Why is inquiry alone never enough in a SOC 2 audit?
- AICPA standards require the auditor to independently inspect, observe, or reperform. Asking a question and accepting the answer is not an audit.
- Evidence the auditor pulls straight from the source system outranks a dashboard tile the auditor was simply handed.
- An auditor who signs off on platform-produced evidence without verifying it is in tension with what AT-C 205 requires.
A SOC 2 is an examination engagement. The auditor is signing an opinion on whether your controls actually operate. So the bar for what counts as evidence is set by the standard, not by what looks convincing on a screen.
Before I get to the correction, I want to be fair about how we got here. A few years ago a founder had two real options. Hire a traditional CPA firm and pay a lot, or collect evidence by hand. The compliance platforms changed that. They connect to your stack, watch your controls continuously, and organize the mess into something an auditor can read. That was a genuine advance. The platform is not the problem. What people believe about the platform is.
What the standard actually requires
Under AT-C 205, the AICPA's examination standard, inquiry alone does not provide sufficient appropriate evidence. Asking your team how access reviews work, then writing down their answer, is not an audit. The auditor has to perform at least one other procedure. Inspect a record. Observe the control happening. Reperform it. Recalculate. Confirm with an outside party.
For a SOC 2 the subject matter is internal control, so the auditor is required to test controls, not just describe them. Inquiry is the starting point. It tells you where to look. It is never the proof.
If you only remember one thing: a question answered is a lead, not a finding. The same logic is why inquiry plus a screenshot is rarely the whole story, and why a real first-time audit surfaces things nobody expected.
The evidence reliability ladder
Not all evidence is equal, and the standards rank it. The PCAOB's audit evidence standard, AS 1105, states the principle plainly: evidence the auditor obtains directly is more reliable than evidence obtained indirectly. Original records beat copies. Evidence from a source independent of the company beats evidence handed over by the company.
Now think about a green pass/fail tile on a compliance dashboard. That tile is the platform's rendering of an underlying record. It has been normalized, summarized, and handed to the auditor. Useful for organizing the work. But on the reliability ladder it sits below the auditor inspecting the underlying record itself.
| Evidence | Where it sits |
|---|---|
| Auditor pulls the raw config or log straight from the source system | Highest |
| Auditor inspects the original record the platform ingested | High |
| A normalized pass/fail tile the auditor was simply handed | Lower |
| The client tells the auditor the control works | Lowest (inquiry alone) |
The tile is not worthless. It is just not the top of the ladder, and an examination opinion has to rest closer to the top.
The part the model has to answer for
Here is where the standard gets pointed. AT-C 205 requires the auditor to evaluate the reliability, accuracy, and completeness of information used as evidence, including information produced by the entity or its tooling. The auditor cannot accept it at face value. That is not optional language.
So consider the structure of a model where the auditor never independently pulls a single piece of evidence and relies entirely on what a platform displays. If that displayed evidence were ever staged, backdated, or incomplete, an auditor looking only at the tile would have no way to know. That is the whole point of the reliability requirement. In my view, relying one hundred percent on tool-produced evidence with no independent verification is in tension with what AT-C 205 requires.
The standard also says what happens when you cannot get there. Where sufficient appropriate evidence cannot be independently obtained, that is a scope limitation. A scope limitation forces a qualified opinion, a disclaimer, or withdrawal. It does not get waved through.
This is not an accusation aimed at any one firm. It is what the standard demands, and the consequence of a model that skips the independent step. The profession is alive to it. The Journal of Accountancy has written that promises of fast and easy threaten SOC credibility, and that leaning too heavily on third-party platforms without applying the judgment the standards require produces engagements that are not performed in accordance with professional standards.
The auditor carries the risk
An opinion that is not supported by sufficient appropriate evidence is real professional exposure for the auditor. It is the kind of thing peer review and a state board look at. And it makes the report worthless to the customer relying on it, which defeats the only reason the report exists. The exposure sits with the person who signs, not the platform that rendered the tile. That is also why it pays to verify the person who will sign is a licensed CPA before you trust the output.
As a system-level illustration, the reported 2026 episode involving Delve is instructive. According to reporting, an investigation found that 493 of 494 examined SOC 2 reports were nearly identical, down to the same grammatical errors. Delve has denied the allegations, and they remain unproven and contested. I am not chaining that to any platform. I am pointing at one thing: a model that does not independently test can produce reports that say everything and prove nothing.
What AI done right looks like
The answer is not trust the tile. The answer is the auditor directing and inspecting the raw source evidence.
This is where AI actually helps, and where quality goes up rather than down. With an AI agent running in your own terminal, the literal command output (the IAM credential report, the encryption config, the access log) can come straight from the source system. The CPA inspects that. It sits higher on the reliability ladder than any normalized tile, because nothing repackaged it on the way over. The agent collapses the integration busywork that the platform model was built to solve, which is why your terminal plus an agent makes the connector moat obsolete.
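As an added example, not code from this post or from any platform or agent it mentions, the following POSIX shell helper shows one way to keep source-pulled evidence at the top of the reliability ladder: it runs a collector command exactly as given, stores the raw output untouched, and appends a manifest line (UTC timestamp, host, label, command, SHA-256) that the auditor can later recompute. The function names, the manifest layout and the credential-report rows are this example's own constructed assumptions; the sample collector stands in for a real source-system call.

```shell
#!/bin/sh
# Added example: capture raw evidence with a provenance manifest so a later
# reviewer can confirm the artifact is byte-for-byte what the source produced.
# Function names and manifest layout are assumptions of this example.

EVIDENCE_DIR="${EVIDENCE_DIR:-./evidence}"
MANIFEST="$EVIDENCE_DIR/manifest.tsv"

# Portable SHA-256 of a file (GNU coreutils or BSD/macOS shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# capture_evidence <label> <command...>
# Runs the collector command unchanged, writes its raw stdout to
# $EVIDENCE_DIR/<label>.raw, and records one tab-separated manifest line:
# timestamp, host, label, command, sha256. Prints the artifact path.
capture_evidence() {
  label="$1"; shift
  mkdir -p "$EVIDENCE_DIR"
  out="$EVIDENCE_DIR/$label.raw"
  "$@" > "$out"
  ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
  printf '%s\t%s\t%s\t%s\t%s\n' \
    "$ts" "$(uname -n)" "$label" "$*" "$(sha256_of "$out")" >> "$MANIFEST"
  echo "$out"
}

# verify_evidence <label>
# Recomputes the artifact hash and compares it with the last manifest entry
# for that label. Returns 0 on match, 1 if the file is missing or altered.
verify_evidence() {
  label="$1"
  out="$EVIDENCE_DIR/$label.raw"
  [ -f "$out" ] || return 1
  recorded=$(awk -F'\t' -v l="$label" '$3==l {h=$5} END {print h}' "$MANIFEST")
  [ -n "$recorded" ] || return 1
  [ "$(sha256_of "$out")" = "$recorded" ]
}

# Constructed stand-in for a real source-system export (for example an IAM
# credential report). These rows are invented sample data, not real accounts.
sample_credential_report() {
  printf 'user,mfa_active,password_last_used\n'
  printf 'alice,true,2026-01-10\n'
  printf 'bob,false,N/A\n'
}

# A check the reviewer can run on the raw record itself rather than on a
# dashboard tile: count users whose mfa_active column is "false".
count_users_without_mfa() {
  awk -F, 'NR>1 && $2=="false" {n++} END {print n+0}' "$1"
}

# Optional demo, run with RUN_DEMO=1 sh this_script.sh
if [ "${RUN_DEMO:-0}" = "1" ]; then
  f=$(capture_evidence cred_report sample_credential_report)
  echo "captured $f"
  verify_evidence cred_report && echo "hash matches manifest"
  echo "users without MFA: $(count_users_without_mfa "$f")"
fi
```

In practice the collector argument would be the real source command (for example the CLI call that exports a credential report), and the manifest is what lets the CPA inspect the record at the "auditor pulls the raw config or log" rung of the ladder rather than a rendering of it; a hash mismatch on re-verification is the signal that something repackaged or edited the artifact after capture.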
Be clear about the division of labor. AI collects and organizes. The CPA designs the procedures, applies the skepticism, judges whether the evidence is sufficient and appropriate, and signs. AI does not replace the judgment. It removes the busywork so the judgment gets more of my attention, not less. Quality is the entire point.
A real auditor pulling and inspecting the real evidence. That is the bar. Inquiry was only ever the doorway.
Sources
- AT-C 205 governs examination engagements; inquiry alone does not provide sufficient appropriate evidence, the auditor must perform corroborating procedures and evaluate the reliability of information used as evidence, and an inability to obtain sufficient appropriate evidence is a scope limitation leading to a qualified or disclaimed opinion or withdrawal.
- Audit evidence obtained directly by the auditor is more reliable than evidence obtained indirectly; original documents are more reliable than copies; the reliability hierarchy of audit evidence.
- CPAs warn that promises of fast and easy SOC engagements threaten SOC credibility, and that leaning too heavily on third-party platforms without applying the judgment the standards require produces engagements not performed in accordance with professional standards.
- Business arrangements with SOC tool providers can create ethics and independence threats, including pressure to subordinate judgment, for the service auditor.
- Reporting alleged 493 of 494 examined Delve-issued SOC 2 reports were nearly identical; Delve has denied the allegations and they remain unproven.
- The Model Context Protocol is an open standard introduced by Anthropic in November 2024 that lets AI agents connect to external tools and data sources through a standardized interface.