Due Diligence and Ongoing Monitoring

  • 1.  Frequency of SOC Reviews

    Posted 10-30-2023 12:52 PM

    How do you base the frequency of reviews for your vendors' SOCs? If you rated a vendor as medium, and the frequency of your due diligence monitoring of documentation is every other year, would that include the SOC, even if produced annually?

    What if that vendor had transaction information, but based on your assessment, they are still only a medium risk vendor?

    Is there a best practice to reference?

  • 2.  RE: Frequency of SOC Reviews

    Posted 10-31-2023 08:59 AM

    Typically, we only review the SOC reports if the vendor is up for a review that year. Operationally Critical vendors are reviewed every year. Very High and High risk vendors are reviewed annually. Medium Risk vendors are reviewed every two years. Low and Very Low risk vendors are reviewed every three years.


    There are a few vendors that we review SOC reports for each year, regardless of the risk or criticality. The HRIS vendor is the big one. The reason we do not rate them as Critical or High risk is because we do not utilize them to move payroll funds. We also have contingency processes in place should they have an outage that hits during a time that is not ideal.

  • 3.  RE: Frequency of SOC Reviews

    Posted 12-01-2023 02:38 PM

    Do you collect SOC 1 and 2 docs for all vendors regardless of risk?

  • 4.  RE: Frequency of SOC Reviews

    Posted 12-01-2023 02:41 PM

    We review SOC 1 reports for suppliers that process financial transactions or provide Tier 1 applications that impact our financial reporting. We review SOC 2 reports for suppliers that have access to our confidential information in their environment, as well as for suppliers that are classified as business critical.