GM, Michael, your approach is solid. Never heard IA requesting 4th SOC reports, that is ridiculous. Your approach leverages your TP relationship and controls over their TPs. Perfect. Do your contracts have provisions re your TP having TPRMO in ...
Yes, that's a solid approach. Certain 4th parties may have SOC (or related compliance) information available online for access but it is far better to have the assurance that your vendor is reviewing the compliance artifacts that they should be in ...
Fourth party to nth party risk is evolving and there really is not much guidance on it from regulators but they do expect oversight. It really does come down to your risk appetite and tolerance within your third party oversight program. Whenever we ...
Two suggestions: 1) We have executed NDAs with the Fourth Parties to gain access to the SOC 2 Reports, and 2) Our third parties share their summary of due diligence - just what was reviewed - such as the SOC Report, financials, COIs, etc.
Our External Auditors are requesting that we need to obtain our 4th Parties' SOC Report. This has posed a challenge with confidentiality since the 4th Party does not have a relationship with us. In evaluating 4th Parties, I have typically reviewed our ...