Every SOC 2 cycle has a section that turns into a scramble: vendor management. The controls are in place, the evidence for your own systems is automated — and then the auditor asks how you monitor your vendors, and the honest answer is "we did a review a few weeks ago." Suddenly someone is opening thirty vendor pages, screenshotting subprocessor lists, and reconstructing a monitoring story that should have been accumulating all year.
Thorgate turns that scramble into an export.
What CC9.2 actually asks
The Trust Services Criteria expect you to assess and manage vendor and business-partner risk — and for Type II, to show it happened across the observation window, not in a single snapshot. Auditors increasingly press on this because point-in-time vendor reviews are easy to stage and hard to trust. What they want is evidence of continuous attention:
- Which vendor commitments were in force during the period
- What changed, and when
- That the changes were reviewed and dispositioned
Assembled by hand at audit time, that's days of work and a slightly nervous story. Accumulated automatically, it's a download.
What Thorgate gives your auditor
- Document version history per vendor. The contemporaneous record that a vendor's stated commitments existed at specific points in the observation period — not a screenshot taken last week.
- Change events with summaries and severity. Every material change across the window, described in plain language and classified — the "what changed and did it matter" narrative in one place.
- Reviewer attestations. Per-change "reviewed by [name] on [date]" records — the human-in-the-loop evidence auditors specifically look for.
- Workpaper-ready exports. Per-vendor audit PDFs and CSV, formatted to attach directly to your CC9.2 workpapers.
The shift in how audit prep feels
The difference isn't just less work — it's a stronger position. Instead of a point-in-time review you hope reads as "monitoring," you hand over a continuous, timestamped record of exactly what you watched and what you found across the whole period. That's the evidence Type II is actually asking for, and it's sitting there ready before fieldwork starts.
The honest boundaries
Thorgate covers the vendor-monitoring slice of CC9.2. It doesn't manage your own controls, automate the rest of your evidence, or run the audit — that's your GRC platform's job (see how Thorgate sits alongside Vanta or alongside Drata). And it produces evidence for your audit; our own SOC 2 Type II is in progress, with status on the Security page. What it removes is the specific, recurring, avoidable scramble that vendor management becomes every single cycle.