FAQ: Are Third Party Vendor reviews required for SOC 1 and SOC 2?

FAQ: Are Third Party Vendor reviews required for SOC 1 and SOC 2?

As of the latest SSAE 18 and SOC 2 updates, vendor management and review of any relevant compliance / audit reports (SOC 1, SOC 2, HITRUST, ISO 27001/2, PCI, etc.) has become a key component of monitoring for potential security and compliance risks when outsourcing functions that use a third party’s data.

Additional FAQs

Are Third Party Vendor reviews required for SOC 1 and SOC 2?

As of the latest SSAE 18 and SOC 2 updates, vendor management and review of any relevant compliance / audit reports (SOC 1, SOC 2, HITRUST, ISO 27001/2, PCI, etc.)

Can I fail a SOC 2 audit?

Yes, failure to meet the relevant Trust Service Criteria may result in a failed SOC 2 audit, requiring remediation. This is known as a Qualified Opinion when this happens.

Are Representation Letters Required in SSAE 18?

Previously in SSAE-16 a Management Representation Letter was highly recommended and common practice, however, they were not explicitly required to be obtained except in certain existing subject matter sections. This

SOC 1 Report – Who needs it?

Organizations that handle financial transactions, especially those impacting external financial statements, are good examples of those who need SOC1 audits.

SOC 1 or HITRUST?

The SOC 1 has a completely different purpose than HITRUST. Typically a company would perform both if they are a TPA processing medical claims and other claims, where, there is

When is SSAE-18 Effective?

SSAE-18 is effective for all reports issued after May 1, 2017.

Get Our Emails

SOC Reporting Guide