Our CISSPs are available to do a qualified review and analysis of your vendor SOC reports so that you can focus on the strategic decisions.
You are required to review and understand your vendor's SOC report(s) to ensure that the vendor has the proper controls in place to protect the interests of your financial institution.
Our CISSPs can review your vendor SOC reports and do a complete analysis, including providing you with an overall risk score for each vendor. This service is highly recommended for your critical and/or high risk vendors.
The SOC 2 Report
This report covers controls in place to address security, availability, processing integrity, confidentiality and privacy (the AICPA Trust Services Criteria). It describes controls implemented by the vendor and also the complementary user entity controls that the customer (your financial institution) must implement in order to complete the control structure; those customer-side controls are part of the review, not an appendix to skip. Check which type you have been given: a Type 1 report covers the design of controls at a point in time, while a Type 2 report also tests their operating effectiveness over a review period.
A SOC Audit
A SOC audit is the testing of controls applied by your vendor when storing, processing or transmitting your data. The audit is conducted by a qualified CPA firm under AICPA attestation standards.
You need to obtain this document from your vendor and review the SOC audit report(s) to ensure the vendor has the proper controls in place to protect the interests of your financial institution. Read the auditor's opinion, any exceptions noted in the testing results, and the scope of systems and locations covered; a clean opinion over the wrong scope tells you nothing about the service you actually use.
If you are not a subject matter expert on IT control environments, or familiar with audit report formats and the auditor/technical language used in the related documentation, it can be daunting to read a SOC report and walk away confident that you understand the answer to the underlying question: Is my vendor handling my data in a safe, secure and responsible manner?
At Venminder, we have a highly trained and qualified staff of CISSPs (Certified Information Systems Security Professionals) available to analyze your vendor's SOC reports.
Regulatory guidance requires you to collect due diligence documentation, and one of the important pieces is the SOC report, so that you understand the health of your vendor's operating environment.
What will the examiners want to see?
Your examiner will want to see the actual SOC reports on file, as well as a qualified review of the audit report(s) documenting your understanding of the vendor's strengths and weaknesses. The review should be done by qualified personnel who understand what controls should be in place at your vendor and the severity of any findings.
Excerpt from FFIEC IT Examination Handbook
Third-party management program: Due diligence and monitoring present valuable information on the third-party provider’s control environment. This information is necessary to identify the risks in an institution’s IT environment.
Save Time: We do the tactical work of reviewing the SOC reports leaving you time to focus on the strategic decisions required based on those results.
Examiner Proof: Our work product has been scrutinized by examiners from every regulatory body with rave reviews.
Cost Effective: Adding qualified full-time employees (FTEs) is expensive, and existing qualified FTEs are stretched thin. Our staff can fill your resource gaps at a fraction of the cost.
Experience: Our SOC reviews are performed by trusted CISSPs who take deep dives into your vendor's SOC report to call out findings and concerns.
Confidence: SOC reports can be complex. It's imperative to understand the contents and any risks identified. Our reviews ensure you never miss anything important regarding the security and safety of your (and your customers' or members') data.
Download one of our sample SOC reviews.