Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.


Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 


Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.



Trends, best practices and insights to keep you current in your knowledge of third-party risk.


Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars



Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.



Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

State of Third-Party Risk Management 2023!

Venminder's seventh annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.


Experienced Auditor's Perspective on Vendor Cybersecurity, SOC Reports, and Best Practices

3 min read
Featured Image

Recently, as part of our Venminder Thought Leadership series, I had the opportunity to speak with Mike Morris at Porter Keadle Moore (PKM). In this series we speak with the industry’s sought-after thought leaders for their perspective and advice on third parties, mitigating risk, best practices, trends, and more.
Mike is a systems partner at PKM. Since joining PKM in 1999, he's overseen projects including Sarbanes-Oxley IT404 testing, FDIC Improvement Act testing, network vulnerability and penetration testing, stock reporting and IT general controls for data processing companies, financial institutions and insurance companies. You can listen to the full interview here.

During our time, we covered:

  • Best practices for managing risk
  • Addressing today's cybersecurity threats and risks
  • Top areas of concern for a SOC audit report
  • And more...

The Highlights

Right away Mike enlightened me with his thoughts on how organizations are doing as a whole regarding third-party risk management. If we’re using a grading system, he’d give the majority of organizations a C+ average based on his experience working with clients.

He has found that time management seems to be a difficult issue for a lot of organizations which, in turn, has brought a lot of room for improvement in their third-party risk departments. With that setting the stage, I thought it’d be a good idea to learn what Mike sees as some of the best practices that organizations can implement to help manage risk effectively.

Best Practices for Managing Risk

Here are two best practices that Mike shared with me:
1. Analyze the business risks and the impact of each vendor to the organization
2. Follow the regulatory guidelines

I’d have to agree with his recommendations. Doing these two things will help to satisfy regulators. Regulators are looking to see that you’re not just managing the guidance, but also continue to evolve and improve your program.

Cybersecurity – Today’s Threats and Risks

In Mike’s opinion, he sees organizations struggling greatly in this area. He shared that cybersecurity is an area that we need to focus on continuously improving, and remember, when an organization is hacked it is often times a security hack through their vendor. You rarely hear the vendor’s name brought up in discussions or by the media. It’s your organization that is often impacted by reputation risk.

Understanding the gaps and controls in cyber resiliency and cyber security at the third party vendor level is critical. He left us with these words to think about regarding cybersecurity – “trust or verify and understand what they, the vendor, are doing”.

SOC Audit Reports – What You Need to Know

Mike has an extensive SOC audit background, so I thought it’d be great to get his perspective and better understand the top areas of a SOC audit report that organizations should pay close attention to. He shared the following areas of concern regarding SOC reports:

  • Understanding any change management issues and the impact (e.g., around application changes, the way controls function)
  • Understanding subservice organizations (your fourth parties)
    • Identifying the subservice organizations
    • Analyzing risk posed to your organization by the subservice organization
    • Monitoring subservice organizations effectively

Luckily, with the introduction of the SSAE 18 in May 2017, monitoring fourth parties has become increasingly easier.

Address Third-Party Risk

Mike concludes with sharing compassion and an understanding as to how tough third-party risk management can be. However, he knows the regulatory requirements are not going away anytime soon. He says, “with regulation or not, third party risk and cybersecurity are areas that are going to continue to cause risk or pose risk to organizations, and we need to make sure we're addressing those.”

On behalf of Venminder, I would like to thank Mike and Porter Keadle Moore for participation in this thought leadership interview. It was very insightful, and I think our audience has gained a ton of great perspective.

Want to learn how to properly review and analyze a SOC report? Download our eBook now where we will help you do just that.

vendor soc report

Subscribe to Venminder

Get expert insights straight to your inbox.

Ready to Get Started?

Schedule a personalized solution demonstration to see if Venminder is a fit for you.

Request a Demo