Skip to main content
Currently onloravaughn.com→ visit Vaughn Cyber Group
Lora Vaughn

// BLOG POST

Your Vendor's Auditor Is Also a Vendor

By · Jul 15, 2026 · 3 min read

SR Bancorp didn’t get breached. Its auditor did.

On July 10, the bank filed an 8-K saying an outside party accessed files sitting on the servers of Mercadien, the CPA firm that handles its internal audit work. Names, Social Security numbers, account numbers, identification documents, dates of birth. Somerset Regal Bank’s own systems were never touched. The core processor, the loan origination platform, the online banking stack, all untouched. Doesn’t matter. The customer data still walked out the door, through a vendor most third-party risk programs don’t even think to scrutinize.

The audit firm is a vendor too

Ask any community bank risk officer to name their top third-party risks and you’ll get the same list every time. Core processor. Loan origination system. Maybe the document imaging vendor if they’ve had a scare. The audit firm rarely makes that list, because it doesn’t feel like a vendor. It feels like oversight. A firm you hire to check your controls, not a firm whose own controls you need to check.

That framing is backwards. To do the job, an internal auditor needs access to real customer data, sometimes more of it than the core processor ever touches. Full account histories, loan files, and whatever the sample set requires that quarter. A firm holding that much sensitive data carries the exact same breach exposure as any other vendor on the list. TPRM programs treat it like a different category of relationship, but it isn’t.

What the SOC 2 report never asks

Most banks lean on a vendor’s SOC 2 report and call the diligence done. The report tells you the vendor’s own controls passed an audit. It tells you nothing about the controls of the firm doing your audit. That’s a blind spot almost no questionnaire covers, because the audit relationship gets waved through on trust instead of evidence.

TPRM is mostly theater when it stops at “send us your SOC 2.” A clean report is a point-in-time attestation, not proof the vendor’s environment is secure today. Contract language with actual teeth does more work than any report: a named breach notification window, a right-to-audit clause you’ll actually use, and a hard limit on what data the vendor can hold and for how long. If your auditor needs to verify a sample of loan files, they don’t need your entire customer base sitting on their servers indefinitely.

What to change this quarter

Pull the vendor list and check whether the audit firm, outside counsel, and any collections or statement-printing vendor are scored the same way as the core processor. If they’re not, that’s the gap. Anyone who touches unmasked customer data earns the same scrutiny, regardless of what category the vendor management policy filed them under.

Then go back to the contract. Ask for evidence of the vendor’s own security program, not just a report cover page. Add a data minimization clause that limits what they can retain and for how long. Put a real clock on breach notification, not the generic “in a timely manner.”

None of this is new work. It’s the same TPRM process already running on the core systems, applied to the vendors that have been quietly exempted. SR Bancorp just handed every risk officer in the industry a live example of why that exemption doesn’t hold. Use it before the board asks the question first.

If your vendor management program still treats the audit firm as a different category of risk, that’s worth a conversation. Book a call: https://cal.com/vaughn-cyber-group

Lora Vaughn, fractional CISO and cybersecurity speaker

About the Author

Lora Vaughn is a fractional CISO and cybersecurity speaker with 20+ years securing banks, digital payments, and financial products at scale. She is a two-time CISO (MoneyGram, Simmons Bank), a former NSA analyst, a CISSP, and a two-time CISOs Connect A100 honoree. She writes practical, no-buzzword security guidance from Birmingham, Alabama.

Work With Lora

Need Help Getting Exam-Ready?

Vaughn Cyber Group helps community banks build security programs that satisfy examiners and actually protect your institution.

Consulting services are delivered through Vaughn Cyber Group.