Q: We have a couple of vendors that have SOC reports for their internal processes only - not the products and services we use. Is there a substitute report?
A: There is not a substitute specifically for the SOC report. You would want to evaluate what due diligence you need in its absence. You will want to determine risk/criticality and then try to determine what areas are most important to you. So if availability is important, then you should consider reviewing their business continuity documentation. If data protections are your biggest concerns, then consider reviewing their cybersecurity documentation. See if they have a standard due diligence package and start there. If you feel they should have a SOC, ask them why they don't.