SOC Reporting: Vendor or Subservice Organization?

Risk Advisory/Internal Audit, SOC
by Timothy Wolfgang
share with a colleague Download PDF

Many service organizations outsource functions of their business to third-party organizations (vendors).  The functions performed by vendors may impact the service organization’s delivery of services to user entities.  When completing a SOC 1 or SOC 2 examination, the service organization must determine if any of it’s vendors are considered subservice organizations and therefore in-scope for the SOC examination. 

The difference between a vendor and a subservice organization is that a vendor’s controls are not necessary for the service organization to meet the SOC 1 objectives or SOC 2 criteria, while a subservice organization’s controls are likely to be necessary to meet the objectives or criteria.  A vendor is likely to be considered a subservice organization if the following points apply:

  • If user entities’ understanding of the service organization’s system requires the services provided by the vendor to be included in the service organization’s system description; and
  • If controls at the vendor are necessary, in combination with the service organization’s controls, to provide assurance that the SOC 1 objectives or SOC 2 criteria are met; or
  • A service organization’s contract with the vendor stipulates that the vendor perform certain controls  to address risks related to the vendor’s service.

As an example, consider a vendor that monitors a service organization’s IT logs for events that could indicate unauthorized activities.  If the vendor is responsible for analyzing the logs for notable activities and alerting the service organization to suspicious activities, then controls at the vendor would be relevant to meeting the service organization’s security commitments, and the vendor would be a subservice organization because the vendor is performing the control to monitor the logs.  The same vendor would not be considered a subservice organization if the service organization was reviewing summary reports of logged events generated by the vendor, since the service organization would be responsible for monitoring the reports and would not be relying on the vendor for identifying suspicious activity.  The service auditor is allowed to assist with determining if a third party should be classified as a vendor or subservice organization, but the determination is ultimately the responsibility of the service organization’s management.

Once the necessary subservice organizations are identified, the service organization will need to determine if the inclusive or carve-out method will be used to present the subservice organizations in it’s SOC report.  Look for our upcoming article titled “Inclusive or Carve-Out:  How Subservice Organizations Are Presented in SOC Reports” for guidance on choosing the appropriate method.

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2024 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

our thoughts on
Cybersecurity, IT Risk Advisory, Risk Advisory/Internal Audit BY Nathan Shepler
8 Key Considerations When Reviewing User Access
read more >
Financial Services, Risk Advisory/Internal Audit BY Marcy King
Enhancing Focus on Risk Management and Consumer Protection
read more >
Financial Services, Fraud/Investigative & Forensic Accounting, Risk Advisory/Internal Audit BY Tyler Caven
Controlling Wire Fraud in the Financial Industry
read more >
Risk Advisory/Internal Audit BY Brendan Leech
The Top Risks Internal Audit Leaders Need to Know for 2024
read more >
IT Risk Advisory, Risk Advisory/Internal Audit, SOC 2 BY Nicholas DeLuca
SOC 2 Terminology: Vendor vs Subservice Organization vs Subcontractor vs Third Party vs Nth Party
read more >
IT Risk Advisory, Risk Advisory/Internal Audit BY Michael Sinkevich
Did Poor Change Management Contribute to the AT&T Wireless and McDonald’s Outages?
read more >
Register to receive our weekly newsletter with our most recent columns and insights.
subscribe for updates
most recent
Dynamics 365 Business Central 2024 Release Wave 1: Top 5 Features
Consulting, Digital & Technology
By Michael Scalamogna | 4.23.2024

Learn more about the top five new artificial intelligence features of wave one of the 2024 release of Dynamics 365 Business Central. ...

read more
most popular
Dynamics 365 Business Central 2024 Release Wave 1: Top 5 Features
Consulting, Digital & Technology
By Michael Scalamogna | 4.23.2024

Learn more about the top five new artificial intelligence features of wave one of the 2024 release of Dynamics 365 Business Central. ...

read more
Have a question? Ask us!

We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.

Ask us
contact us
Pittsburgh
Columbus
Metropolitan Washington
Image of Prime Global Logo
follow us client portal

This site uses cookies to ensure that we give you the best user experience. Cookies assist in navigation, analyzing traffic and in our marketing efforts as described in our Privacy Policy.

×
Accept