New AICPA White Paper: A Guide to Vendor Management and Third-Party Risk Reviews

The AICPA has released a comprehensive white paper designed to help organizations strengthen their vendor management and third-party risk assessment practices. This resource is especially valuable for user entities that rely on SOC 2® reports to evaluate the security, availability, confidentiality, processing integrity, and privacy controls of their service providers.

The paper outlines a structured framework for building and maintaining a robust vendor management program. It covers key areas such as governance, policy development, risk assessment procedures, due diligence, contract evaluation, and ongoing monitoring. It also provides practical guidance on how to interpret and apply SOC 2® reports in the context of vendor oversight. Whether you’re establishing a new program or refining an existing one, this guide offers actionable insights to help you align vendor oversight with your organization’s risk tolerance and regulatory obligations.

Check out the full white paper here.

Breaking Down the Five Trust Services Criteria

Another great resource provided by the AICPA & CIMA breaks down the essential components of a SOC 2® report, helping management teams better understand their responsibilities and the report’s structure. It covers the five Trust Services Criteria—Security, Availability, Processing Integrity, Confidentiality, and Privacy—and explains how these criteria are evaluated through system descriptions, management assertions, and the service auditor’s report. Whether you’re preparing for an audit or reviewing vendor compliance, this guide is a must-watch for aligning your organization with SOC 2 standards. See the video here.

If you have questions about these resources and how they relate to your organization, reach out to our Information Systems & Risk Assurance team.