Present Vendor Due Diligence to Your SOC 2 Auditor
CC9.2 is the control where most SOC 2 audits hit friction. Here is how to walk into fieldwork with your vendor management evidence already accepted.
What the auditor reviews during CC9.2 fieldwork
During CC9.2 fieldwork, the auditor asks for five things. First, your vendor risk management policy — a written document defining how you identify, assess, and monitor vendor risks. Second, your vendor inventory — a complete list of all vendors with data access levels, risk tiers, and assessment dates. Third, individual assessment files for a sample of vendors (usually 5-15, selected by the auditor). Fourth, evidence of periodic reassessment — proof that vendors are reassessed on schedule. Fifth, documentation of how you handle vendor risk findings — how findings are tracked, who reviews them, and what actions are taken.
The auditor is testing whether your vendor management process is designed effectively (Type I) or operating effectively over the examination period (Type II). Missing any of these five elements creates a finding.
The evidence package walkthrough
Here is what a complete CC9.2 evidence package looks like when built with ThirdProof.
Vendor inventory. A spreadsheet or GRC entry for each vendor showing: vendor name, data access level (sensitive, confidential, public), business criticality (critical, important, standard), risk tier from last assessment, last assessment date, and next reassessment date.
ThirdProof investigation report for each sampled vendor. A PDF report with SHA-256 hash for integrity verification. The report includes: risk tier with deterministic methodology, confidence score, individual findings with severity ratings and source attribution, sanctions screening results, compliance certification verification status, and recommended actions with timelines. For example, Stripe's report shows Tier 4 (Low Risk) at 98% confidence with four findings across 22 intelligence sources.
Review Certification for each report. The page that documents a human reviewed the assessment and recorded their decision: approve, approve with conditions, or reject. Includes reviewer name and date.
Risk register entries. For each assessed vendor, a row in your risk register showing: vendor name, risk tier, open findings, compensating controls (if applicable), and next reassessment date.
Reassessment schedule. A documented cadence showing planned re-investigation dates for all vendors, proportional to risk tier.
Common auditor objections and how to address them
"This is automated — where is the human judgment?" Point to the Review Certification page. ThirdProof produces the evidence and findings. A human reviews the findings, evaluates them in the context of your specific use case, and documents the risk acceptance decision. The automation handles evidence collection at scale; the human handles judgment. This separation is actually stronger than a single analyst doing both — it provides independent evidence that the reviewer cannot influence.
"How do I know the data sources are reliable?" Point to the Evidence Chain in the report. Every finding links to its source with a verification URL. The auditor can click through to the OFAC SDN list, the FedRAMP Marketplace, or the vendor's trust page to verify each finding independently. All 22 sources are publicly available, authoritative databases.
"The vendor didn't provide their SOC 2 report." This is the point. ThirdProof's independence declaration explicitly states that the investigation does not rely on vendor cooperation. The vendor's non-participation means the assessment is fully independent — which is actually a stronger compliance posture than relying on vendor-provided materials. ThirdProof flags "request SOC 2 Type II report" as a recommended action, giving you a documented follow-up item.
"What about ongoing monitoring?" Document the reassessment cadence in your vendor risk management policy. Critical vendors are reassessed annually, standard vendors every 18-24 months. ThirdProof investigations are point-in-time assessments that can be re-run on schedule. Note continuous monitoring with email alerts as a planned enhancement.
Preparing for the sampling request
The auditor will not review every vendor assessment — they will sample. Prepare by ensuring every vendor in your inventory has a current assessment file, not just the ones you expect to be sampled. Common auditor selections include: your cloud infrastructure provider (AWS), your identity provider (Okta), your payment processor (Stripe), your HRIS (BambooHR), and one or two vendors from your Tier 2 or Tier 3 list. Having all assessments complete before fieldwork begins — rather than scrambling to produce them when the sample is announced — demonstrates a mature, operating process.
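As an added illustration that is not ThirdProof's own code, the following pre-fieldwork check walks a constructed vendor inventory and reports, per vendor, the evidence gaps an auditor would flag during sampling: a missing report, a report whose SHA-256 no longer matches the hash recorded in the inventory, a missing Review Certification decision, or a reassessment that is overdue for the vendor's criticality. The cadence table, vendor rows, hashes and dates are all assumptions constructed for the example.

```python
"""Completeness check for a CC9.2 evidence package before auditor sampling.
Added example, not ThirdProof code: inventory rows, cadence and report
contents below are constructed for illustration."""
import hashlib
from datetime import date, timedelta

# Assumed reassessment cadence in days, following the policy described above:
# critical vendors annually, other tiers every 18-24 months.
CADENCE_DAYS = {"critical": 365, "important": 548, "standard": 730}
VALID_DECISIONS = {"approve", "approve with conditions", "reject"}
AS_OF = date(2025, 9, 1)  # constructed "today" for the check

# Constructed bytes standing in for the PDF investigation reports on file.
REPORTS = {
    "Stripe": b"Stripe investigation report: Tier 4 (Low Risk), 98% confidence",
    "Okta": b"Okta investigation report: Tier 3",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def check_vendor(row: dict, today: date) -> list:
    """Return the list of evidence gaps for one vendor inventory row."""
    gaps = []
    report = REPORTS.get(row["vendor"])
    if report is None:
        gaps.append("missing investigation report")
    elif sha256_hex(report) != row["report_sha256"]:
        gaps.append("report hash does not match inventory")
    if not row["reviewer"] or row["decision"] not in VALID_DECISIONS:
        gaps.append("missing review certification")
    due = row["last_assessed"] + timedelta(days=CADENCE_DAYS[row["criticality"]])
    if today > due:
        gaps.append("reassessment overdue since " + due.isoformat())
    return gaps

def check_inventory(rows: list, today: date) -> dict:
    return {r["vendor"]: check_vendor(r, today) for r in rows}

# Constructed inventory: one complete row, one stale row, one missing report.
INVENTORY = [
    {"vendor": "Stripe", "criticality": "critical", "last_assessed": date(2025, 3, 1),
     "report_sha256": sha256_hex(REPORTS["Stripe"]), "reviewer": "J. Doe", "decision": "approve"},
    {"vendor": "Okta", "criticality": "critical", "last_assessed": date(2024, 1, 15),
     "report_sha256": "0" * 64, "reviewer": "", "decision": ""},
    {"vendor": "BambooHR", "criticality": "standard", "last_assessed": date(2024, 6, 1),
     "report_sha256": "", "reviewer": "J. Doe", "decision": "approve with conditions"},
]

if __name__ == "__main__":
    for vendor, gaps in check_inventory(INVENTORY, AS_OF).items():
        print(vendor, "OK" if not gaps else "; ".join(gaps))
```

Run against the real inventory export and report files, the same loop gives a per-vendor list to clear before the auditor names the sample.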
ThirdProof reports are designed for this exact conversation. Get your first investigation free.
See this in action
ThirdProof automates vendor risk assessment across 21 intelligence sources. Investigate any vendor in under 2 minutes — no questionnaires, no vendor cooperation required.
Put this into practice
Investigate any vendor across 24 intelligence sources in under 2 minutes. Your first investigation is free.