Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.


Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 


Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.



Trends, best practices and insights to keep you current in your knowledge of third-party risk.


Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars



Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.



Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

State of Third-Party Risk Management 2023!

Venminder's seventh annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.


What Is a Vendor SOC Report?

4 min read
Featured Image

A system and organization controls (SOC) report is often one of the most challenging documents to review during vendor due diligence. SOC reports are available in multiple variations that serve different purposes, and they might contain confusing terms like Trust Services Criteria or management’s assertion.

To begin, let’s review a basic definition of a SOC report:

It’s the resulting report from an independent examination of internal controls following the SSAE 18 standard issued by the American Institute of Certified Public Accountants (AICPA). The report will attest to the existence and effectiveness, for type II audits, of controls specified by the company being examined (your vendor). Basically, the report should tell you if your third-party vendor has the right controls in place to safeguard your data and if those safeguards are actually working, based on the scope and type of the examination as determined by the vendor.

If you’re still a little confused by this explanation, it may help to answer two common questions about third-party SOC reports. First, what are SOC reports used for? And second, why are there different types of SOC reports? Once you understand these two aspects, you should have a better understanding of these types of reports. 

What Is the Purpose of a Third-Party Vendor SOC Report?

First and foremost, a third-party vendor SOC report is produced to confirm whether a vendor’s controls are in place and operating effectively for type II examinations or identify if there are any control exceptions, which are occurrences where a control did not operate effectively during the period. Controls refer to governance and technical practices the vendor has implemented to measure whether their objectives have been achieved. 

One category of control that is often included in SOC reports of all types is logical access controls. These controls are designed to ensure that certain data and rights are only given to the appropriate users. Logical access controls are also used to limit data and rights so that users don’t have access to anything that they don’t need for their job. This type of control is often referred to as the principle of least privilege. Separation of duties is another control used to prevent a user from approving their own request or having access to data without another party knowing.

A third-party SOC report would reveal whether these controls are in place and effective. If they aren’t, the SOC report would contain something called an exception. The most common exceptions are around logical access controls, usually because of faulty termination or account audit processes. 

third-party vendor soc report

Aside from simply confirming controls, a third-party vendor SOC report can serve other purposes such as:

  1. Gives an opportunity to verify that independent testing of controls has been completed
  2. Provides an overview of the product/service you’re using
  3. Helps you with your requirement to continuously monitor vendors adequately
  4. Assists in verifying that the third-party vendor has adequate controls in place to protect their system

A third-party vendor SOC report can be very insightful, although this isn’t a standard document that every vendor will have. A low-risk vendor like a cleaning company or landscaper probably isn’t going to have a SOC report, which shouldn’t be an issue since they’re unlikely to have access to any sensitive data. New and small third-party vendors are also less likely to have SOC reports, in which case you’ll need to thoroughly review the other due diligence they provide. However, it should raise some concern if one of your critical vendors can’t provide a current SOC report, and you may want to re-consider the relationship.  

The Different Types of Third-Party Vendor SOC Reports

To touch on them briefly, here’s a quick overview of the three main reports you’ll see, along with the difference between Type I and Type II:

  • SOC 1 Report– Designed to review a vendor’s internal controls as they relate to financial reporting. SOC 1 audit reports are best for your non-information system-based products and services.
  • SOC 2 Report–An examination on the third-party vendor’s controls over one or more of the trust services criteria which are security, availability, processing integrity, confidentiality, and privacy.

    Note: SOC 1 and SOC 2 are further divided into the following:

    • Type I shows controls in a single point in time
    • Type II shows controls during a period of time 
  • SOC 3 Report– A high-level summary of the SOC 2 which can be shared publicly. Therefore, it’s not as comprehensive.

Additionally, guidance has been created to perform audits in the following specific areas, but their adoption has been slow. Those areas are:

  • SOC for Cybersecurity – This may help you understand a vendor’s maturity and effectiveness of their cybersecurity program. 
  • SOC for Supply Chain – Overlaps with the SOC 2 in some ways. If requested, review management’s description, management’s assertion, and practitioner’s report.

If you haven’t been requesting and reviewing a vendor's SOC reports, then make sure you adopt this important practice. It’s a regulatory requirement for some and a good recommendation for others.

In general, SOC reports are the best way to gain insight into your vendor’s control environment. Auditors and examiners will expect to see these reports and the corresponding analyses on file as part of your vendor due diligence process. Ensuring that you have these documents and analyses on file can help avoid exam findings and a lot of headaches down the road. If you’re not sure where to begin, check out the AICPA website for helpful information like this here

Subscribe to Venminder

Get expert insights straight to your inbox.

Ready to Get Started?

Schedule a personalized solution demonstration to see if Venminder is a fit for you.

Request a Demo