Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.


Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 


Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.



Trends, best practices and insights to keep you current in your knowledge of third-party risk.


Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars



Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.



Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

State of Third-Party Risk Management 2023!

Venminder's seventh annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.



5 Types of Vendor SOC Reports

CPE Credit Eligible

There are five types of SOC reports, do you know all of them?

So, what are the types of service organization control (SOC) reports and which type of SOC report did your vendors have performed? It can be confusing to keep track of them. To help, we'll briefly go through all 5 of them in this video.

You may also be interested in:

Video Transcript

Welcome to this week’s Third Party Thursday! My name is Aaron Kirkpatrick and I’m the Information Security Officer here at VenminderToday we’re going to be talking about the five types of service organization control reports, SOC reports for short. If you missed the Third Party Thursday video on the 3 first key points to review in SOC reports, I recommend queuing that up next! Let’s get started...

So what are the types of SOC reports and which type of SOC report did your vendors have performed? Well, there are five types.

  • SOC 1 Type I
  • SOC 1 Type II
  • SOC 2 Type I
  • SOC 2 Type II
  • SOC 3

SOC 1 Type II and SOC 2 Type II are the most common.

So what are the differences between the reports?

SOC 1 Type 1’s cover an environment which could affect your financial statements if certain controls are not followed. This audit is performed at a point in time. The catch is that With a SOC 1, like the old SAS 70’s, the vendor gets to write their own controls.

A SOC 1 Type 2 has the same base, the SOC 1 part meaning that the controls are decided on by the vendor, but the Type 2 designation means that the audit covers a period of time. Normally 6 to 12 months. 

A SOC 2 Type 1 is the next type. SOC 2’s made their way into the audit scene in mid 2011 and had a slow adoption. SOC 2’s follow the Trust Service Principles of:

  • Confidentiality
  • Availability
  • Processing
  • Integrity
  • Security
  • Confidentiality

Only a subset of these has to be chosen and each principle has a set of defined control objectives.

The vendor still gets to write and customize the actual control that gets tested, and can also state that certain control objectives are not applicable, but the SOC 2 provides a much more structured and consistent control environment. 

The SOC 2 Type 2 report is the report that we like the best as it provides a more consistent control environment to review and as it’s a Type 2, it covers a period of time, so we know that the controls were in place and operating effectively for that period of time and weren’t just implemented while the auditors were on site one day. A quick note to say that we feel that Type 1 SOC reports covering only a point in time are worthwhile. Type 1 reports can be great when a vendor has a new service offering or is a new company and don’t have the evidence to cover a period of time, yet still need to show your customers and potential customers that the vendor has created a control environment which has been tested by a third party.

SOC 3 is the last type of SOC. Like the SOC 2 it follows the Trust Service Principles. SOC 3’s are mainly used early on in the Sales process as they don’t require a non-disclosure or confidentiality agreement since they are only the auditors and vendors statements and a description of the vendor’s system stating that controls for the chosen Trust Service Principles are in place and have been audited. Once you get further into the vendor selection process we recommend that you review their SOC 2 report as well.

The benefits of reviewing SOC reports are not limited simply to the examiner’s request. There are true strategic business advantages to be gained from them. Again, I’m Aaron and thank you for watching! Don’t forget to subscribe for next week's Third Party Thursday video. 


Subscribe to our Third Party Thursday Newsletter

Receive weekly third-party risk management news, resources, and more to your inbox.


New Call-to-action

Ready to Get Started?

Schedule a personalized solution demonstration to see how Venminder can transform your vendor risk management processes.

Request a Demo