Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.


Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 


Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.



Trends, best practices and insights to keep you current in your knowledge of third-party risk.


Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars



Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.



Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

State of Third-Party Risk Management 2023!

Venminder's seventh annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.



Understanding Vendor SOC Scope, Time and Narrative

CPE Credit Eligible

The importance of reviewing your vendor's SOC scope, time and narrative.

Learn what the scope of a vendor's SOC report means and where to find it, typical audit periods and a few questions to ask yourself while reviewing the narrative.

You may also be interested in:

Video Transcript

Welcome to this week’s Third Party Thursday! My name is Aaron Kirkpatrick and I’m the Information Security Officer here at Venminder. In this video, we’re going to cover a SOC Report's scope, period and narrative section.

What is the scope of the report?

Normally, there are two places where you can find the scope of the report you are reviewing.

  1. First, you’ll find it within the “Independent Service Auditor’s Report” section at the beginning of the report.

    There's a couple different statements you should look for:

    • “We have examined [Vendor Name]’s accompanying Description of [Service Name]...” which will inform you of the primary focus of the audit.
    • Another statement is, “Our examination did not extend to controls of the aforementioned (subservice organization/products/services),” meaning that those products or services were not included within the audit scope. This statement will be the case for the large majority of reports. You’ll find similar wording within the vendor’s, “Management Assertion.”

  2. The second place to look for the audit scope is within Section 3 of the report, the narrative. The typical heading is “Scope of Report.” This will give you a more in-depth explanation of the scope.

    You’ll also want to determine what type of SOC Report it is and if it’s a SOC 2, what trust services principles were in scope. Types of SOC reports are covered in depth in another Third Party Thursday video titled 5 Types of Vendor SOC Reports.

What time period was audited in the SOC report?

Typical periods are January 1 - December 31 or October 1 - September 30 for twelve-month audit periods. The latter’s offset from January through December is because it takes two to three months to get the final report issued and SOC Reports generally follow financial statement timing.

A Gap or Bridge letter may be requested from management which is meant to disclose whether any control changes, deviations or exceptions have occured

Reviewing the SOC report’s narrative

The narrative tells you about the vendor, products within scope of the audit and how controls fit into general operations. Some vendors are much more thorough than others when creating this section. It should help answer questions such as:

  • Are the products and services you receive from this vendor covered in the SOC report you have in hand?
  • Many vendors produce multiple SOC reports, do you have the right one or do you need additional reports?
  • Do they explain how controls govern their internal operations and product or service delivery for the products or services relevant to you?
  • Do they explain how controls provide security, and potentially processing integrity, confidentiality, availability, and privacy of your data they are managing?

So there we go, now you know: What the scope means and where to find it, typical audit periods of a SOC report and a few questions to ask yourself while reviewing the narrative.

Again, I'm Aaron Kirkpatrick and thank you for watching! If you haven't already, subscribe to the Third Party Thursday series.


Subscribe to our Third Party Thursday Newsletter

Receive weekly third-party risk management news, resources, and more to your inbox.


New Call-to-action

Ready to Get Started?

Schedule a personalized solution demonstration to see how Venminder can transform your vendor risk management processes.

Request a Demo