Due Diligence and Ongoing Monitoring

 View Only
  • 1.  Question about biannual SOC 1 Type 2 Report

    Posted 07-17-2023 11:38 AM

    Hi All!  I came across something new, and wanted to check in to see if others have run into this as well.  For a debt collections vendor we use for residential mortgages, the vendor participates in SOC 1 Type 2 reporting.  For 2022 they did not have a SOC review performed, and their compliance team said the reports could be done biannually.   

    We do request/review other due diligence documentation, but don't typically request financials from this vendor.  My main questions are below:

    1.  Do you recommend requesting something from the vendor (audited financials or balance sheet / profit & loss, etc.) to review, since no SOC 1 is available?  Would this raise a concern in your program?
    2. Is it ok to only have that review performed biannually?  I checked SSAE and AICPA docs, and did not see anything specific referencing that detail, and I know it can be costly, so I'm guessing that could be a driver here.
    3. Do you accept a bridge letter to span for an entire year if no SOC is being performed?

    Any thoughts/suggestions on this?

    Thank You in advance!!

    Tracey L. Campbell

  • 2.  RE: Question about biannual SOC 1 Type 2 Report

    Posted 07-17-2023 11:49 AM

    We work with a Bridge or Gap letter to satisfy the request.


    Greg Schilder

    Vendor Manager


  • 3.  RE: Question about biannual SOC 1 Type 2 Report

    Posted 07-17-2023 12:11 PM

    They should be able to provide you a Bridge letter to attest to the fact that there haven't been any material changes since the last audit period. 

    1. Are you asking about financials because you think they might be having some financial troubles and that's why they do the audits biannually?  Unless there are other indicators of financial stress, I wouldn't look at this specifically as an indicator that they might be having trouble.  Some companies just choose not to do them annually.
    2. SOCs aren't certifications like other audits (i.e. ISO, PCI, etc.).  There aren't requirements for them to be completed annually.  More and more, I think companies are starting to have them done annually, but many still choose to have them done every other year and use a bridge letter to fill in the gap in the off year.
    3. As long as the bridge letter brings it into the current year, we generally accept them.  

    Hope this helps, and remember, if you have any specific concerns, you can always key in on those and ask for additional supporting evidence.  I always look at penetration tests as a good example of updated info that I like to see.  If the last time these were looked at by an auditor was in 2021, then it might be worth seeing if you can get the executive summary of their latest test just to help ease any concerns.

  • 4.  RE: Question about biannual SOC 1 Type 2 Report

    Posted 07-17-2023 01:37 PM

    Hi Tracy,


    SOC reports should typically be performed annually.  However, there is no regulatory requirement to set the length of the examination or the frequency.


    These are termed based on your contractual requirements with the vendor.







    Al Tanju
    Director of Cybersecurity