Third-Party Risk Management Evidence Requirements: How to Automate Vendor Audits
Third-party risk management (TPRM) evidence requirements include vendor risk assessments, SOC 2 report reviews, and signed Data Processing Agreements (DPAs). This guide explains exactly what evidence auditors require for SOC 2 CC9 and ISO 27001 A.5 controls and how to automate the collection of vendor due diligence documentation.

Third-party risk management (TPRM) evidence requirements for frameworks like SOC 2 and ISO 27001 mandate that organizations document the selection, assessment, and ongoing monitoring of external vendors. Auditors require specific artifacts—such as completed vendor risk assessment questionnaires, signed Data Processing Agreements (DPAs), and documented reviews of vendors' SOC 2 Type II reports—to prove that supply chain risks are managed effectively. While GRC tools track vendor lists, automating the actual collection and review of these evidence documents remains a critical challenge for compliance teams.
What Evidence Do Auditors Require for TPRM?
For most audits, including SOC 2 and ISO 27001, a simple list of vendors is not sufficient evidence. Auditors need to see the process of due diligence and ongoing monitoring.
Specifically, auditors look for the "Three Pillars of TPRM Evidence":
- Onboarding Evidence: Proof that security was considered before the contract was signed. This includes risk questionnaires (SIG Lite, CAIQ) and security scorecards.
- Contractual Evidence: Legal agreements that bind the vendor to security standards, specifically Data Processing Agreements (DPAs) and Service Level Agreements (SLAs).
- Ongoing Monitoring Evidence: The most commonly failed category. This requires annual reviews of the vendor's own compliance reports (e.g., reviewing AWS's SOC 2 report) and documenting the review of Complementary User Entity Controls (CUECs).
The "Bridge Letter" Gap
A common audit finding involves "Bridge Letters." If a vendor's SOC 2 report covers January to December, but your audit is in March, you need a "Bridge Letter" from the vendor stating no material changes occurred in the gap period. Missing this specific PDF is a frequent cause of TPRM deviations.
SOC 2 vs. ISO 27001 vs. HITRUST Vendor Requirements
Different frameworks emphasize different aspects of vendor risk. Understanding the specific control IDs is essential for mapping your evidence correctly.
| Feature | SOC 2 (CC9 Series) | ISO 27001:2022 (Annex A.5) | HITRUST r2 (Domain 15) |
|---|---|---|---|
| Primary Controls | CC9.2: Assess and manage vendor risks. | A.5.19: Supplier relationships. A.5.21: Managing supplier chain security. | 15.0: Third-Party Assurance. |
| Key Requirement | Reviewing vendor SOC 2 reports and CUECs. | Documenting the supplier lifecycle (selection to exit). | Inheritance of controls (e.g., inheriting physical security from AWS). |
| Evidence Focus | Artifact-heavy: Needs the actual PDF report review. | Process-heavy: Needs policy and procedure documentation. | Score-heavy: Needs quantitative risk scoring of vendors. |
| Common Pitfall | Failing to document the review of the report (just saving the PDF isn't enough). | Missing evidence of "exit strategy" or offboarding. | Incorrectly applying inheritance factors. |
How to Document Vendor Reviews (The CUEC Problem)
Collecting a vendor's SOC 2 report is only step one. The actual compliance requirement—and the evidence auditors demand—is the review of that report.
What are CUECs?
Complementary User Entity Controls (CUECs) are responsibilities listed in your vendor's SOC 2 report that you must fulfill.
- Example: AWS secures the physical data center, but you are responsible for configuring the firewall.
The Evidence Workflow
To satisfy SOC 2 CC9.2, you must produce a document (often a spreadsheet or PDF) that shows:
- Vendor Name: e.g., Datadog.
- Report Period: e.g., Jan 1, 2025 – Dec 31, 2025.
- Opinion: Was the report "Unqualified" (Clean)?
- CUEC Verification: A checklist confirming you have implemented the controls AWS/Datadog assigned to you.
Manual vs. Automated Evidence:
- Manual: Downloading the PDF, reading pages 40-50 for CUECs, and typing them into Excel.
- Automated: Using AI agents to parse the PDF, extract CUECs, and generate a "Review Summary" automatically.
Where Traditional GRC Tools Fail at TPRM Automation
Most GRC platforms (like Drata or Vanta) are excellent at maintaining a Vendor Inventory. They can connect to your accounting software (QuickBooks, Xero) to find new payments and flag new vendors.
However, they often stop short of evidence collection and analysis.
| Task | Traditional GRC Tool | The Automation Gap |
|---|---|---|
| Vendor Discovery | ✅ Automated (via accounting integrations) | N/A |
| Sending Questionnaires | ✅ Automated (email triggers) | N/A |
| Collecting SOC 2 Reports | ⚠️ Partial (Vendor must upload) | High Friction: Chasing vendors for PDFs is manual work. |
| Reviewing Reports | ❌ Manual | The Gap: A human must read the PDF and extract CUECs. |
| Verifying Offboarding | ⚠️ Partial (SSO check) | The Gap: Did we actually delete the data? (Requires UI evidence). |
The "Offboarding" Evidence Gap
When a vendor is terminated, auditors require evidence that data was deleted or access was revoked. GRC tools check if the SSO app was removed, but they cannot log into the vendor's portal to screenshot the "Account Deleted" confirmation screen. This requires Screenata or similar "computer-use" agents to capture the final evidence of data destruction.
How to Automate TPRM Evidence Collection
To fully automate Third-Party Risk Management evidence, organizations are moving toward AI-driven Evidence Capture Agents.
Step 1: Automate the "Chasing"
Instead of emailing vendors manually, use workflow automation tools to request updated compliance packets (SOC 2, ISO certs) annually.
Step 2: Automate the Report Review (AI Analysis)
Modern AI tools can ingest a 100-page SOC 2 Type II PDF and extract the relevant data points:
- Auditor Opinion: Pass/Fail.
- Period of Coverage: Dates.
- Exceptions: Did the vendor fail any controls?
- CUECs: Extracted list of user responsibilities.
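The following Python example is added here and is not code from the page or from any product it mentions. It turns the Step 2 data points (period, opinion, CUECs) and the earlier "Bridge Letter" date check into one review record, working on a constructed opinion excerpt; the vendor name, the sample text, the period wording and the `CUEC-n` line format are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import date, datetime

# Constructed excerpt of a SOC 2 Type II opinion section (not a real vendor's report).
SAMPLE_REPORT = """
In our opinion, the controls were suitably designed and operated effectively
throughout the period January 1, 2025 to December 31, 2025.
This is an unqualified opinion.
Complementary User Entity Controls
CUEC-1 User entities are responsible for managing access tokens.
CUEC-2 User entities are responsible for configuring network firewalls.
"""

# Period wording as written in the constructed sample; real reports vary.
PERIOD_RE = re.compile(
    r"period\s+([A-Z][a-z]+ \d{1,2}, \d{4})\s+(?:to|through)\s+([A-Z][a-z]+ \d{1,2}, \d{4})")
# Assumed "CUEC-n <text>" line format for the constructed sample.
CUEC_RE = re.compile(r"^(CUEC-\d+)\s+(.+)$", re.M)

@dataclass
class VendorReview:  # one row of the CC9.2 review record
    vendor: str
    period_start: date
    period_end: date
    opinion: str
    cuecs: list
    bridge_letter_needed: bool

def extract_opinion(text):
    # "qualified opinion" is a substring of "unqualified opinion", so a plain
    # substring check would flag every clean report as qualified; \b prevents that.
    if re.search(r"\bunqualified opinion\b", text, re.I):
        return "Unqualified"
    if re.search(r"\bqualified opinion\b", text, re.I):
        return "Qualified"
    return "Unknown"  # route to manual review rather than guessing

def review_report(vendor, text, audit_date_iso):
    m = PERIOD_RE.search(text)
    if not m:
        raise ValueError("report period not found; route to manual review")
    start, end = (datetime.strptime(s, "%B %d, %Y").date() for s in m.groups())
    cuecs = [f"{cid}: {desc.strip()}" for cid, desc in CUEC_RE.findall(text)]
    # Bridge Letter rule from the page: any gap between period end and audit date needs one.
    audit_date = date.fromisoformat(audit_date_iso)
    return VendorReview(vendor, start, end, extract_opinion(text), cuecs, audit_date > end)
```

A report whose period has not ended by the audit date needs no bridge letter; a missing period paragraph raises instead of silently producing a record.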
Step 3: Automate Offboarding Verification with Screenshots
Use an evidence automation tool to record the offboarding workflow.
- Action: Admin logs into the SaaS tool (e.g., Salesforce).
- Task: Deactivate the integration user or delete the tenant.
- Evidence: Screenata captures the "User Deactivated" toast notification and timestamps it.
- Result: A PDF evidence pack proving access revocation for ISO 27001 A.5.23.
Example: Documenting a Vendor Review for SOC 2 CC9.2
Control Requirement: The entity assesses and manages risks associated with vendors and business partners.
The Manual Way:
- Email GitHub support for their SOC 2 report.
- Wait 3 days.
- Receive PDF.
- Read PDF.
- Update "Vendor Review 2025.xlsx" with "Reviewed on Jan 2nd, clean report."
The Automated Way (Evidence Pack):
- Trigger: Annual review cycle detected.
- Collection: Agent retrieves GitHub's publicly available compliance report from their trust center.
- Analysis: AI scans the document for "Qualified Opinion" (red flag) or "Unqualified Opinion" (green flag).
- Output: Generates a Vendor Review Evidence Pack (PDF).
  - Page 1: Summary of GitHub's security posture.
  - Page 2: List of CUECs (e.g., "User is responsible for managing access tokens").
  - Page 3: Confirmation that internal controls map to these CUECs.
Frequently Asked Questions
Do I need a SOC 2 report from every vendor?
No. You need to perform a risk assessment first. Critical vendors (those with access to customer data or production environments) require a SOC 2 review. Low-risk vendors (like a catering service) do not. Evidence of this categorization is required.
What if a vendor doesn't have a SOC 2 report?
If a critical vendor lacks a SOC 2 report, you must provide alternative evidence. This typically includes a completed Security Questionnaire (SIG/CAIQ) and evidence that you reviewed their answers and accepted the risk.
How often must TPRM evidence be collected?
Annually at a minimum. For SOC 2 Type II, you must show that you monitored vendors throughout the audit period. If a vendor's report expires mid-year, you need the renewal evidence immediately.
Can I automate the review of vendor SOC 2 reports?
Yes. AI agents can now read standard SOC 2 PDFs to identify the audit period, the auditor's opinion, and CUECs, generating a summary document that auditors accept as proof of review.
Key Takeaways
- ✅ Review is mandatory: Collecting a PDF isn't enough; you must document the review of that PDF (SOC 2 CC9.2).
- ✅ CUECs matter: Auditors specifically check if you acknowledged your responsibilities listed in the vendor's report.
- ✅ Offboarding requires proof: Use screenshot automation to prove data deletion or access revocation when a vendor relationship ends.
- ✅ Risk-based approach: Document why certain vendors are "Critical" vs. "Low Risk" to reduce the evidence burden.
- ✅ Bridge Letters: Always check dates; if there's a gap between the vendor's report and your audit, demand a bridge letter.
Learn More About Internal Audit Compliance Automation
For a complete guide to streamlining your internal audit processes, see our guide on automating internal audit evidence collection, including how to manage workpapers, testing, and third-party risk documentation efficiently.