What Compliance Teams Expect in Vendor Risk Reports
Your auditor just asked for your CC9.2 vendor management evidence. What exactly do they want to see? After reviewing hundreds of vendor risk assessments across SOC 2, HIPAA, and PCI-DSS audits, compliance teams consistently expect eight specific elements in every vendor risk report. Missing any one of them creates follow-up questions during fieldwork.
1. Clear risk tier with documented methodology
Every report needs a definitive risk classification — not a vague "medium risk" label, but a tier assignment backed by a documented methodology. Your auditor wants to know the rules: what makes a vendor Tier 1 vs. Tier 3? Are the rules deterministic (same evidence = same tier) or subjective? ThirdProof uses a rule-based engine with specific escalation criteria — an active sanctions match escalates to Tier 1 regardless of other scores, while strong certifications with clean screening support a Tier 4 or Tier 5 rating. Stripe received Tier 4 — Low Risk because it passed all escalation checks and demonstrated strong controls across every category.
2. Confidence score showing evidence coverage
A risk tier without a confidence score is incomplete. Confidence reflects how much evidence was available to support the assessment; it measures evidence coverage, not risk. A Tier 4 (Low Risk) rating at 98% confidence (like Stripe's) means nearly all intelligence sources returned data — the assessment is well-supported. A Tier 4 at 60% confidence means several sources were unavailable: the vendor is not necessarily riskier, but the rating is under-evidenced and should be treated with caution. ThirdProof calculates confidence based on which of the 22 intelligence sources returned usable data, with deductions for each source that was unavailable or returned errors.
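To make the two properties above concrete (escalation rules override the weighted score, and the same evidence always produces the same tier), here is an added illustration of a deterministic tiering engine with an evidence-coverage confidence score. It is example code written for this page, not ThirdProof's engine: the source catalogue, the weights, the thresholds, the escalation rules and the fictional vendor evidence are all assumptions.

```python
"""Deterministic risk tiering plus an evidence-coverage confidence score.

Added illustration, not ThirdProof's engine: the source catalogue, weights,
thresholds, escalation rules and vendor evidence below are assumptions.
"""
from dataclasses import dataclass, field
from typing import Any

# Constructed source catalogue: name -> confidence deduction when that source
# is unavailable or returns an error (assumed weights, sum to 100).
SOURCE_WEIGHTS = {
    "sanctions_screen": 30, "cert_registry": 20, "http_security_scan": 15,
    "domain_reputation": 15, "breach_db": 10, "subprocessor_discovery": 10,
}


@dataclass(frozen=True)
class SourceResult:
    source: str
    ok: bool                                   # usable data returned?
    data: dict[str, Any] = field(default_factory=dict)


@dataclass(frozen=True)
class Assessment:
    tier: int                 # 1 = highest risk ... 5 = lowest risk
    confidence: int           # 0-100: share of evidence weight that was available
    rationale: tuple[str, ...]


def confidence_score(results: list[SourceResult]) -> int:
    """100 minus the weight of every catalogued source with no usable data."""
    got = {r.source for r in results if r.ok}
    missing = sum(w for s, w in SOURCE_WEIGHTS.items() if s not in got)
    return max(0, 100 - missing)


def control_score(data: dict[str, Any]) -> int:
    """Weighted 0-100 control score from merged source data (assumed weights)."""
    score = 40 if data.get("verified_certs") else 20 if data.get("attested_certs") else 0
    score += (data.get("header_score", 0) * 25) // 100   # HTTP header scan, scaled
    score += 20 if data.get("domain_clean") else 0
    score += 15 if data.get("subprocessor_list") else 0
    return score


def assign_tier(results: list[SourceResult]) -> Assessment:
    """Hard escalations first (they override the score), then score thresholds.
    Sources are merged in a fixed order so input ordering cannot change the tier."""
    merged: dict[str, Any] = {}
    for r in sorted(results, key=lambda r: r.source):
        if r.ok:
            merged.update(r.data)
    available = {r.source for r in results if r.ok}
    why: list[str] = []

    # Escalation 1: an active sanctions match is Tier 1 regardless of any score.
    if merged.get("sanctions_match"):
        why.append("active sanctions match -> Tier 1 (overrides all scores)")
        return Assessment(1, confidence_score(results), tuple(why))

    score = control_score(merged)
    why.append(f"control score {score}/100")
    tier = 5 if score >= 85 else 4 if score >= 70 else 3 if score >= 50 else 2 if score >= 30 else 1

    # Escalation 2: recent breach with no verified certification caps at Tier 2.
    if merged.get("breach_in_last_12m") and not merged.get("verified_certs"):
        tier = min(tier, 2)
        why.append("breach in last 12 months without verified certs -> cap at Tier 2")
    # Missing critical evidence (assumption): "not screened" is not "clear", so a
    # vendor whose sanctions screen did not run cannot be rated better than Tier 3.
    if "sanctions_screen" not in available:
        tier = min(tier, 3)
        why.append("sanctions screen unavailable -> cap at Tier 3")
    return Assessment(tier, confidence_score(results), tuple(why))


# Constructed evidence for a fictional vendor (not a real assessment).
CLEAN_VENDOR = [
    SourceResult("sanctions_screen", True, {"sanctions_match": False}),
    SourceResult("cert_registry", True, {"verified_certs": ("SOC 2 Type II",)}),
    SourceResult("http_security_scan", True, {"header_score": 80}),
    SourceResult("domain_reputation", True, {"domain_clean": True}),
    SourceResult("breach_db", False),                        # source timed out
    SourceResult("subprocessor_discovery", True, {"subprocessor_list": False}),
]
# Same evidence, but the sanctions screen returned a confirmed match.
SANCTIONED_VENDOR = [SourceResult("sanctions_screen", True, {"sanctions_match": True})] + CLEAN_VENDOR[1:]
# Same evidence, but the sanctions screen itself never returned data.
UNSCREENED_VENDOR = [SourceResult("sanctions_screen", False)] + CLEAN_VENDOR[1:]

if __name__ == "__main__":
    for name, ev in [("clean", CLEAN_VENDOR), ("sanctioned", SANCTIONED_VENDOR),
                     ("unscreened", UNSCREENED_VENDOR)]:
        print(name, assign_tier(ev))
```

The clean vendor scores 80 and lands in Tier 4 at 90% confidence (one source missing); the identical evidence with a confirmed sanctions match drops to Tier 1 without the score being consulted; and the unscreened vendor keeps its score of 80 but is capped at Tier 3 with confidence 60, which is the distinction the text draws between a well-supported and an under-evidenced rating.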
3. Individual findings with severity and source attribution
Generic statements like "vendor has adequate security" are useless in an audit. Compliance teams need specific findings: what was found, how severe it is, and where the evidence came from. ThirdProof's investigation of QuickBooks produced three specific findings: clean domain reputation across 94 security engines (Info), no subprocessor page found (Low), and security header deficiencies scoring F at 0/100 (Medium). Each finding cites its source — "HTTP Security Scan" or "Supply Chain & Subprocessor Discovery" — so the auditor can verify the evidence chain.
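The "security header deficiencies scoring F at 0/100 (Medium)" finding above is the kind of output a scanner produces when every finding carries a severity, a named source and the concrete evidence behind it. The following is an added example of such a scan that runs offline over constructed response headers; it is not ThirdProof's scanner, and the checks, weights, grade bands and severity mapping are assumptions chosen for illustration.

```python
"""Findings with severity and source attribution from an HTTP security header scan.

Added illustration, not ThirdProof's scanner: the checks, weights, grade bands,
severity mapping and sample responses are assumptions constructed for the example.
"""
from dataclasses import dataclass
import re

SOURCE = "HTTP Security Scan"          # every finding names the source that produced it


@dataclass(frozen=True)
class Finding:
    title: str
    severity: str        # Info | Low | Medium
    source: str
    evidence: str        # the concrete observation an auditor can re-check


def parse_headers(raw: str) -> dict[str, str]:
    """Parse a raw HTTP/1.x response head into a lowercase-keyed header map.
    Repeated headers are joined with ', ' as RFC 9110 permits."""
    headers: dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:            # skip the status line
        name, _, value = line.partition(":")
        key, value = name.strip().lower(), value.strip()
        if key:
            headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def _hsts_ok(h: dict[str, str]) -> bool:
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    return bool(m) and int(m.group(1)) >= 15552000     # assumed floor: 180 days


def _frame_ok(h: dict[str, str]) -> bool:
    return "x-frame-options" in h or "frame-ancestors" in h.get("content-security-policy", "")


# (check name, header inspected for evidence, weight, predicate, severity when failed)
CHECKS = [
    ("Strict-Transport-Security with max-age >= 180 days", "strict-transport-security", 25, _hsts_ok, "Medium"),
    ("Content-Security-Policy", "content-security-policy", 25,
     lambda h: "content-security-policy" in h, "Medium"),
    ("X-Content-Type-Options: nosniff", "x-content-type-options", 15,
     lambda h: h.get("x-content-type-options", "").lower() == "nosniff", "Low"),
    ("Clickjacking protection (X-Frame-Options or CSP frame-ancestors)", "x-frame-options", 15,
     _frame_ok, "Low"),
    ("Referrer-Policy", "referrer-policy", 10, lambda h: "referrer-policy" in h, "Low"),
    ("Permissions-Policy", "permissions-policy", 10, lambda h: "permissions-policy" in h, "Info"),
]


def grade(score: int) -> str:
    return "A" if score >= 90 else "B" if score >= 75 else "C" if score >= 60 else "D" if score >= 30 else "F"


def scan(raw: str) -> tuple[int, str, list[Finding]]:
    """Return (score, grade, findings). findings[0] is the summary finding."""
    h = parse_headers(raw)
    score, findings = 0, []
    for name, header, weight, passes, sev in CHECKS:
        if passes(h):
            score += weight
        else:
            findings.append(Finding(f"Missing or weak {name}", sev, SOURCE,
                                    f"{header}: {h.get(header, '<absent>')}"))
    passed = len(CHECKS) - len(findings)
    overall = "Info" if score >= 80 else "Low" if score >= 50 else "Medium"
    findings.insert(0, Finding(f"Security headers graded {grade(score)} at {score}/100",
                               overall, SOURCE, f"{passed}/{len(CHECKS)} checks passed"))
    return score, grade(score), findings


# Constructed response heads (not captured from any real vendor).
BARE = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
"""
PARTIAL = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=3600
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: text/html
"""
HARDENED = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
Content-Type: text/html
"""

if __name__ == "__main__":
    for label, raw in [("bare", BARE), ("partial", PARTIAL), ("hardened", HARDENED)]:
        score, g, findings = scan(raw)
        print(f"{label}: {g} {score}/100")
        for f in findings:
            print(f"  [{f.severity}] {f.title} | {f.source} | {f.evidence}")
```

The bare response fails every check and yields the F at 0/100 with a Medium summary finding; the partial one shows why evidence matters (its HSTS header exists but the one-hour max-age fails the check, and the finding records the observed value rather than just "missing"); the hardened one passes all six, including clickjacking protection via CSP frame-ancestors rather than X-Frame-Options.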
4. Sanctions screening results
Sanctions screening is non-negotiable. The report must document that the vendor was screened against OFAC SDN, EU, and UN sanctions lists, and state the result explicitly — either clear or flagged with disambiguation details. ThirdProof's investigation of Stripe documented: "Clear — 5 matches checked, none confirmed." That phrasing tells the auditor that fuzzy matches were found, investigated, and resolved. See our sanctions screening guide for the full methodology.
5. Compliance certification verification
Your auditor will ask: does the vendor have SOC 2? ISO 27001? HITRUST? FedRAMP? The report should not just state the vendor's claim — it should classify the evidence behind it. ThirdProof uses three levels: Independently Verified (confirmed in a public registry like the FedRAMP Marketplace), Vendor Attested (claimed on the vendor's trust page but not independently verifiable), and Not Found in Evidence. BambooHR claims SOC 2, SOC 1, and PCI DSS — all classified as vendor-attested, prompting a recommended action to request the actual reports.
6. Supply chain and subprocessor discovery
Your vendor's vendors are your fourth parties. The report should document whether the vendor publishes a subprocessor list, who those subprocessors are, and whether downstream risk has been assessed. Dropbox publishes a subprocessor list at trust.dropbox.com/subprocessors — ThirdProof flags this for manual review and incorporation into your fourth-party risk register. Vendors without published subprocessor lists (like Wise) receive a finding that prompts a direct request to the vendor.
7. Recommended actions with timelines
Findings without actions are observations, not risk management. Each finding should map to a specific recommended action with a compliance citation and a timeline. ThirdProof's investigation of QuickBooks produced three recommended actions: request Intuit's DPA and subprocessor list within 60 days (citing GDPR Article 28 and PCI-DSS 12.8.5), obtain the PCI-DSS Attestation of Compliance (AoC) from Intuit's compliance team, and request the SOC 2 Type II report to verify the vendor-attested claim. These actions tell your team exactly what to do next.
8. Reviewer sign-off section
The report must include evidence that a human reviewed the assessment and made a risk acceptance decision. This is the element that separates automated output from an auditable vendor management process. ThirdProof's Review Certification page captures the reviewer's name, decision (approve, approve with conditions, reject), and date — creating the documented sign-off that CC9.2 fieldwork requires.