Crash course here: Everyone is heavily overburdened with the demands of trying to comply with regulations. So if your IT or Info Security team doesn’t have enough staff to review all SOC reports (or possibly just reviews those with exceptions) yet your internal audit dept wants proof that reviews of all SOC reports are conducted, here’s a crash course for those of you on the first line of defense who own vendor relationships (or who volunteer to help) and are tasked with getting it done. I put together a document with the basic steps you need to take to get a very good idea of the adequacy and effectiveness of your vendor’s controls. I initially distributed it only to our Certified Regulatory Vendor Program Managers (CRVPM‘s) but thought it would benefit everyone for the greater good of vendor management. Please note that this is no substitute for having the properly skilled person review the report but it will provide you with the critical information that you need and definitely get you through your audit and know when to bring exceptions to those who can take a more in-depth look!