What is SSAE 18 in Vendor Management?

CPE Credit Eligible

How SSAE 18 affects your institution. 

Are you familiar with SSAE 18 yet? It came into effect on May 1. We'll go through what it is and how it affects vendor management at your institution.


Podcast Transcript

Welcome to this week’s Third Party Thursday! My name is Aaron Kirkpatrick and I’m the Information Security Officer here at Venminder.

In this video, we’re going to cover what you need to know about the SSAE 18. But, before we dive into that, let’s cover some basic knowledge related to how SSAE 18 works with the other SOC type documents.

  1. First off, SOC 1 and SSAE 16 will no longer be synonymous (or considered the same thing/named together). SOC 1’s will only be SOC 1’s.
  2. Second, the SSAE 18 does not directly replace the SSAE 16. The SSAE 18 is a simplified standard covering many other standards, SSAE 16 was just one. The SSAE 18 causes the SSAE 16 to be retired though as 16 is covered within 18.

  3. Third, if you request an SSAE 16/SOC 1 now, you’ll still request a SOC 1, just without reference to SSAE 16 or 18.

  4. And fourth, the SSAE 18 does not affect SOC 2 or 3’s as they are covered under a different standard than the SSAE 16 was.

Now that we covered that, let's cover more about what SSAE 18 is.

SSAE 18 requires a new creation and mandatory inclusion of Complementary Subservice Organization Controls when applicable - so controls related to your fourth parties. This will provide additional clarity of how your vendor is addressing their own vendor management obligations - so how they are handling your fourth parties.

More specifically, your vendors must identify the functions and controls that your vendor assumes their vendors are performing – all to provide you with a product or service as agreed in your contract and service level agreement.

This is good news because now vendor management is no longer just your problem, it's also your vendor's problem.

The bad news is this does not provide you with any additional assurance as the scope of your vendor’s audit will not include the operating effectiveness of the controls at your fourth party. However, it will provide the guidance you need to perform an informed review of your fourth party's SOC 1 or 2 report or other available and comparable documentation. 

With SSAE 18 coming into effect, there's also 3 key updates to SOC 1’s.

  1. There's a risk assessments requirement. This was something the SOC 2 already required to ensure controls address risks. So ask yourself, "Does the vendor fully understand and document the risks of operating and are there controls in place to monitor and mitigate that risk?"

  2. Another update is the creation of the Complementary Subservice Organization Controls. Meaning, "Does the vendor use a separate vendor or internal business unit critical to the delivery of products or services which is not within the scope of the audit?"

  3. And the third update is additional guidance to further the auditor’s understanding of the subject matter and internal control environment of the service organization, your vendor. So this means, "Does the auditor understand what they’re auditing?"

  4. And the fourth update is a clarification on Complementary User Entity Controls, which emphasizes that those controls should be specific to the product or service in scope and provided by the vendor and should relate back to specific vendor control objectives. 

So, when can you expect to see the new SSAE 18?

The official date was May 1, 2017. And also now, SSAE 16 will no longer be used. By mid to late 2017, you should begin to see the first SSAE 18’s being provided by vendors.

Our customers who use our SOC Analysis service already know that subservice organizations have been a focus in our analyses, and this update will further our ability to provide even more insight into the operations of your vendors.

Now you know the key updates associated with SSAE 18, when to expect SSAE 18's, and why it matters to you.

Again… I’m Aaron Kirkpatrick and thank you for watching! If you haven’t already, subscribe to the Third Party Thursday series.