Due Diligence and Ongoing Monitoring

Hi All!  I came across something new, and wanted to check in to see if others have run into this as well.  For a debt collections vendor we use for residential mortgages, the vendor participates in SOC 1 Type 2 reporting.  For 2022 they did not have a SOC review performed, and their compliance team said the reports could be done biannually.   

We do request/review other due diligence documentation, but don't typically request financials from this vendor.  My main questions are below:

1.  Do you recommend requesting something from the vendor (audited financials or balance sheet / profit & loss, etc.) to review, since no SOC 1 is available?  Would this raise a concern in your program?
2. Is it ok to only have that review performed biannually?  I checked SSAE and AICPA docs, and did not see anything specific referencing that detail, and I know it can be costly, so I'm guessing that could be a driver here.
3. Do you accept a bridge letter to span for an entire year if no SOC is being performed?

Any thoughts/suggestions on this?

Thank You in advance!!

Tracey L. Campbell

They should be able to provide you a Bridge letter to attest to the fact that there haven't been any material changes since the last audit period. 

1. Are you asking about financials because you think they might be having some financial troubles and that's why they do the audits biannually?  Unless there are other indicators of financial stress, I wouldn't look at this specifically as an indicator that they might be having trouble.  Some companies just choose not to do them annually.
2. SOCs aren't certifications like other audits (i.e. ISO, PCI, etc.).  There aren't requirements for them to be completed annually.  More and more, I think companies are starting to have them done annually, but many still choose to have them done every other year and use a bridge letter to fill in the gap in the off year.
3. As long as the bridge letter brings it into the current year, we generally accept them.  

Hope this helps, and remember, if you have any specific concerns, you can always key in on those and ask for additional supporting evidence.  I always look at penetration tests as a good example of updated info that I like to see.  If the last time these were looked at by an auditor was in 2021, then it might be worth seeing if you can get the executive summary of their latest test just to help ease any concerns.