Many service organizations outsource functions of their business to third-party organizations (vendors). The functions performed by vendors may impact the service organization’s delivery of services to user entities. When completing a SOC 1 or SOC 2 examination, the service organization must determine if any of it’s vendors are considered subservice organizations and therefore in-scope for the SOC examination.
The difference between a vendor and a subservice organization is that a vendor’s controls are not necessary for the service organization to meet the SOC 1 objectives or SOC 2 criteria, while a subservice organization’s controls are likely to be necessary to meet the objectives or criteria. A vendor is likely to be considered a subservice organization if the following points apply:
If user entities’ understanding of the service organization’s system requires the services provided by the vendor to be included in the service organization’s system description; and
If controls at the vendor are necessary, in combination with the service organization’s controls, to provide assurance that the SOC 1 objectives or SOC 2 criteria are met; or
A service organization’s contract with the vendor stipulates that the vendor perform certain controls to address risks related to the vendor’s service.
As an example, consider a vendor that monitors a service organization’s IT logs for events that could indicate unauthorized activities. If the vendor is responsible for analyzing the logs for notable activities and alerting the service organization to suspicious activities, then controls at the vendor would be relevant to meeting the service organization’s security commitments, and the vendor would be a subservice organization because the vendor is performing the control to monitor the logs. The same vendor would not be considered a subservice organization if the service organization was reviewing summary reports of logged events generated by the vendor, since the service organization would be responsible for monitoring the reports and would not be relying on the vendor for identifying suspicious activity. The service auditor is allowed to assist with determining if a third party should be classified as a vendor or subservice organization, but the determination is ultimately the responsibility of the service organization’s management.
Once the necessary subservice organizations are identified, the service organization will need to determine if the inclusive or carve-out method will be used to present the subservice organizations in it’s SOC report. Look for our upcoming article titled “Inclusive or Carve-Out: How Subservice Organizations Are Presented in SOC Reports” for guidance on choosing the appropriate method.
You’ve heard our thoughts… We’d like to hear yours
The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].
Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.