Catch this episode on Apple, Spotify, Amazon, or YouTube.
On a recent episode of GRC Uncensored, host Troy Fine and producer Elliot Volkman were joined by guest Stanley Krochik, a seasoned GRC professional and former city security program manager, to discuss the realities of third-party risk management (TPRM). The conversation focused on the growing issue of low-quality audits, the challenge of assessing vendor security postures, and the dilemma risk managers face when reviewing third-party documentation.
The Problem with Low-Quality Audits
As businesses increasingly rely on third-party vendors, the demand for security attestations like SOC 2 has surged. However, the market has responded with a wave of low-cost, low-quality audit firms that prioritize speed over rigor. Stanley highlighted the growing concern that some of these audits function more as a sales tool than a true security evaluation.
“There’s a trend of some companies becoming more sales-focused rather than compliance-focused. And when that happens, security takes a backseat,” said Krochik.
The issue is further exacerbated by vendors who bundle SOC 2 reports with compliance automation platforms, blurring the lines between independent assessments and self-certifications. Stanley noted that many of these firms lack peer reviews from the AICPA, raising questions about their credibility.
In many cases, the lack of peer review indicates that the firm is under two years old or, less often, that it is based overseas. As discussed in previous episodes, there has been an increase in firms popping up over the past few years and latching on to compliance automation providers because they are an easier source of clients, which further compounds the lack of transparency.
When to Push Back on Vendor Documentation
Risk managers often receive vendor-provided documentation that does not meet their organization’s security standards. The big question: Can (and should) they push back?
Stanley’s answer: It depends on the risk level of the vendor:
Low-Risk Vendors: A lower-quality audit might not be a dealbreaker if a vendor has minimal access to sensitive data. The risk team may note deficiencies but still approve the vendor, with a recommendation for better audits in the future.
High-Risk Vendors: If a vendor has access to sensitive systems, Stanley recommends a more stringent review process, including escalation to cloud security and infrastructure teams. In some cases, organizations may impose a time-bound risk acceptance, requiring the vendor to improve their security posture within a set timeframe.
“If an AI vendor is integrating with our customer support system and could potentially access sensitive data, I need to see a strong SOC 2 report. If it’s from a questionable firm, I escalate the review and make sure security is looped in,” said Krochik.
The Path Forward: Holding Vendors Accountable
To combat the rise of weak audits, Stanley and Troy suggested that organizations need to take a firmer stance:
Develop a Vendor Audit Policy: Create an internal list of approved and non-approved audit firms. Additional review steps should be triggered if a vendor submits a report from a questionable firm.
Enforce Time-Bound Risk Acceptances: If a vendor’s documentation is subpar, allow them to proceed with conditions, such as requiring a higher-quality audit within a year.
Move Beyond SOC 2: While SOC 2 remains the standard, risk teams should incorporate additional security assessments, such as penetration tests and real-time data flow monitoring, to get a more accurate picture of vendor risk.
Is SOC 2 Just a Checkbox?
One of the most provocative questions raised in the episode was whether SOC 2 has been reduced to a mere checkbox. While it remains a foundational requirement, the panel agreed that its effectiveness depends on the quality of the audit and how organizations use it in their risk assessments.
“SOC 2 is table stakes, but if companies don’t push back on low-quality audits, nothing will change,” said Fine.
The episode concluded with a call to action: If businesses want better vendor security, they need to demand it. Without accountability, the cycle of weak audits and inadequate risk management will continue.