If your vendor (i.e. ABC Company) sends a SOC 2 report for who they use (i.e. Amazon Web Services), and ABC Company does not complete a SOC 2 report themselves, what steps do you take to ensure they have adequate controls in place?