Understanding Your Vendor's SOC Report - The Basics

CPE Credit Eligible

What is a SOC report?

A SOC report is an independent audit report performed by a public accounting firm and attests to the existence and effectiveness of the controls put in place to safeguard your data. Listen to this podcast as we break down 6 of the most important parts of your vendor's SOC report.


Podcast Transcript

Welcome to this week’s Third Party Thursday! My name is Lisa-Mae Hill and I’m an Information Security Specialist here at Venminder. In today’s podcast we’re going to discuss the basics of a vendor SOC report.

A SOC report is an independent audit report performed by a public accounting firm. The report will attest to the existence and effectiveness of controls specified by the company that’s being audited, your vendor. Basically, the report should tell you if your vendor has the right controls in place to safeguard your data and if those controls are actually working, based on the scope of the audit.

It's important to thoroughly review the vendor SOC reports as you obtain them. When you receive the report, it’s not only imperative that you read it, but also that you review and truly understand the report. As you review the document, begin drafting an analysis that identifies any gaps and the complementary controls.

The best way to start your review of a SOC report is to understand what to look for in the report and how to identify the gaps in your third party’s controls.

When reviewing a SOC report, it’s important to look at and review the following areas:

  1. The reporting period – you want to make sure the report is the MOST current available and that it’s recent. If a SOC review was not done within the last 18 months, request additional information from the vendor. They may be able to provide a GAP letter, or bridge letter as some call it, which is a letter issued by your vendor that covers the gap between the last SOC report period ending date and the date of the letter. It can be used by you as an interim assurance by management while waiting for the next audit.

  2. Organization and administration – This section gives you information about the vendor itself: how they are set up, who is responsible for what, and what kind of management structure they have in place.

  3. Products and Services – You want to make sure that the report you are reviewing covers the products and services YOU utilize from the vendor. Many vendors have several reports for different products and services and they could all be different.

  4. Understand the information system – Understanding what type of information a vendor processes and how they protect it is critical. Your vendor should provide information regarding how they secure servers, networks and computer systems.

  5. Review data center information – access controls, environment and the monitoring of this infrastructure. Data center protections are crucial to protecting information. Understanding how a vendor manages their data center and ensures their infrastructure is resilient and available at all times is important.

  6. Control objectives and activities – This is where the audit firm will actually test the controls in place and determine if they are operating effectively. Identifying failures and areas that are not operating effectively, as well as remediations that are in place, is an important tool in determining if a vendor can provide you the service they are contracted to provide.

It’s important to identify gaps when reviewing each area within the SOC report and to document any findings. Have a qualified individual, such as a CISSP, perform the review and write up an expert analysis outlining the overall findings.

Your examiner will want to see the actual SOC reports on file for your vendors, as well as a qualified review of the audit report(s) acknowledging your understanding of strengths and weaknesses. The review should be done by qualified personnel who understand what controls should be in place at your vendor and the severity of any findings.

Again, I’m Lisa and thanks for tuning in to this week’s Third Party Thursday; if you haven’t already done so, please subscribe to our series.
