Due Diligence and Ongoing Monitoring

 View Only
  • 1.  SOC Reports

    Posted 11-02-2022 02:03 PM
    Is it a common practice for SaaS companies to provide you with a SOC report from the host (AWS) versus a SOC on the application itself?  Assuming it isn't and they don't have a SOC for themselves, how would you go about closing the risk gap (questionnaires, meetings, etc) to meet standards of an audit?  Thanks.

  • 2.  RE: SOC Reports

    Posted 11-02-2022 02:21 PM
    On a recent Venminder webinar, I asked a similar question.  Here is Venminder's response - 

    Q: We have a couple of vendors that have SOC reports for their internal processes only - not the products and services we use.  Is there a substitute report?


    A: There is not a substitute specifically for the SOC report. You would want to evaluate what due diligence you need in its absence.  You will want to determine risk/criticality and then try and determine what areas are most important to you.  So if availability is important, then you should consider reviewing their business continuity documentation.  If data protections are your biggest concerns, then consider reviewing there cybersecurity documentation.  See if they have a standard due diligence package and start there. If you feel they should have a SOC, ask them why they don't.


  • 3.  RE: SOC Reports

    Posted 11-04-2022 03:06 PM
    I see the same from a number of SaaS providers. 
    So if they provide the SSAE18 SOC report from AWS; we still require the provider to complete our due diligence questionnaires. 
    I don't have a big reliance on SOC reports in our process.
    That said. The report will have User Considerations (or Entity Controls), What you should ask of the SaaS provider is for evidence that demonstrates how they meet those considerations. The SOC report is only good if the User Considerations are being met.

    Bradley Martin