SOC 2 CC9.2 Vendor Management: What Your Auditor Actually Needs to See
March 25, 2026
SOC 2 CC9.2 requires organizations to assess and manage risks associated with third-party service providers. But most compliance teams misunderstand what auditors actually check — it's not whether you have a vendor list, it's whether you can demonstrate a documented, repeatable process for evaluating vendor risk with independently gathered evidence. This guide breaks down exactly what CC9.2 requires, what gets flagged, and how to build a vendor evidence file that satisfies Big 4 and regional auditors.
What CC9.2 specifically requires
CC9.2 (Risk Assessment of Third Parties) states that the entity assesses the risks associated with vendors and business partners. The AICPA Trust Services Criteria further specify that this includes: identifying third parties with access to systems or data, assessing risks of third-party relationships, evaluating the design and operating effectiveness of third-party controls, and monitoring third-party risk over time. In practice, this means your auditor expects to see four things: a complete vendor inventory, a risk assessment for each vendor proportional to their access and criticality, evidence of due diligence with cited sources, and periodic reassessment documentation.
The three things auditors check
Inventory completeness. Your auditor will compare your vendor list against your accounts payable records, SSO integrations, and infrastructure configuration. Missing vendors are a finding. The inventory should include vendor name, service provided, data access level, risk tier, assessment date, and next review date.
Assessment quality. For each vendor, auditors look for documented findings from identified sources — not just a risk rating in a spreadsheet. They want to see what you checked (sanctions, certifications, cyber posture, adverse media), what you found, and how that informed your risk decision. Self-reported vendor questionnaires without independent verification are increasingly questioned.
Reassessment cadence. CC9.2 implies ongoing monitoring. Auditors check whether you reassess vendors periodically (typically annually for critical vendors) and whether you re-evaluate after material events like breaches, acquisitions, or regulatory actions. A vendor assessed in 2023 with no update in 2025 will be flagged.
Common CC9.2 failures
Incomplete vendor inventory. The most common finding — teams forget shadow IT, embedded SDKs, or vendors accessed through other vendors (fourth parties). Build your inventory from multiple sources: procurement records, SSO logs, browser extension audits, and cloud marketplace purchases.
Self-reported data without verification. A completed vendor questionnaire is evidence that you asked — not evidence that you verified. Auditors increasingly expect independent corroboration of vendor claims, especially for certifications and security controls.
No periodic reassessment. Initial assessments without updates suggest a check-the-box approach. Document reassessment dates and triggers (annual cycle, material events, contract renewals).
Missing risk tiering. Treating all vendors identically — or not documenting why vendors are in different tiers — suggests your program lacks risk-proportional rigor. Document your tiering criteria and apply them consistently.
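The inventory-completeness and reassessment-cadence checks described above (compare the vendor list against accounts payable, SSO and infrastructure sources; flag vendors whose last assessment is older than their tier allows or that have had a material event) are the kind of thing worth scripting rather than doing by hand in a spreadsheet. The following is an added example, not code from the original page or from ThirdProof. The tier cadences other than "annually for critical vendors" are assumed policy values, and all vendor names, dates and source lists are constructed sample data.

```python
"""Vendor inventory reconciliation and reassessment-cadence check.

Added example; not ThirdProof's code. All sample data below is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed reassessment cadence per risk tier, in days. Only the "annual for
# critical vendors" figure comes from the text; the others are placeholders.
REASSESSMENT_CADENCE_DAYS = {
    "critical": 365,
    "high": 365,
    "medium": 730,
    "low": 1095,
}


@dataclass(frozen=True)
class Vendor:
    name: str
    service: str
    data_access: str   # e.g. "customer PII", "employee PII", "none"
    tier: str          # a key of REASSESSMENT_CADENCE_DAYS
    assessed_on: date  # date of the last completed assessment
    next_review: date  # scheduled date of the next periodic review


def normalize(name: str) -> str:
    """Normalize a vendor name so 'Acme Cloud, Inc.' and 'acme cloud' reconcile."""
    stripped = name.lower()
    for suffix in (", inc.", " inc.", " inc", ", llc", " llc", " ltd", " corp."):
        if stripped.endswith(suffix):
            stripped = stripped[: -len(suffix)]
    return " ".join(stripped.split())


def find_inventory_gaps(inventory, *evidence_sources):
    """Return {normalized name: {source labels}} for vendors that appear in an
    evidence source (AP records, SSO apps, infra config) but not in the inventory."""
    known = {normalize(v.name) for v in inventory}
    gaps = {}
    for label, names in evidence_sources:
        for raw in names:
            key = normalize(raw)
            if key not in known:
                gaps.setdefault(key, set()).add(label)
    return gaps


def find_overdue(inventory, today, cadence=REASSESSMENT_CADENCE_DAYS, events=frozenset()):
    """Return names of vendors needing reassessment: last assessment older than
    the tier cadence, scheduled review date passed, or a material event
    (breach, acquisition, regulatory action) recorded against the vendor."""
    event_keys = {normalize(e) for e in events}
    overdue = []
    for v in inventory:
        too_old = today - v.assessed_on > timedelta(days=cadence[v.tier])
        review_passed = v.next_review < today
        had_event = normalize(v.name) in event_keys
        if too_old or review_passed or had_event:
            overdue.append(v.name)
    return overdue


# Constructed sample inventory and evidence sources.
INVENTORY = [
    Vendor("Acme Cloud, Inc.", "hosting", "customer PII", "critical", date(2025, 6, 1), date(2026, 6, 1)),
    Vendor("DataPipe LLC", "ETL pipeline", "customer PII", "high", date(2023, 11, 15), date(2024, 11, 15)),
    Vendor("Swag Supplies", "merchandise", "none", "low", date(2024, 1, 10), date(2027, 1, 10)),
    Vendor("Payroll Pro", "payroll", "employee PII", "high", date(2025, 2, 1), date(2026, 2, 1)),
]
AP_VENDORS = ["Acme Cloud Inc", "DataPipe LLC", "Swag Supplies", "Payroll Pro", "ChatHelper, Inc."]
SSO_APPS = ["acme cloud", "ChatHelper", "Metrics Dashboard"]
INFRA_PROVIDERS = ["Acme Cloud, Inc.", "Metrics Dashboard"]


def run_checks(today=date(2026, 3, 25), events=frozenset()):
    """Run both checks and return (inventory gaps, vendors needing reassessment)."""
    gaps = find_inventory_gaps(
        INVENTORY,
        ("accounts_payable", AP_VENDORS),
        ("sso", SSO_APPS),
        ("infra", INFRA_PROVIDERS),
    )
    return gaps, find_overdue(INVENTORY, today, events=events)


if __name__ == "__main__":
    gaps, overdue = run_checks()
    for name, sources in sorted(gaps.items()):
        print(f"MISSING FROM INVENTORY: {name} (seen in: {', '.join(sorted(sources))})")
    for name in overdue:
        print(f"REASSESSMENT DUE: {name}")
```

Each gap is reported with the sources that surfaced it, which is the evidence an auditor wants when asking why a vendor was added; each overdue vendor is the start of a reassessment record. Extend `events` from your incident or news-monitoring feed to capture the material-event trigger.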
What a compliant CC9.2 evidence file looks like
A defensible CC9.2 evidence file contains: (1) a vendor inventory with risk tiers and assessment dates, (2) an assessment methodology document describing your process, sources checked, and tiering criteria, (3) individual vendor risk reports with source-cited findings and risk scores, (4) reviewer sign-off documenting who reviewed each assessment and their decision (approve, conditional approve, reject), and (5) reassessment schedule with evidence of completed periodic reviews. Each vendor report should link findings to specific sources — not just state conclusions. When an auditor asks "how do you know this vendor is low risk?" your answer should be the report, not your memory.
How ThirdProof generates CC9.2-ready documentation
ThirdProof produces audit-ready vendor risk assessments designed for CC9.2 compliance. Each investigation queries 24 intelligence sources in parallel — sanctions databases, business registries, threat intelligence feeds, certification registries, SEC filings, and more — and produces a PDF report with source-cited findings, deterministic risk scoring, methodology disclosure, and SHA-256 integrity seals. The report is formatted in compliance language that auditors expect. Combined with ThirdProof's review certification workflow (reviewer name, date, decision), each investigation creates a complete CC9.2 evidence unit. Run investigations for your full vendor inventory and you have a documented, source-cited, methodology-consistent vendor risk program that satisfies CC9.2 requirements.
See this in action
ThirdProof automates vendor risk assessment across 24 intelligence sources. Investigate any vendor in under 2 minutes — no questionnaires, no vendor cooperation required.
Frequently asked questions
Does ThirdProof satisfy SOC 2 CC9.2?
What does CC9.2 require for vendor management?
How often should I reassess vendors for CC9.2?
Can I use vendor questionnaires for CC9.2 evidence?
What vendor documentation do SOC 2 auditors request?
How many vendors do I need to assess for CC9.2?
Put this into practice
Investigate any vendor across 24 intelligence sources in under 2 minutes. Your first 3 investigations are free.