I've never reached out directly to a 4th party, but that depends on what you put into your policy.
I've used ideas like – the 3rd party has a vendor management program of their own, so we only request a SOC report of 4th parties that have our data.
The 3rd party can generally give you a copy of the 4th party, with permission of course, and possibly an NDA.
Thanks,
Dave
David Howe
Chief Information Officer