Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.


Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 


Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.



Trends, best practices and insights to keep you current in your knowledge of third-party risk.


Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars



Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.



Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

State of Third-Party Risk Management 2023!

Venminder's seventh annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.



Analyzing Vendor SOC Controls

CPE Credit Eligible

How to identify your vendor's SOC controls.

Learn where to find the controls section within a SOC report, what control objectives and activities are and what to look out for in findings and exceptions.

You may also be interested in:

Video Transcript

Welcome to this week’s Third Party Thursday! My name is Aaron Kirkpatrick and I’m the Information Security Officer here at Venminder.

In this video, we’re going to cover how to review the control section in SOC reports.

Let’s start with Complimentary User Entity Controls. To find this control section, look towards the bottom of SOC 1 and SOC 2 reports – it will normally be called “Complementary User Entity Controls” or just “User Entity Controls”. These are some of the most important controls in the report. In this section, the vendor is telling you that for their controls to be effective, you have a role in supporting those controls.

NOT doing so will have a negative impact and increase the risk to your institution. We’ve seen SOC reports with 0 as they’re not required, but we’ve also reviewed reports with over 75.

In an effort to reclarify their original intention, the AICPA notes in SSAE 18 that Complementary User Entity Controls should directly relate to the products or service the vendor is providing and be associated with the vendors control environment.

It was becoming common to find generalized best practice controls listed as Complementary User Entity Controls. Some vendors structure their controls to where they claim Complementary User Entity Controls are not required to and are self-sustaining.

In regards to Complimentary User Entity controls, expect your regulator to ask 2 things:

  1. First, to see a list of vendors where complementary user entity controls are identified in a vendor(s) SOC report, especially for critical and/or high risk products. This is your chance to demonstrate you read the report and know where these controls exist.
  2. Second, they’ll ask to see evidence of processes and/or procedures you have put in place to ensure you are executing internally on those controls. Be ready. We know this commonly happens during client exams.

Vendor Control Objectives and Activities

Let’s switch over to the vendor’s control environment which consists of Control Objectives, a general category of policies and practices in place meant to achieve a common goal, and Control Activities, those policies and practices.

An important area to look at within this section are at the tests the auditor actually performed to determine whether the control activities were operating effectively throughout the period covered by the report. Looking into how the controls were tested sometimes reveals how well the auditors know the product or service type.

As you review these controls, are there any exceptions noted on any of them?

Exceptions are noted deviations from the documented control environment as discovered by the audit entity or in other words, the vendor stated they have a control in place, the auditor tested it and discovered either a gap in the process or a case, or multiple, where the control failed.

A significant exception is one that could have or could still pose a risk to the vendor to the point of internal systems being compromised by malicious outsiders.

A common exception we see in our reviews concerns user management, specifically user terminations. We’re constantly reporting on exceptions showing months went by without administrative accounts being disabled or deleted.

If that user were terminated and was malicious, they’ve just given extended access to someone with potential for malicious intent that has intimate knowledge of how your system works.

It's typical that the vendor's management will respond to exceptions. You should pay attention to if these responses cover the mitigating controls that were in place at the time of the exception as well as whether there has been action taken to fix the failed process.

Management responses are either noted in the same area as the control activities, or, sometimes they are noted in section 5 of the report which you’ll find at the end.

You should review exceptions and determine if additional action is required. If the noted exceptions are severe enough, the vendor may need to have increased monitoring in your vendor management programOther actions may include reviewing previous reports to determine if a negative or positive trend is occurring within the vendor’s environment.

Overall how well do they cover these items?

Were there critical or high risk exceptions? You should develop a rating system for consistent reviews for all your vendors. This rating system should inform your overall risk assessment on the vendor and carefully identify any remaining risk associated with doing business with the vendor.

The SOC report is only one element, although an important one, in your overall risk assessment process.

So there we go, now you know:

Where to find the controls section, what control objectives and activities are, and what to look out for in findings and exceptions.

Again, I’m Aaron Kirkpatrick and thank you for watching! If you haven't already, please subscribe to the Third Party Thursday series.


Subscribe to our Third Party Thursday Newsletter

Receive weekly third-party risk management news, resources, and more to your inbox.


New Call-to-action

Ready to Get Started?

Schedule a personalized solution demonstration to see how Venminder can transform your vendor risk management processes.

Request a Demo