What differentiates a vendor from a subservice organization? This distinction is important for SOC 1 reports because information about the services provided by a subservice organization must be presented in the description of the service organization’s system (using either the carve-out or inclusive method).
SOC 1 Reporting
A subservice organization is defined as a service organization used by another service organization to perform some of the services provided to user entities that are likely to be relevant to those user entities’ internal control over financial reporting. Organizations that provide services to a service organization but are not considered subservice organizations are referred to as vendors. Services provided by vendors are not subject to the reporting requirements that apply to services provided by a subservice organization.
One way for management to determine whether an organization is a vendor or a subservice organization is to determine whether the controls implemented by the organization would be included in the service organization’s description of its system had they been performed by the service organization itself. If so, the organization would be considered a subservice organization.
For example, suppose an organization provides services for offsite storage of electronic information. Although this service is important to the service organization’s business, document storage does not relate to user entities’ internal control over financial reporting. However, let’s now suppose that the organization is also responsible for performing the backup and monitoring its status, along with hosting the application servers to support the production environment of this organization. In this case, the services provided would relate to the user entities’ internal control over financial reporting because controls at the subservice provider are necessary for the service organization’s application controls to operate effectively.
The AICPA Guide, Service Organizations – Reporting on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (SOC 1) provides valuable guidance to assist management and the service auditor in distinguishing the differences between subservice organizations and vendors. For more information on Service Organization Control Reports, visit our website.
© 2014 Schneider Downs. All rights reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.