VM-02 Third-Party / Vendor Management

SOC Report Review (SOC 1/2)

Controls operated by service providers are evidenced through their SOC reports, and any gaps are identified and managed.

Domain
Third-Party / Vendor Management
Control type
Detective
Automated / manual
Manual
Frequency
Annual
Framework reference
AICPA SOC; MAS Outsourcing

What good looks like

SOC 1/2 reports obtained and reviewed; complementary user entity controls (CUECs) identified and implemented; exceptions and qualified opinions assessed for impact.

Risk if it fails

Reliance on outsourced functions without independent assurance over the controls the provider operates.

How Tess tests it

4 tests — each concludes only on cited evidence.

SOC-review process defined

Design
Procedure
Inspect the documented SOC-review process.
Expected
A defined process covering report collection, CUEC mapping and exception assessment.
Sample
1 (design inspection)
Evidence
SOC 1/2 reports, CUEC analysis, exception assessment.

SOC reports obtained for material providers

Operating
Procedure
Inspect the SOC 1/2 reports on file for material providers.
Expected
A current report covering the review period is held for each material provider.
Sample
1
Evidence
SOC 1/2 reports, CUEC analysis, exception assessment.

CUECs identified & implemented

Operating
Procedure
Inspect the mapping of each CUEC in the report to an internal control.
Expected
Every CUEC is mapped to an internal control and evidenced as implemented.
Sample
1
Evidence
SOC 1/2 reports, CUEC analysis, exception assessment.

Exceptions/qualifications assessed

Operating
Procedure
Inspect the assessment of exceptions and qualified opinions.
Expected
Each exception or qualification is evaluated for impact on reliance, with a documented conclusion.
Sample
1
Evidence
SOC 1/2 reports, CUEC analysis, exception assessment.

Evidence Tess looks for

SOC 1/2 reports, CUEC analysis, exception assessment.
