Why Vendor Risk Management Fails: The Gap Between Collecting SOC Reports and Reviewing Them

Many organizations believe they have a vendor risk management process because they collect SOC reports, insurance certificates, security questionnaires, or compliance documents from their vendors. But collecting documents is not the same as reviewing risk.

A SOC report sitting in a folder does not reduce risk by itself. A vendor questionnaire that no one evaluates does not prove the vendor is secure. A contract with security language does not mean controls are operating effectively.

Vendor risk management fails when the process becomes a documentation exercise instead of a risk review.

Vendor Risk Is Business Risk

Most organizations rely on third-party vendors for critical business functions. Vendors may process customer data, host financial systems, support payroll, manage cloud infrastructure, provide software, store sensitive information, or perform outsourced services.

That means vendor risk can quickly become operational risk, financial risk, compliance risk, cybersecurity risk, reputational risk, or reporting risk.

If a key vendor experiences a breach, outage, control failure, or compliance issue, your organization may still be responsible for understanding the impact.

This is why vendor risk management should not be treated as a one-time checklist. It should be part of the organization’s broader governance, risk, and compliance process.

The Common Mistake: “We Have the SOC Report”

One of the most common vendor risk mistakes is assuming that receiving a SOC report means the vendor has been reviewed.

A SOC report can be valuable, but only if someone actually reads it, understands it, and evaluates whether it addresses the risks relevant to your organization.

A meaningful SOC report review should consider questions such as:

• What services are covered by the report?

• What period does the report cover?

• Is it a SOC 1 or SOC 2 report?

• Which trust services criteria are included, if applicable?

• Are any key systems, locations, or services excluded?

• Did the auditor identify control exceptions?

• Are there complementary user entity controls that our organization is responsible for?

• Are subservice organizations included or carved out?

• Does the report period align with our reliance period?

• Do the vendor’s controls address the risks we care about?

Without this review, the organization may have documentation but not assurance.

SOC 1 vs. SOC 2: The Difference Matters

Not all SOC reports answer the same question.

A SOC 1 report focuses on controls at a service organization that may be relevant to a user entity’s internal control over financial reporting. This type of report is often important when a vendor affects financial transactions, payroll, claims processing, revenue, billing, or other financial reporting processes.

A SOC 2 report focuses on controls related to trust services criteria such as security, availability, processing integrity, confidentiality, and privacy. This type of report is often relevant for technology, cloud, SaaS, data hosting, and service providers that handle sensitive information or critical systems.

If an organization requests the wrong type of report, it may not get the assurance it actually needs.

For example, a SOC 2 report may provide useful information about security controls, but it may not address financial reporting risks. A SOC 1 report may address transaction processing controls, but it may not provide the cybersecurity coverage a customer is expecting.

The review should start with the risk, not the acronym.

Control Exceptions Should Not Be Ignored

Many vendor reviews stop once the report is received and filed. But the most important information may be in the details.

If the SOC report includes control exceptions, management should evaluate whether those exceptions matter to the organization’s use of the vendor.

A control exception does not automatically mean the vendor is unacceptable. The issue may be limited, remediated, or unrelated to the services your organization uses. But it should be reviewed and documented.

Questions to ask include:

• What control failed?

• Was the exception isolated or systemic?

• Did it affect the services we use?

• Was customer data, system availability, processing accuracy, or financial reporting impacted?

• Did the vendor provide a remediation plan?

• Was the issue repeated from a prior report?

• Do we need a compensating control on our side?

Ignoring exceptions can create a false sense of security.

Complementary User Entity Controls Are Often Overlooked

One of the most overlooked sections of a SOC report is the complementary user entity controls section.

These are controls the vendor assumes the customer has in place for the vendor’s control environment to be effective.

For example, the vendor may assume that your organization:

• Reviews user access regularly

• Removes terminated users promptly

• Configures system settings appropriately

• Restricts administrator access

• Reviews transaction reports

• Reconciles output from the vendor system

• Communicates changes or issues timely

• Maintains appropriate backup or continuity procedures

If your organization does not perform these responsibilities, the vendor’s controls may not fully protect you.

This is a major reason vendor risk management cannot stop at collecting SOC reports. The organization must understand what responsibilities remain on its side.

Subservice Organizations Can Create Hidden Risk

Vendors often rely on other vendors. These are known as subservice organizations.

A cloud software provider may rely on a hosting provider, payment processor, data center, support platform, or identity management tool. Those subservice organizations may affect security, availability, confidentiality, privacy, or processing integrity.

When reviewing a SOC report, it is important to understand whether subservice organizations are included in the scope of the report or carved out.

If they are carved out, the report may not provide assurance over those subservice providers’ controls. That does not automatically mean the vendor is high risk, but it does mean the organization should understand what is excluded and whether additional review is needed.

Vendor risk rarely stops with the direct vendor.

Report Timing Matters

A SOC report covers a specific period of time. If the report period ended months ago, the organization may need a bridge letter or other update from the vendor to understand whether material changes occurred after the report period.

