OnComply


Compliance · April 9, 2026 · 4 min read

How to Prepare Your Vendor Program for a SOC 2 Audit

What SOC 2 auditors actually look for in your vendor management program — and how to make sure you can answer their questions.

SOC 2 audits are increasingly common for software companies, SaaS businesses, and any company that handles customer data. If you are pursuing SOC 2 or your customers are asking for your SOC 2 report, your vendor management program will be reviewed.

This guide covers what auditors look for in vendor management and how to structure your program to pass.

Why Vendor Management Appears in SOC 2

SOC 2 is structured around the Trust Services Criteria, developed by the AICPA. The Common Criteria — the set that applies to all SOC 2 audits regardless of category — includes criteria around vendor risk.

Specifically, Common Criteria 9.2 requires organizations to assess the risks arising from vendors and business partners, including subservice organizations. The underlying question: if your vendors mishandle data, cause outages, or fail to maintain their own security controls, what exposure does that create for your customers?

Auditors are not looking for a perfect vendor management program. They are looking for evidence that you have a systematic process — that vendor risk is managed, not ignored.

What Auditors Look At

Vendor Inventory

Do you have a complete list of your vendors, especially those with access to customer data? Can you distinguish between high-risk vendors (those who process customer data, maintain infrastructure, or provide critical services) and lower-risk vendors?

Vendor Risk Assessment

Have you assessed the risk each vendor represents? For high-risk vendors, do you have a documented risk assessment that informed your decision to engage them?

Due Diligence at Onboarding

What controls do you require vendors to have before you engage them? Do you collect and review SOC 2 reports, security questionnaires, or other evidence of their controls? Do you have signed contracts with appropriate data handling terms?

Contracts and Data Processing Agreements

For vendors who handle customer data, do you have Data Processing Agreements or Business Associate Agreements (for HIPAA) in place? Do your vendor contracts include appropriate security requirements, audit rights, and breach notification obligations?

Ongoing Monitoring

Do you re-assess vendor risk periodically? Do you track when vendor certifications (like their own SOC 2 report) expire and request renewals? Do you review vendor security incidents?

Subservice Organization Reporting

For vendors who are themselves SOC 2 certified, do you obtain and review their SOC 2 reports annually? Do you verify that the controls you rely on are included in their report?

The Evidence Auditors Want to See

Auditors will ask for documentation supporting your vendor management process. Be prepared to produce:

A vendor inventory listing all vendors with access to customer data, their risk classification, and the controls you have in place for each.

Due diligence records for high-risk vendors — completed security questionnaires, reviewed SOC 2 reports, or other evidence that you assessed their controls before engaging them.

Signed contracts with data handling terms for every vendor who processes customer data.

Renewal tracking showing that vendor certifications and agreements are monitored for expiration.

A process document describing your vendor management procedure — how new vendors are assessed, who approves high-risk vendor engagements, and how ongoing monitoring works.

Common Gaps That Generate Audit Findings

No formal process. Vendor management happens informally, with no documented procedure and no system of record. Every auditor finds this.

Missing contracts. Vendors are in use without signed agreements. This is particularly damaging if the vendor handles customer data.

Stale assessments. Vendors were assessed two years ago and never re-reviewed. Circumstances change — a vendor who was SOC 2 certified may have let that lapse.

No inventory of vendors with data access. Companies often cannot quickly produce a list of which vendors have access to customer data. If you cannot produce this list, you cannot demonstrate that you manage the risk.

No subservice organization reports. Your critical infrastructure vendors (cloud providers, data processors) are themselves subject to SOC 2 if they are US entities. Review their SOC 2 reports annually.
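The evidence list and the gap list above describe the same checks from two sides: the inventory fields an auditor asks for, and the findings that appear when a field is missing or stale. The following is an added example, not OnComply's code or data model, that runs those checks over a small constructed vendor inventory. The field names, the one-year thresholds for re-assessment and report age, the 60-day renewal window, and the sample vendors are all assumptions chosen for illustration.

```python
# Added example (not OnComply's code): a gap check over a constructed vendor
# inventory that flags the findings listed above. Field names, thresholds and
# the sample rows are assumptions chosen for illustration.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Thresholds are assumptions: one year for both re-assessment and report age,
# matching the "annually" language used for subservice organization reports.
ASSESSMENT_MAX_AGE = timedelta(days=365)
SOC2_REPORT_MAX_AGE = timedelta(days=365)


@dataclass
class Vendor:
    name: str
    tier: str                        # "high" or "low" risk classification
    has_customer_data: bool          # vendor processes or can access customer data
    contract_signed: bool
    dpa_signed: bool                 # Data Processing Agreement (or BAA) on file
    last_assessed: Optional[date]    # date of the most recent documented risk assessment
    soc2_report_period_end: Optional[date]  # end of the period covered by their latest SOC 2 report


def find_gaps(v: Vendor, today: date) -> list[str]:
    """Return the audit findings this vendor would generate, in a fixed order."""
    gaps = []
    if not v.contract_signed:
        gaps.append("missing contract")
    if v.has_customer_data and not v.dpa_signed:
        gaps.append("missing DPA")
    # Proportionality: a low-risk vendor without data access needs only a contract.
    if v.tier == "low" and not v.has_customer_data:
        return gaps
    if v.last_assessed is None:
        gaps.append("never assessed")
    elif today - v.last_assessed > ASSESSMENT_MAX_AGE:
        gaps.append("stale assessment")
    if v.soc2_report_period_end is None:
        gaps.append("no SOC 2 report on file")
    elif today - v.soc2_report_period_end > SOC2_REPORT_MAX_AGE:
        gaps.append("SOC 2 report expired")
    return gaps


def audit_inventory(vendors: list[Vendor], today: date) -> dict[str, list[str]]:
    """Map every vendor name to its list of gaps (an empty list means no findings)."""
    return {v.name: find_gaps(v, today) for v in vendors}


def data_access_vendors(vendors: list[Vendor]) -> list[str]:
    """The list an auditor asks for first: which vendors can touch customer data."""
    return [v.name for v in vendors if v.has_customer_data]


def renewals_due(vendors: list[Vendor], today: date, window_days: int = 60) -> list[tuple[str, int]]:
    """Vendors whose SOC 2 report will pass the age limit within the window.
    Returns (name, days_until_expiry); already-expired reports are left to find_gaps."""
    due = []
    for v in vendors:
        if v.soc2_report_period_end is None:
            continue
        days_left = (v.soc2_report_period_end + SOC2_REPORT_MAX_AGE - today).days
        if 0 <= days_left <= window_days:
            due.append((v.name, days_left))
    return due


# Constructed sample inventory; vendor names and dates are made up.
TODAY = date(2026, 4, 9)
SAMPLE_VENDORS = [
    Vendor("CloudHost", "high", True, True, True, date(2026, 1, 15), date(2025, 5, 15)),
    Vendor("PaymentsCo", "high", True, True, False, date(2024, 2, 1), date(2025, 1, 31)),
    Vendor("Analytics", "high", True, False, False, None, None),
    Vendor("OfficeSupplies", "low", False, True, False, None, None),
]

if __name__ == "__main__":
    for name, gaps in audit_inventory(SAMPLE_VENDORS, TODAY).items():
        print(f"{name}: {', '.join(gaps) if gaps else 'no findings'}")
    print("data access:", data_access_vendors(SAMPLE_VENDORS))
    print("renewals due within 60 days:", renewals_due(SAMPLE_VENDORS, TODAY))
```

The point of the `renewals_due` function is that an expired report is a finding, while a report about to expire is a reminder; tracking the second prevents the first. The early return for low-risk vendors without data access is the proportionality rule from the next section expressed as code: the office-supplies vendor gets a contract check and nothing more.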

What Is Not Required

SOC 2 does not require you to audit every vendor. The criteria apply risk-based thinking — high-risk vendors warrant more scrutiny than low-risk vendors. A vendor who provides office supplies does not need a security questionnaire. A vendor who processes customer payment data does.

Proportionality is a feature of the criteria, not a loophole. Apply your controls in proportion to the risk.

Building the Evidence Base

The most common audit failure mode is not that the controls do not exist — it is that the evidence cannot be produced. Auditors work with what they can see. If your vendor management process is in someone's head or in an email thread, it does not exist from an audit perspective.

A vendor compliance platform that tracks every onboarding event, every document collection, and every status change provides the audit evidence automatically. The log is the documentation.
