Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.


Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 


Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.



Trends, best practices and insights to keep you current in your knowledge of third-party risk.


Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars



Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.



Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

State of Third-Party Risk Management 2023!

Venminder's seventh annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.


SSAE 18: The Full Overview for Vendor Management

4 min read
Featured Image

The purpose for the creation of the SSAE 18, in May 2017, was to clarify the auditing standards and to reduce duplication within similar standards covering examinations, reviews and agreed-upon procedure engagements, specifically SSAE Nos. 10-17. These now fall under SSAE 18.

It supersedes the SSAE 16 and condenses other standards down to a more manageable state. Instead of making reference to SSAE 16, it’s best to just call System and Organization Control (SOC) reports, SOC 1 Type I or II and SOC 2 Type I or II. With the new guidance comes additional assistance which you can use in your vendor management process.

The Differences Between Vendor SOC Reports

The uses are meant to be different between SOC 1, SOC 2 and SOC 3. These include:

  • SOC 1: Meant to be used to attest that controls at a service organization, your vendor and relevant to your internal control over financial reporting, are in place, with Type I, and operating effectively, with Type II reports.
  • SOC 2: Meant for a much broader audience and includes many more IT controls. SOC 2 also follows the Trust Services Criteria - Availability, Confidentiality, Processing Integrity, Security, and Privacy - which makes it more structured and consistent.
  • SOC 3: Meant for general use and can be openly available on vendors’ websites if desired. SOC 3 contains much less detail and doesn’t include controls or the testing associated with it. These can be used for initial vendor vetting, but a SOC 1 and/or 2 should be reviewed prior to vendor selection.

SSAE 18 Addresses Fourth Parties

With SSAE 18, SOC reports now require creation and inclusion of Complementary Subservice Organization Controls, when applicable, which is when your vendor relies on one of their critical third parties to deliver a service to you – aka your fourth party. The good news about this is that your vendor must provide more clarity on how they are addressing their own vendor management obligations.

So, what does this really mean? It means that if your third party vendor is using a subservice provider that is critical to your organization’s delivery of products or services, then the vendor must be identified within the SOC report. You’ll be able to better manage your organization’s fourth party vendors.

SSAE 18 Helps Protect Your Organization

Ways SSAE 18 helps protect you are:

  1. Guarantees your third party fully discloses fourth parties critical to your operations so that you’re aware of them
  2. Clearly identifies responsibilities your third party relies on fourth parties
  3. Gives you a better understanding of how your third party manages the fourth parties so you can ensure there are no gaps you need to be concerned with

When Should You Review a Fourth Party SOC Report?

You should complete due diligence on your fourth party vendors. Therefore, you should collect and review fourth party SOC reports. But, which ones?

  1. It’s necessary to review the fourth party SOC report when the services they provide could directly affect your business. For example, if your vendor uses a fourth party for data center services, your data may now be outside the boundaries of your contract with your vendor. If your vendor uses a fourth party for information system controls, server security, network security, patch management, etc., or if the fourth party does not do their job, your data is at risk, which ultimately affects your business.

  2. If the fourth party provides a “make or break” service to your vendor like a data center service or information system services or if your vendor is just a reseller of another vendor’s product.

Who Is Responsible for Obtaining a Fourth Party SOC Report?

SOC 1 and SOC 2 reports are considered confidential. Sometimes, the fourth party vendor will not provide you with their due diligence information as your business in not their client. It’s the responsibility of your third party vendor to provide you with the fourth party’s SOC report(s) and additional due diligence documentation, which should be in your contract. You can also point to resources such as OCC Bulletin 2017-21. Be aware that the term subcontractor is used by the OCC – it’s a term that means fourth party.

When a fourth party provides a critical service to your vendor, contact your vendor and request the necessary fourth party SOC report, or a due diligence package if a SOC is unavailable. Again, you should be reviewing and analyzing critical fourth party SOC reports, just as you would if the fourth party was your direct vendor.

In addition, if there are Complementary User Entity Controls (CUEC) in the fourth party SOC report, you should verify that your third party has taken those into consideration and reviews them regularly to make sure that all bases are covered.

Don’t Let Your Fourth Party Be a Weak Link

Even if you don’t have a direct contractual relationship with a vendor, sometimes understanding a fourth party’s controls are equally as important as a lack in information security could directly impact your organization.

To remember all of the key points we've covered in this blog post, download our helpful infographic. 

SSAE 18 impact to bank credit union mortgage

Subscribe to Venminder

Get expert insights straight to your inbox.

Ready to Get Started?

Schedule a personalized solution demonstration to see if Venminder is a fit for you.

Request a Demo