Vendor Management
Roles & Vendors · Last updated 2026-05-17

Vendor management, sometimes called third-party risk management, is the program that evaluates and monitors the security and compliance risks introduced by external service providers. SOC 2 audits expect a documented vendor inventory, review depth tiered by risk, evidence of due diligence performed before a new vendor is onboarded, periodic re-reviews on a cadence appropriate to the vendor's risk tier, contractual security requirements, and procedures for offboarding a vendor that is no longer used. Critical vendors typically require review of their own SOC 2 reports, their security questionnaire responses, and their contractual commitments to breach notification and audit rights. Lower-risk vendors may need only an inventory entry and basic contractual terms.

Auditors test vendor management by reviewing the inventory, sampling onboarding records, examining risk reviews for documented analysis, and confirming that offboarding occurred for departed vendors. Modern programs use platforms that automate questionnaire collection and continuously monitor vendor security posture. SimpleAudit includes a vendor register that tracks vendors, their risk tiers, and their review status across the compliance lifecycle.