Risk Assessments

  • 1.  SOC CUEC Mapping

    Posted 03-17-2021 12:02 PM
    Good Morning,

    When reviewing your vendors' SOC reports, do you map CUECs to your internal controls? If so, what is your method? Do you prefer a description of the internal control or a reference to applicable formal P&P?

    Where you obtain a SOC for a provider who supports your vendor (4th party), do you follow up with your vendor to see how they address the identified CUECs or any exceptions noted in their vendor's SOC report?

    Appreciate any input on your processes around SOC reviews and mapping.

    ------------------------------
    Rachel Kenyon
    Division Third Party Risk Management Senior Analyst
    CRVPM IV
    ------------------------------


  • 2.  RE: SOC CUEC Mapping

    This message was posted by a user wishing to remain anonymous
    Posted 03-17-2021 01:17 PM

    We address the CUECs by having the Line of Business/SME address each one. They provide a description of the control; however, we are slowly making it a more formal "mapping" process.

    If we need the SOC for the 4th party, our review process is to ask our 3rd party how they address the CUECs.

    Interested in what others do as well.


  • 3.  RE: SOC CUEC Mapping

    Posted 03-18-2021 11:58 AM
    Thank you,

    How responsive is your 3rd party to the inquiry regarding their vendors' CUECs? One of my larger providers is vague when addressing the concerns.

    ------------------------------
    Rachel Kenyon
    Division Third Party Risk Management Senior Analyst
    CRVPM IV
    ------------------------------