
Vendor SOC 1, 2 or 3 – Understanding the Differences


If you’re a regulated organization, you likely already understand that you should be asking many of your vendors for a SOC report, especially your critical or high-risk vendors.

Have you noticed that some vendors give you a SOC 1, others give you a SOC 2, and sometimes a vendor will give you both? A few may even give you a SOC 3. There is a big difference between the various types of SOC reports, and the differences are not obvious to the uninitiated.

Differences Between SOC 1, 2 and 3


Brief SOC Background

The SAS 70 was replaced by the SSAE 16 – Statement on Standards for Attestation Engagements (SSAE) No. 16. Let’s be clear: we’re talking about the original definition of a SAS 70, not what it evolved into over the approximately 20 years it was in place in the market. The old SAS 70 and the SSAE 16 were very similar, but the SSAE 16 had a few upgrades, such as an attestation by the company’s management confirming that the described controls are in place and functional.

In May 2017, the SSAE 16 was superseded by the SSAE 18. The SSAE 18 provides the guidelines for SOC reporting and requires your vendor to describe the functions that its own subservice organizations provide (your fourth parties) and the controls those subservice organizations are assumed to have in place.

A SOC 1

A SOC 1 addresses internal controls that are relevant to a company’s internal control over financial reporting. By definition, a SOC 1 is designed to review a vendor’s financial and accounting controls. In other words, how well do they keep their books?

Additionally, there are two different types of SOC 1 reports – a SOC 1 Type I and a SOC 1 Type II. The difference? A Type I report audits controls as of a point in time (a single date). A Type II report covers controls that were in place and operating for a period of time. A Type II report is always better than a Type I because it tests control effectiveness over a period of time. A Type I report often does not test controls at all.

A SOC 2

Most of the time, the SOC 2 is probably the report you really want. It’s most definitely the report you want from an IT-type vendor. Unfortunately, because of the evolution of the old SAS 70 over the years, many folks erroneously believe that a SOC 2 report is the next level up from a SOC 1, and this couldn’t be further from the truth. One is apples; the other is oranges.

A SOC 2 report is an examination of a service organization’s controls over one or more of the following five (5) Trust Services Criteria (TSC):

  • Security
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy

A SOC 2 is the only audit (and report) that defines a consistent set of criteria specifically around the products/services that a company provides to you. If you want a measure of how well your vendor provides a secure, available, confidential and private solution, there’s only one way to get that assurance: ask for a copy of their independently audited SOC 2 report.

And just like the SOC 1, SOC 2s come in two different flavors, too. A Type I affirms that controls are in place. A Type II confirms that the controls are in place and are actually working. So, yes, a SOC 2 Type II is the best representation of how well a vendor is doing when it comes to managing and safeguarding your data. However, keep in mind as you review it that the controls are created by the vendor and tested by an auditor or CPA firm.

A SOC 3

Once again, don’t be fooled into believing that, because a SOC 2 Type II is highly valuable, a SOC 3 must be the greatest of all SOC reports. It’s not.

From this author’s perspective, I’d much rather have a SOC 2 Type II any day of the week over a SOC 3. While the SOC 3 is likely to have some of the components of a SOC 2, it’s not going to be as comprehensive.

Why? It’s designed to be made available publicly (without the requirement of an NDA), so by nature it’s less detailed and less technical and, therefore, will not contain the same level of otherwise critical information (to you) that a SOC 2 Type II contains. Basically, it’s a high-level summary of a SOC audit that comes with a seal of approval a vendor can post on their website.

A SOC 3 can be used for the initial, upfront due diligence phase of a vendor relationship, until you have determined whether they are a serious prospect.

Request and Analyze SOC Reports on Your Vendors

In the end, a SOC report is invaluable to request in order to verify that your vendor has sufficient controls in place and that those controls are operating effectively. Analyzing a SOC report – whether it be a SOC 1, 2 or 3 – assists greatly with ongoing monitoring and with ensuring compliance with regulatory expectations.

Dive deeper into the importance of SOC Reports and how to review them. Download the eBook.
