Many service organizations outsource functions of their business to third-party organizations (vendors). The functions performed by vendors may impact the service organization’s delivery of services to user entities. When completing a SOC 1 or SOC 2 examination, the service organization must determine whether any of its vendors are considered subservice organizations and are therefore in scope for the SOC examination.
The difference between a vendor and a subservice organization is that a vendor’s controls are not necessary for the service organization to meet the SOC 1 objectives or SOC 2 criteria, while a subservice organization’s controls are likely to be necessary to meet the objectives or criteria. A vendor is likely to be considered a subservice organization if the following points apply:
- User entities’ understanding of the service organization’s system requires the services provided by the vendor to be included in the service organization’s system description; and
- Controls at the vendor are necessary, in combination with the service organization’s controls, to provide assurance that the SOC 1 objectives or SOC 2 criteria are met; or
- The service organization’s contract with the vendor stipulates that the vendor perform certain controls to address risks related to the vendor’s service.
As an example, consider a vendor that monitors a service organization’s IT logs for events that could indicate unauthorized activities. If the vendor is responsible for analyzing the logs for notable activities and alerting the service organization to suspicious activities, then controls at the vendor would be relevant to meeting the service organization’s security commitments, and the vendor would be a subservice organization because the vendor is performing the control to monitor the logs. The same vendor would not be considered a subservice organization if the service organization was reviewing summary reports of logged events generated by the vendor, since the service organization would be responsible for monitoring the reports and would not be relying on the vendor for identifying suspicious activity. The service auditor is allowed to assist with determining if a third party should be classified as a vendor or subservice organization, but the determination is ultimately the responsibility of the service organization’s management.
Once the necessary subservice organizations are identified, the service organization will need to determine whether the inclusive or the carve-out method will be used to present the subservice organizations in its SOC report. Look for our upcoming article titled “Inclusive or Carve-Out: How Subservice Organizations Are Presented in SOC Reports” for guidance on choosing the appropriate method.