When you begin your initial due diligence or regular monitoring of a vendor, one of the first things to do is to request all their SOC reports. You also need to ask for the SOC reports for any critical subservice organizations (fourth parties). This includes both SOC 1 and SOC 2 reports.
State of Third Party Risk Management 2018
Our survey of over 100 companies shows the need that comprehensive and in-depth risk management has never been greater. From program maturity to examiner expectations and more, this paper is packed full of useful information.