For example, if a SOC 2 Type 2 report covers January through December of the prior year, but your organization is relying on that vendor for the current year, you may need to consider the gap period.

Questions to ask include:

• Is the report current enough for our review?

• Does the period cover the time we relied on the vendor?

• Has the vendor provided a bridge letter?

• Were there major system, control, ownership, or security changes after the report period?

• Have any incidents occurred since the report was issued?

A report that is outdated or misaligned with your reliance period may provide less comfort than expected.

Vendor Criticality Should Drive the Level of Review

Not every vendor requires the same level of review.

A low-risk office supply vendor should not receive the same level of scrutiny as a payroll provider, cloud hosting provider, payment processor, or software platform that stores sensitive customer data.

A strong vendor risk process usually starts by categorizing vendors based on risk and criticality.

Factors may include:

• Type of data accessed or stored

• Impact on financial reporting

• Impact on operations

• Access to systems or networks

• Regulatory or contractual requirements

• Volume of transactions processed

• Availability or business continuity impact

• Customer-facing impact

• Subcontractor or subservice reliance

• Difficulty of replacing the vendor

The higher the risk, the deeper the review should be.

A Strong Vendor Review Should Be Documented

A vendor risk review should leave behind evidence of the review performed, not just evidence that a document was received.

That documentation may include:

• Vendor risk rating

• SOC report review notes

• Exceptions identified

• Management’s assessment of exceptions

• Complementary user entity controls assigned internally

• Follow-up questions sent to the vendor

• Evidence of vendor responses

• Approval or acceptance of residual risk

• Renewal or reassessment date

• Assigned owner for ongoing monitoring

This documentation matters for audits, compliance, customer due diligence, cyber insurance, board reporting, and internal accountability.

Signs Your Vendor Risk Process May Need Improvement

Your vendor risk management process may need attention if:

• SOC reports are collected but not reviewed.

• Vendor reviews are performed only when a customer or auditor asks.

• There is no vendor risk rating or criticality ranking.

• Complementary user entity controls are not assigned or tracked.

• Control exceptions are not evaluated.

• Subservice organizations are not reviewed.

• Reviews are not updated annually.

• Vendor access is not reviewed after contract changes or employee turnover.

• No one owns vendor risk after onboarding.

• Vendor documentation is stored in multiple locations with no clear process.

These issues are common, especially in growing organizations. The risk is not that the company has vendors. The risk is that no one has a clear view of which vendors matter most and what controls are needed to manage them.

Vendor Risk Management Should Be Ongoing

Vendor risk does not end after onboarding.

A vendor may change systems, add subservice providers, experience a security incident, receive a qualified report, change ownership, expand services, or become more critical to your operations over time.

That is why vendor risk management should include ongoing monitoring.

At a minimum, organizations should consider periodic reviews of critical vendors, updated SOC reports, contract renewals, insurance coverage, access rights, incident history, and performance concerns.

The goal is not to create unnecessary paperwork. The goal is to understand whether the vendor still meets the organization’s risk, compliance, security, and operational needs.

Helpful Vendor Risk Management Resources

Vendor risk management does not have to be complicated, but it should be intentional. If your business works with vendors who access financial data, customer information, payroll records, cloud systems, or other sensitive information, these resources may be helpful:

• CISA Vendor Supply Chain Risk Management Template — A practical template with questions businesses can use when reviewing technology vendors and service providers.

• CISA Small and Medium-Sized Business Vendor/Supplier Assessment Fact Sheet — A small-business-focused resource for assessing vendor and supplier security.

• FTC Cybersecurity for Small Business: Vendor Security — A client-friendly guide explaining why vendor security should be addressed in writing and included in vendor contracts.

• NIST Cybersecurity Supply Chain Risk Management — A more detailed government resource on identifying, assessing, and reducing cybersecurity risks across vendors, technology providers, and supply chains.

• NIST SP 800-161 Rev. 1: Cybersecurity Supply Chain Risk Management Practices — A more advanced resource for businesses that want a deeper framework for vendor and supply chain risk management.

These resources can help you understand what questions to ask, what documentation to request, and how to create a more consistent vendor review process.

If you are not sure which vendors create the most risk for your business, start by asking this

question:

“Which vendors have access to our money, systems, client data, employee data, or confidential information?”

Those vendors should usually receive the closest review.

Final Thoughts

Vendor risk management is more than collecting SOC reports and checking a box.

A strong process evaluates whether the vendor’s controls address the risks that matter to your organization. It considers report scope, exceptions, complementary user entity controls, subservice organizations, timing, criticality, and ongoing monitoring.

For many organizations, the biggest gap is not the absence of vendor documentation. It is the absence of documented review and follow-up.

If your organization collects vendor SOC reports but is not sure whether they are being reviewed effectively, our team can help assess your vendor risk management process, identify gaps, and strengthen your IT GRC controls.

Contact us to discuss a vendor risk management or IT GRC review.