For SOC 2 audit prep

Vendor Evidence for SOC 2 Audit Prep

The CC9.2 vendor-management ask is the scramble nobody plans for. Thorgate keeps continuous vendor-monitoring evidence year-round, so audit prep is an export — not a fire drill.

Start a 14-day trial → See pricing

Every SOC 2 cycle has a section that turns into a scramble: vendor management. The controls are in place, the evidence for your own systems is automated — and then the auditor asks how you monitor your vendors, and the honest answer is "we did a review a few weeks ago." Suddenly someone is opening thirty vendor pages, screenshotting subprocessor lists, and reconstructing a monitoring story that should have been accumulating all year.

Thorgate turns that scramble into an export.

What CC9.2 actually asks

The Trust Services Criteria expect you to assess and manage vendor and business-partner risk — and for Type II, to show it happened across the observation window, not in a single snapshot. Auditors increasingly press on this because point-in-time vendor reviews are easy to stage and hard to trust. What they want is evidence of continuous attention:

  • Which vendor commitments were in force during the period
  • What changed, and when
  • That the changes were reviewed and dispositioned

Assembled by hand at audit time, that's days of work and a slightly nervous story. Accumulated automatically, it's a download.

What Thorgate gives your auditor

  • Document version history per vendor. The contemporaneous record that a vendor's stated commitments existed at specific points in the observation period — not a screenshot taken last week.
  • Change events with summaries and severity. Every material change across the window, described in plain language and classified — the "what changed and did it matter" narrative in one place.
  • Reviewer attestations. Per-change "reviewed by [name] on [date]" records — the human-in-the-loop evidence auditors specifically look for.
  • Workpaper-ready exports. Per-vendor audit PDFs and CSV, formatted to attach directly to your CC9.2 workpapers.

The shift in how audit prep feels

The difference isn't just less work — it's a stronger position. Instead of a point-in-time review you hope reads as "monitoring," you hand over a continuous, timestamped record of exactly what you watched and what you found across the whole period. That's the evidence Type II is actually asking for, and it's sitting there ready before fieldwork starts.

The honest boundaries

Thorgate covers the vendor-monitoring slice of CC9.2. It doesn't manage your own controls, automate the rest of your evidence, or run the audit — that's your GRC platform's job (see how Thorgate sits alongside Vanta or alongside Drata). And it produces evidence for your audit; our own SOC 2 Type II is in progress, with status on the Security page. What it removes is the specific, recurring, avoidable scramble that vendor management becomes every single cycle.

Frequently asked

What does an auditor want to see for vendor management?
For CC9.2, evidence that you assess and monitor vendor risk on an ongoing basis — not a single point-in-time review. That means document versions, a record of what changed during the period, and proof that someone reviewed the changes. Thorgate produces all three.
We do our vendor review the week before the audit. Isn't that enough?
It can pass, but it's the fragile path. A point-in-time review done just before fieldwork doesn't demonstrate monitoring across the observation window, which is what Type II is about. Continuous evidence is stronger and far less stressful to assemble.
Can Thorgate exports go straight into my workpapers?
Yes. Per-vendor audit PDFs and CSV exports include document version history, change events with summaries, severity, and named reviewer attestations — formatted to attach directly as vendor-management workpaper evidence. See the SOC 2 page.
Is Thorgate itself SOC 2 certified?
Not yet — we're pursuing SOC 2 Type II and publish progress on our Security page. Thorgate produces vendor-monitoring evidence for your audit; it isn't a substitute for your own GRC platform.
Try it on your vendor stack.

14-day free trial, no credit card required.

Start a trial