
Why and When You Look at a Fourth Party’s SOC Report


There’s a common saying that a chain is only as strong as its weakest link, and it applies directly to your vendor management program. A single vendor can expose your organization to significant risk, but what about the links you can’t see? Each of your vendors has vendors of its own, also known as your fourth parties.

Although you don’t have a contract with your fourth parties, this doesn’t mean they’re exempt from your vendor risk management activities. Certain fourth parties may provide products or services that directly affect your organization, in which case you’ll want to review their SOC report.

Why Fourth-Party Vendor SOC Reviews Are Essential

Reviewing your fourth party’s SOC report might seem like a time-consuming task that doesn’t provide much value, but this process can help confirm the following critical details:

  • The fourth party has controls in place. If a fourth party has access to your organization’s or your customers’ data, you need confirmation that it has controls in place to protect its systems.
  • The fourth party’s controls are operating effectively. The existence of a fourth party’s controls is just the first step; you also need to confirm that they work. This is the difference between a Type I report, which only evaluates control design at a point in time, and a Type II report, which tests operating effectiveness over a period.
  • The fourth party’s controls have gone through independent testing. It never hurts to have an outside perspective on any of your third or fourth parties. An independent auditor’s opinion on whether the controls are effective is far more reliable than the vendor’s own claims.

3 Examples of When You Should Review a Fourth Party's SOC Report

Obtaining a fourth party’s SOC 1 or SOC 2 report can be challenging because these are considered confidential documents. The fourth-party vendor won’t typically provide confidential information to anyone who isn’t a direct client, including your organization. Therefore, you’ll often need to obtain this type of information from your third-party vendor, with whom you do have a direct relationship.

The following are examples of when you should obtain the information from your third-party vendor and review your fourth party’s SOC report:

  1. If the fourth party is used by one of your critical vendors, since your organization might be impacted during a service outage or other unexpected event. 
  2. If a vendor uses a subservice organization for data center services, your data is now outside the boundaries of your contract with the vendor.
  3. If a vendor uses a subservice organization for information system controls, server security, network security, patch management, etc., your data will be at risk if that fourth party doesn’t do their job effectively. This ultimately affects your organization, so it’s important to review the fourth party’s SOC report. 


Steps to Properly Review a Fourth Party’s SOC Report

Before you begin, review your vendor’s own SOC report to identify your fourth parties. This should be straightforward, because under SSAE 18 the vendor’s system description must name the subservice organizations it relies on and state how each one is treated: under the inclusive method, the subservice organization’s controls are described and tested inside the vendor’s report; under the carve-out method, they’re excluded, and the vendor’s report only lists the controls it assumes the subservice organization has (the complementary subservice organization controls, or CSOCs). A carved-out fourth party is exactly the case where you need that fourth party’s own SOC report, since nothing in your vendor’s report tests its controls. Focus on the fourth parties that provide a critical product or service to your vendor, such as a data center or information system service provider. These are the fourth parties that you should be reviewing in more detail, so ask your third-party vendor to provide their SOC reports.

Your subject matter experts (SMEs) are crucial to the review process. You should use a qualified expert or team of experts who have the capability and knowledge to review the SOC report.

Let’s now discuss the steps:

First step: Verify the report’s date and make sure you’re reviewing the most current version. For Type I reports, which describe control design at a point in time, that date should be within the past year. Type II reports, which test operating effectiveness over a period, usually cover six to twelve months. If several months have passed since the period ended, or there’s a gap between consecutive reports, request a bridge (gap) letter. Keep in mind that a bridge letter is a statement from the fourth party’s management that no material changes to its controls have occurred since the period ended; it isn’t audited, so it extends coverage only until the next report arrives.

Second step: Understand how to read the auditor’s opinion, which is generally categorized as unqualified, qualified, a disclaimer, or adverse. These specific words might not be used, so it’s helpful to understand the meanings:

  • Unqualified opinion – The “baseline” state of a SOC report. The auditor concluded that the system description is fairly presented and that the controls were suitably designed (and, for a Type II report, operating effectively) throughout the period. Individual test exceptions can still appear in the testing section without changing the overall opinion, so keep reading past the opinion page. 
  • Qualified opinion – An “except for” opinion. The auditor found that one or more specific control objectives or criteria were not met, but the problem is not pervasive enough to invalidate the report as a whole. Identify exactly which controls were affected and whether they matter to your data.
  • Disclaimer – The auditor couldn’t obtain enough evidence to form an opinion at all, usually because of a scope limitation. You’re left with no assurance about the controls in question.
  • Adverse opinion – The auditor concluded that the system description is not fairly presented, or that the controls are not suitably designed or operating effectively, and that the problems are material and pervasive. Treat this as a red flag. 

Pro Tip: Ask your vendor for additional information on your fourth party’s controls if you see any disclaimers or qualified or adverse opinions in the SOC report.

Third step: Thoroughly examine the fourth party’s controls, which will generally include the following details:

  • Management’s assertion – This is a written statement from the fourth party’s management that its system description is fairly presented and that its controls were suitably designed (and, in a Type II report, operating effectively) over the period. The assertion is management’s claim, not proof; it’s what the auditor’s opinion tests. 
  • Description of system and controls – The fourth party should provide information such as its security training and policies, along with the board of directors or executive leadership’s involvement in its risk management activities. You may also see complementary user entity controls (CUECs), which are controls that your vendor, as the fourth party’s customer, is responsible for implementing. You’ll want to regularly verify that your vendor has implemented these if they’re listed in your fourth party’s SOC report.
  • Control objectives, activities, and testing – These details show what the audit firm tested and whether each control met its objective. Note every exception found, including those that didn’t change the overall opinion, and determine its impact on your organization.

Overall, it’s essential to have a solid understanding of your fourth party’s entire control structure because their activities can impact your organization. Reviewing a fourth party’s SOC report can prevent unwanted exposure to risk that comes from an extension of your direct vendor environment.
