Good Morning,
When reviewing your vendors' SOC reports, do you map CUECs to your internal controls? If so, what is your method? Do you prefer a description of the internal control or a reference to applicable formal P&P?
Where you obtain a SOC for a provider who supports your vendor (4th party), do you follow up with your vendor to see how they address the identified CUECs or any exceptions noted in their vendor's SOC report?
Appreciate any input on your processes around SOC reviews and mapping.
------------------------------
Rachel Kenyon
Division Third Party Risk Management Senior Analyst
CRVPM IV
------------------------------