 500 or OCC guidance or the FFIEC handbook, not by whether the vendor has a SOC 2. The buyer has to ask those questions to satisfy their own regulator, independent of what the vendor has already attested to.
The buyer’s legal team needs a written representation in their own file. A SOC 2 report is a third-party attestation, not a representation from the vendor. The buyer’s legal team wants the vendor on the record with written answers to specific questions in a document that goes into the vendor file. The form of the representation matters, not just the substance.
The buyer wants to confirm nothing has drifted. A SOC 2 Type II describes a period that has already ended. The questionnaire answered this week confirms that what the report described still holds. Six months into a SOC 2 cycle, the buyer is partly checking whether the controls described in the last report are still operating.
I do not think any of this is wasted work. I think it is structurally required work. It is also a source of the fatigue that Monday’s opinion piece called out, and the reason the 80/20 retrieval pillar matters.
What this means for vendor positioning
Two practical readings for founders.
Do not promise the sales team that the SOC 2 will stop questionnaires. A 12% reduction is not the pitch that got them to green-light the $80K audit spend. Tell them the SOC 2 unblocks buyers who require one, shortens individual questionnaires modestly, and is a prerequisite for specific market segments (health systems, banks). It does not eliminate the questionnaire function.
Build the knowledge base (KB) assuming questionnaires will continue indefinitely. If your mental model is “we will have a questionnaire function for the next 18 months and then the SOC 2 will carry the load,” you will under-invest in the KB. The KB is going to be the load-bearing representation of truth for as long as the company exists. Invest accordingly.
The thing I keep telling first-time founders: the SOC 2 is a ticket to the conversation, not the end of the conversation. The conversation is a long one, and the KB is how you keep the long conversation coherent. For the ingest side — how to turn the SOC 2 PDF itself into the KB blocks the conversation runs on — Tuesday’s how-it-works post is the next piece in the thread.