Software

Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Overview
Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit


Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

VX LP Sequence USE FOR CORPORATE SITE-thumb
Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.

CREATE FREE ACCOUNT

Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 

Industries

Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

1.7.2020-what-is-a-third-party-risk-assessment-FEATURED
Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.

DOWNLOAD SAMPLES

About

Venminder is an industry recognized leader of third-party risk management solutions. 

Our Customers

Over 800 organizations use Venminder today to proactively manage and mitigate vendor risks.

Get Engaged

We provide lots of ways for you to stay up-to-date on the latest best practices and trends.

Gartner 2020
Venminder received high scores in the Gartner Critical Capabilities for IT Vendor Risk Management Tools 2020 Report

READ REPORT

Resources

Trends, best practices and insights to keep you current in your knowledge of third-party risk.

Webinars

Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

 

Community

Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.

Subscribe

 

Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

Join the thousands of risk and compliance professionals who subscribe to Venminder

How, Why and When to Request a SOC Report from Your Vendors

3 min read
Featured Image

Requesting a SOC report from your vendor is an important step to validate that the proper controls are in place at that company, and if not, to give you the opportunity to request your vendor strengthen those controls. The SOC audit report helps you better understand how the vendor is performing against those controls by giving you a deeper overview. Not only is it an industry best practice to request the audit report, but also a regulatory requirement per guidance such as the FFIEC IT Examination Handbook.

The How

You know that you need to obtain the SOC report from your vendor but just exactly how do you go about requesting the information?

Here are a few ways:

  1. Engage your first line of defense. For an established vendor, you can have your vendor relationship management team, also known as the first line of defense, reach out directly to the vendor via phone or email to request and obtain the documentation. They are typically the day-to-day contact that the vendor interacts with.

  2. Be proactive by including it in your contract. A proactive approach is to include the requirement of a SOC report review in your vendor contract language with an ongoing monitoring timeline in place.  

  3. Outsource if needed. Another option is to outsource these requests to a third party with a team of experts on staff, such as CISSPs (Certified Information Systems Security Professionals), who can handle the document collection and SOC analysis for your organization.

The Why

So, why should you request the SOC audit report from your vendor? Ideally, it should assist you in discovering any operational disconnects between what you want the vendor to do compared to what they are actually doing. The report can help identify any operational gaps, perhaps related to unauthorized or inappropriate access or data loss prevention or serve as confirmation that the controls in place are sufficient.

Another reason a SOC report review adds value to your vendor vetting and monitoring process is that it outlines controls that your organization needs to implement as well to assist the vendor in accomplishing some of the controls, these are called complimentary user entity controls. Your organization is the user entity.

The When


Here is a brief overview and when you should request different report types:

  • SOC 1 – This report is designed to review a vendor’s internal controls as they relate to financial reporting. A SOC 1 Type 1 will cover the controls in place at a single point of time. A SOC 1 Type 2 will cover the controls in place over a period of time. A Type 2 report is preferred when available.

  • SOC 2 – This report is an examination on the vendor’s controls over a selection of the 5 Trust Services Criteria (e.g., Security, Processing Integrity, Availability, Confidentiality and Privacy). One of the trust services criteria can be covered or it can cover all five. Since these reports are specifically targeted towards information security and system availability request the report to help you determine if the proper controls are in place to protect your organization’s information. This report can also be a Type 1 or a Type 2.

  • SOC 3 – This is a high-level summarization of the SOC 2 report therefore it’s not as comprehensive. This report is good to request when initially vetting a vendor but should not replace a SOC 1 or SOC 2.

  • SSAE 18 – This report accompanies the SOC 1 and requires your vendor to outline their vendor’s functions being provided by the subservice organization and the assumed controls that have been put in place (your fourth parties). Request this report to better understand your fourth party’s operations and procedures, like when the fourth party has access to non-public personal information (NPPI) or your customer’s information.

Requesting and obtaining the correct SOC report from a vendor is a very important due diligence component across organizations. The process can be streamlined greatly when it’s clearly understood how and why you should be requesting these.

Do you know how to review a SOC report once you receive one? Download our guide now to learn how to properly analyze a vendor SOC report to mitigate third party risk.

vendor soc report

Subscribe to Venminder

Get expert insights straight to your inbox.

Ready to Get Started?

Schedule a personalized solution demonstration to see if Venminder is a fit for you.

Request a Demo