Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.


Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 


Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.



Trends, best practices and insights to keep you current in your knowledge of third-party risk.


Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars



Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.



Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

State of Third-Party Risk Management 2023!

Venminder's seventh annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.


I’ve Never Dealt with a Vendor SOC Report: Where Do I Begin?

3 min read
Featured Image

The importance of a System and Organization Controls (SOC) report in third party risk management cannot be stressed enough. A SOC report is prepared by an independent auditor, so you can be assured that you’re getting an impartial view of your vendor’s control environment. The good, the bad and the needs some work are all in one place.

Before you start your SOC review process, you will need to contact your vendor and request their current SOC report and any pertinent gap (bridge) letter. The gap letter is issued by the vendor to cover the dates in between the last SOC report period ending date and the date of the letter. It’s often used as an interim assurance that controls are still in place and operating effectively while you’re waiting for the next SOC audit report to be released. In addition, make sure that you request the specific SOC report or gap letter for the product or service that you have contracted for, as many vendors have multiple service offerings so, therefore, have multiple reports.

I’ve Received the Report. Now What?

Let’s break it down into four steps:

  1. Confirm the Dates and Product/Service: Once you’ve received the appropriate SOC report, you will first need to verify that it’s the most current report available and covers the product/service under contract.

  2. Review the “Report of Independent Service Auditors” section: This part of the report will explain to you exactly what the report will be covering and will let you know if the report resulted in a Qualified Opinion. An auditor provides a qualitied opinion when their designated controls are NOT operating effectively. It’s a potential reg flag!

  3. Review the auditor’s results of testing all the control objectives: As you review the report, you will see the auditor’s results of testing all the control objectives. In the event there are any exceptions – an exception is when a control objective did not operate as it should – you will want to review those and any management response, if any, from the vendor.

  4. Look at the Complementary User Entity Controls (CUECs). These are YOUR responsibility. The CUECs are controls that your vendor needs you to have in place so that the vendor’s controls are operating effectively. These controls “complement” your vendor’s controls.

The SOC Report Frequency

Typically, SOC reports are conducted annually, although there are some vendors that engage a firm for a semi-annual or even bi-annual SOC report. The frequency of your vendor’s SOC reporting period will determine the frequency of your review. Just remember that examiners and auditors love to see that your vendor’s current SOC report is on file and has been reviewed.

SOC Reports Don’t Have to Be Confusing

A SOC report can appear to be a very intimidating report. Don’t let it scare you and remember that a SOC report is presented in a very standard format:

Section 1            Report of Independent Service Autor

Section 2            Vendor Assertion

Section 3            Vendor’s Description

Section 4            Control Objectives and Results of Testing

Section 5            Other Information

Once you become familiar with the format and the language, you’re halfway there to conquering this new territory. Just follow the steps above and you will be on your way to a better understanding a SOC report.

Learn to better understand the different definitions of vendor SOC reports. Download the infographic. 

New call-to-action


Subscribe to Venminder

Get expert insights straight to your inbox.

Ready to Get Started?

Schedule a personalized solution demonstration to see if Venminder is a fit for you.

Request a Demo