How do you base the frequency of reviews for your vendors' SOCs? If you rated a vendor as medium, and the frequency of your due diligence monitoring of documentation is every other year, would that include the SOC, even if produced annually?
What if that vendor had transaction information, but based on your assessment, they are still only a medium-risk vendor?
Is there a best practice to reference?