In relation to SOC reporting, management at your vendor states what the system is at a high level and attests to what management has written in the System Description and Control Environment. This is required to be in a SOC report. The auditor then expresses an opinion on whether or not management’s assertion is accurate.
You should expect that issues or exceptions that have come to management’s attention can result in management’s assertion letter being modified. Look for “except for” or other exclusionary language that was added by management to the letter. It’s not always about what is in the SOC audit. It can many times be about what isn’t included in the audit.