Hi Kouadjo,
We struggled with Jack Henry for a few years too, based on the size and complexity. We finally settled on this...
Our due diligence review is attached to the primary vendor profile, Jack Henry, regardless of how many of JH's products we might purchase (or how many 4th party vendors might apply). We obtain and review any documents that might apply to the overarching company, like financial docs and proof of insurance. We also obtain and review any documents that apply to the product lines we elected to purchase, like SOC reports...which means we complete SOC reviews each year for Episys, Synergy, EPS, etc. (If they had any 4th parties, we would also review those SOC reports, etc. at this time.) Once we have completed all the individual document reviews, we begin an overall review/risk assessment that considers all of the subparts mentioned above and knits them together into a cohesive risk picture.
Hope this helps!
Sheila
Original Message:
Sent: 06-10-2020 06:21 PM
From: kouadjo bini
Subject: How do other you evaluate JHA or Vendors with multiple SOC reports?
Hi, I am wondering how other companies evaluate Jack Henry as a whole when they have about 10 SOC reports for each division. Do you have JHA broken down into multiple sub-vendors, according to their SOC & DR Plans testing? Is this in your Vendor Management policy?
Please advise