Pro audit program · v1.0

SOC 2 Vendor Evidence Check

Quick check on whether you are reviewing vendor SOC 2 reports properly — not just collecting them.

  • General target area
  • SOC 2 / ISAE 3402 framework
  • 6 controls in this program
  • Author: Cyentrix (Trusted Author)


Risks addressed

  • High SOC 2 collected but never read; qualifications missed
  • High Carve-out / sub-service organisations not chased down
  • High Complementary user-entity controls (CUECs) ignored

Controls (6)

  1. SOC 2 / ISAE 3402 collected for Tier-1 vendors

    High

    How to test + evidence

    Testing procedure: Vendor register flags Tier-1; reports on file dated within 12 months.

    Evidence to collect: Vendor register + report files.

  2. Reports actually reviewed by SecOps

    High

    How to test + evidence

    Testing procedure: Documented review with date + reviewer + findings.

    Evidence to collect: Review log.

  3. CUECs mapped to your own controls

    High

    How to test + evidence

    Testing procedure: Complementary user-entity controls captured in your control library.

    Evidence to collect: CUEC mapping.

  4. Qualifications / exceptions tracked

    High

    How to test + evidence

    Testing procedure: Each qualification raised as a risk + mitigated or accepted.

    Evidence to collect: Risk register entries.

  5. Sub-service organisations evidenced

    Medium

    How to test + evidence

    Testing procedure: If the report uses the carve-out method, obtain the sub-service organisation's own report.

    Evidence to collect: Sub-service inventory.

  6. Annual recheck workflow

    Medium

    How to test + evidence

    Testing procedure: Reports expire; the workflow raises a renewal request within 60 days of expiry.

    Evidence to collect: Renewal calendar.
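One way to run these six tests continuously over a vendor register, as an added example that is not part of the Cyentrix program: the `Vendor` and `Review` fields, the control ids C1 to C6, and every register row below are constructed assumptions, and the 12-month validity and 60-day renewal window are the values stated in controls 1 and 6.

```python
"""Evaluate a vendor register against the six SOC 2 vendor-evidence controls.

Constructed example: field names, control ids and register rows are assumptions,
not part of the original audit program.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

REPORT_VALIDITY = timedelta(days=365)   # control 1: report dated within 12 months
RENEWAL_WINDOW = timedelta(days=60)     # control 6: chase renewal within 60 days of expiry


@dataclass
class Review:
    """Control 2 evidence: a review-log entry needs a date, a reviewer and findings."""
    reviewed_on: date
    reviewer: str
    findings: str


@dataclass
class Vendor:
    name: str
    tier: int
    report_date: Optional[date] = None                  # issue date of the SOC 2 / ISAE 3402 report
    review: Optional[Review] = None                     # control 2: documented review
    cuecs: List[str] = field(default_factory=list)      # CUECs listed in the report
    cuec_mapping: Dict[str, str] = field(default_factory=dict)   # CUEC -> own control id (control 3)
    qualifications: List[str] = field(default_factory=list)
    risk_entries: Dict[str, str] = field(default_factory=dict)   # qualification -> risk id (control 4)
    carve_outs: List[str] = field(default_factory=list)          # carved-out sub-service orgs (control 5)
    subservice_reports: Dict[str, date] = field(default_factory=dict)
    renewal_requested: bool = False                     # control 6: renewal already chased


def evaluate(vendor: Vendor, today: date) -> List[Tuple[str, str]]:
    """Return (control_id, message) findings for one vendor; only Tier-1 vendors are in scope."""
    if vendor.tier != 1:
        return []
    out: List[Tuple[str, str]] = []
    # C1: a current report must be on file; without one the remaining tests are moot.
    if vendor.report_date is None or today - vendor.report_date > REPORT_VALIDITY:
        out.append(("C1", "no SOC 2 / ISAE 3402 report dated within 12 months"))
        return out
    # C2: the review log entry must carry date, reviewer and findings.
    if vendor.review is None or not vendor.review.reviewer or not vendor.review.findings:
        out.append(("C2", "report on file but no documented review (date + reviewer + findings)"))
    # C3: every CUEC in the report must map to a control in our own library.
    for cuec in vendor.cuecs:
        if cuec not in vendor.cuec_mapping:
            out.append(("C3", f"CUEC not mapped to an internal control: {cuec}"))
    # C4: every qualification/exception must exist as a risk-register entry.
    for qual in vendor.qualifications:
        if qual not in vendor.risk_entries:
            out.append(("C4", f"qualification not in risk register: {qual}"))
    # C5: each carved-out sub-service organisation needs its own current report.
    for sub in vendor.carve_outs:
        sub_report = vendor.subservice_reports.get(sub)
        if sub_report is None or today - sub_report > REPORT_VALIDITY:
            out.append(("C5", f"carved-out sub-service org without a current report: {sub}"))
    # C6: inside the 60-day window before expiry a renewal request must already be logged.
    expiry = vendor.report_date + REPORT_VALIDITY
    if expiry - today <= RENEWAL_WINDOW and not vendor.renewal_requested:
        out.append(("C6", f"report expires {expiry.isoformat()}; renewal not yet requested"))
    return out


def evaluate_register(register: List[Vendor], today: date) -> Dict[str, List[Tuple[str, str]]]:
    return {v.name: evaluate(v, today) for v in register}


# Constructed register: one clean vendor, one stale report, one vendor failing C2-C6, one out of scope.
TODAY = date(2024, 6, 1)
REGISTER = [
    Vendor("cloud-host", 1, report_date=date(2024, 3, 31),
           review=Review(date(2024, 4, 15), "secops-a", "one exception, see RISK-17"),
           cuecs=["Customer manages IAM roles"], cuec_mapping={"Customer manages IAM roles": "AC-02"},
           qualifications=["Change mgmt exception"], risk_entries={"Change mgmt exception": "RISK-17"},
           carve_outs=["dc-operator"], subservice_reports={"dc-operator": date(2024, 1, 31)}),
    Vendor("payroll-saas", 1, report_date=date(2023, 4, 30)),
    Vendor("ticketing", 1, report_date=date(2023, 7, 15), cuecs=["MFA enforced by customer"],
           qualifications=["Logging exception"], carve_outs=["cdn-provider"]),
    Vendor("swag-shop", 3),
]

if __name__ == "__main__":
    for name, findings in evaluate_register(REGISTER, TODAY).items():
        print(name, findings or "no findings")
```

The script stops at C1 when no current report exists, because the other five tests can only be performed against a report that is actually on file; feed it the real vendor register (a CSV or GRC export mapped onto `Vendor`) and a fresh `today` on each scheduled run to get the renewal calendar of control 6 for free.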