It is to the vendor's advantage to share the SOC 2 reports, as those provide you the ability to review security posture without having to conduct all that audit work yourself. If they don't provide the SOC 2, then your contractual audit rights are more applicable and the questions get more lengthy and time consuming. Financial data for private companies, on the other hand, is another story.
Frank M. Delker, CPA, CISA, CIPM
Sr. Director of Compliance
Original Message:
Sent: 3/8/2024 5:45:00 PM
From: Kelli Shoup
Subject: RE: SOC Report
Hello
I have been told that private companies are not required to share their financial statements. That does not stop me from asking for them though. Most of the time they will share with a signed NDA.
I ask for the same documents from all my vendors to allow them to tell me what they don't have or refuse to provide. That was a tip from the FDIC. Now, as for SOC reports, I have never heard of private companies not needing to share those.
From my understanding, with 17 years of experience, being private only applies to financials. Like I mentioned above, though, it doesn't stop me from asking for them. It is just a question of how hard I can push back if they say no.
Thanks
Original Message:
Sent: 3/8/2024 5:22:00 PM
From: Wendi Inglis
Subject: RE: SOC Report
This question/comment is piggybacking on your conversation...
I'm in the middle of our third-party CPA/internal audit on Vendor Management.
The auditor is telling me that Privately Owned companies (vs Publicly Owned) are not required to provide us with SOC (SSAE 16/18) reports, or with Financial Statements. In my 15 years of handling vendor due diligence and contracts, I don't believe I've ever segregated vendors, and my expectations of them, in this way.
Does anyone know if this is a hard truth or some kind of confusion about what small or less risky companies may have (as opposed to SOCs) and their willingness to provide their non-public financial information?
------------------------------
Wendi M Inglis
Compliance Officer
TRU·FI CU
------------------------------
Original Message:
Sent: 03-07-2024 11:38 AM
From: Tara Murray
Subject: SOC Report
Our tiers have specific Due Diligence questions that are sent to the vendor. For top-tier vendors, we request SOC reports in the questionnaire. We also use Nvendor to monitor our tiers 1-3 so after the initial gathering they take care of gathering the yearly reports for us.
Original Message:
Sent: 03-07-2024 10:09 AM
From: L Beachy
Subject: SOC Report
Our (contractual) language is: 'Service Provider shall at least annually engage a qualified, independent external auditor to conduct periodic reviews of the Service Provider's organizational security practices and the effectiveness of designed controls against recognized audit standards...' Since we are a global organization and engage global vendors, we do not restrict the audit to AICPA (SSAE or SOC) but also accept international and localized audit frameworks such as ISO, ISAE, and others.
------------------------------
L. Beachy
Original Message:
Sent: 03-07-2024 09:54 AM
From: Anonymous Member
Subject: SOC Report
This message was posted by a user wishing to remain anonymous
How do you properly explain to a client/vendor or an upcoming organization why they need to have a SOC report?