Hello Everyone,
I'm the Contract Administrator for a technology company that specializes in human capital management. This is my first post although I actively read your posts, which are incredibly valuable in so many ways, which is why I'm coming here today on a topic I do not recall being discussed. If it has, please let me know where I can find the conversation.
The conundrum: We've encountered a precedent this week. A new vendor for tax notice management is a fairly new company (less than one-year-old) and, among other things, does not have a completed SOC I report. The due diligence they already provided to us is predominately their internally composed documents (BCP, etc), which is a red flag in and of itself. Insurance is ok although I'd like higher limits given the subject matter. Couple that info with no SOC I, and I'm preparing to recommend the requesting department look for another vendor (think lead balloon).
In the interim, I am interested to know how any of you have handled similar encounters. Is there something the vendor can provide to us other than an engagement letter from the SOC auditor? Is there such a thing as a preliminary SOC I report?
Your feedback is greatly appreciated.
Kindest regards,
Lynn