Hi All! I came across something new, and wanted to check in to see if others have run into this as well. For a debt collections vendor we use for residential mortgages, the vendor participates in SOC 1 Type 2 reporting. For 2022 they did not have a SOC review performed, and their compliance team said the reports could be done biannually.
We do request/review other due diligence documentation, but don't typically request financials from this vendor. My main questions are below:
Any thoughts/suggestions on this?
Thank you in advance!!
Tracey L. Campbell
We work with a Bridge or Gap letter to satisfy the request.
ONE AMERICAN BANK
They should be able to provide you a Bridge letter to attest to the fact that there haven't been any material changes since the last audit period.
Hope this helps, and remember, if you have any specific concerns, you can always key in on those and ask for additional supporting evidence. I always look at penetration tests as a good example of updated info that I like to see. If the last time these were looked at by an auditor was in 2021, then it might be worth seeing if you can get the executive summary of their latest test just to help ease any concerns.
SOC reports should typically be performed annually. However, there is no regulatory requirement to set the length of the examination or the frequency.
These are termed based on your contractual requirements with the vendor.
Original Message:
Sent: 07-17-2023 11:37 AM
From: Tracey Campbell
Subject: Question about biannual SOC 1 Type 2 Report