Request Demo →
Product
tprm software

Manage the Complete Vendor Lifecycle

Easily manage your third-party risk management activities across the vendor lifecycle – onboarding, ongoing management, offboarding.

Take a Product Tour to See Venminder in ActionNew
View Pricing & Packaging
 
vendiligence

Outsource Vendor Control Assessments

Order due diligence assessments on your vendors that include qualified risk ratings and reviews from Venminder experts.

 
venmonitor

Continuously Monitor with Risk Intelligence

Seamlessly combine risk intelligence data to monitor for risks within cybersecurity, business health, financial viability, privacy, ESG and more.

samples library
Why Venminder
case studyCase Studies

Learn how our customers have managed their vendors and risk with Venminder.

researchIndependent Research

Check out independent research that validates Venminder's market leader position.

Take a Product Tour to See Venminder in ActionNew

 
check whyWhy Venminder

See why Venminder is uniquely positioned to help you manage vendors and risk.

customer experienceCustomer Experience

Our team is committed to a single goal: a customer experience second to none.

implementationImplementation

We offer quick and customer-focused implementation for fast ramping.

 
business caseBusiness Case

Learn practical steps to create and present a business case for third-party risk management to stakeholders.

industriesIndustries

Learn how Venminder helps companies of all sizes and within all industries.

samples library
Education
resourcesResources

Download complimentary resources to guide you through all the various components of a successful third-party risk management program.
blogBlog

Read Venminder's blog of expert articles covering everything you need to know about third-party risk management.

 
webinarsWebinars

Stay current on the latest best practices and trends in third-party risk management
online communityCommunity

Join a free community dedicated to third-party risk professionals where you can network with your peers.

 
samples librarySamples

Download samples of Venminder’s vendor risk assessments and see how we can help reduce the workload.

third party thursday newsletterWeekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.

resources-whitepaper-state-of-third-party-risk-management-2025
State of Third-Party Risk Management 2025
 

Venminder's State of Third-Party Risk Management 2025 whitepaper provides third-party risk management insight and industry statistics to help you make informed programs decisions. Learn how others are managing third-party risk.

About
venminderCompany

Venminder is the industry's leading third-party risk management solution provider.
careersCareers

We're hiring! Explore career opportunities and learn more about Venminder culture.

Take a Product Tour to See Venminder in ActionNew

 
partnersOur Partners

Check out the select partners we aligned with to provide additional solutions and services.

partner programPartner Program

Learn how to become a Venminder integration or referral partner.

 
request a demoRequest a Demo

See how Venminder can enable you to run an efficient third-party risk program.

contact usContact Us

Get in touch with a member of your team to discuss a question you may have.

customer supportCustomer Support

Already a Venminder customer? Connect with the Customer Support Team.

g2 recognition venminder
Third-Party Risk Management

Common Vendor Risk Management SOC Questions & Answers

By: Aaron Kirkpatrick on April 26 2017

3 min read
Featured Image

Let's spend a couple minutes on discussing SOC reports from an examiner's perspective and what we are seeing for 2017 

Subheading

Here's an example question that I'm getting from our clients regarding examiner expectations. So one of the questions you can see here is: 

  • So does this mean that our SOC 1 just flat out replaces our previous SAS70? And the answer is unfortunately somewhere in the middle. Again, because the SAS70 became this gorilla before and scoped so many different ways, when they retooled it into these new SOC reports, now you really need to know what to request. Because sometimes people just simply replace SAS70 with SSAE16 and effectively we’re not getting the same report. When they really need to ask for both the SOC 1 and SOC 2 report, to be able to not only look at the financial controls of a SOC 1 but also the compliance and information security controls of a SOC 2. So it’s case by case. It’s driven by criticality of vendor. Not all vendors need a SOC 2, not all vendors need a SOC 1 frankly. So, it really just depends on that vendors relationship with you and where it falls in your risk matrix.  
  • And, another question that I get is, is SOC 3 reports good for anything then? And, certainly I think there’s value there, often times when SOC 2 and SOC 3 reports are done because we are doing SOC 2 work, and naturally a SOC 3 report will be produced at the same time since you’re kinda covering the same areas anyway, there’s just some additional reporting time, so I always tell folks from an initial due diligence standpoint it’s great, if you’re just going out and trying to find a half dozen vendors that do mobile, whatever the case may be, an encryption company, having that could be a vetting part for you to kind of whittle down to folks that are kind of thinking the same way you need them to think and so having a SOC 3 report like that is kind of an early indicator that they are maybe doing the right things. And I should emphasis MAYBE doing the right things. But later on, as you get it down to 2 or 3 vendors you certainly want to get some more information and detail from those other types of reports.  

 Subheading

So in short, I would just simply recap and say, SOC 1 and SOC 2’s, I would get in the process of asking every single time for any of your critical vendor’s.  

Learn more about analyzing SOC reports. Download our eBook.  
Infographic

Donec nec justo eget felis facilisis fermentum. Aliquam porttitor mauris sit amet orci. 

placeholder

Related Posts

15 Tasks for When A Vendor Management Examiner Comes to Town

The examiner is coming, the examiner is coming! DON'T PANIC! Seriously, there’s no need if you’re...

8 Items to Have Ready For An Examiner's Arrival

I'm often asked what sort of things a third party risk or compliance manager might be asked to have...

Balance In Third-Party Risk Management

When I’m not at work, you’ll most likely find me on my bicycle. Some might argue that I am...

Subscribe to Venminder

Get expert insights straight to your inbox.

Ready to Get Started?

Schedule a personalized solution demonstration to see if Venminder is a fit for you.

Request a Demo