SOC Type 2 compliance only suggests they have a sit-in audit once a year. Basically they produced a lot of paperwork and it doesn't mean that they evidenced stuff honestly to the auditors.
Auditors audit for one year. They make sure all the processes and controls are hit and used as expected. I am wondering why the audit firm is not made accountable when these hacks happen.