If SOC2 relies on competent auditors (and you're right, it does), than it is an ineffective standard (and it mostly is).