Service Organization Control (SOC) Reporting - Vendor vs. Subservice Organization

SSAE 18/SOC

By Holly Russo

What distinguishes a vendor from a subservice organization? The distinction matters for SOC 1 reports because information about the services provided by a subservice organization must be presented in the description of the service organization’s system (using either the carve-out or inclusive method).

SOC 1 Reporting

A subservice organization is defined as a service organization used by another service organization to perform some of the services provided to user entities that are likely to be relevant to those user entities’ internal control over financial reporting. Organizations that provide services to a service organization but are not considered subservice organizations are referred to as vendors. Services provided by vendors are not subject to the reporting requirements that apply to services provided by a subservice organization.

One way for management to determine whether an organization is a vendor or a subservice organization is to ask whether the controls implemented by the organization would be included in the service organization’s description of its system had they been performed by the service organization itself. If so, the organization would be considered a subservice organization.

For example, suppose an organization provides services for offsite storage of electronic information. Although this service is important to the service organization’s business, document storage does not relate to user entities’ internal control over financial reporting. Now suppose that the organization is also responsible for performing the backup and monitoring the status of the backup, along with hosting the application servers to support the production environment of this organization. In this case, the services provided would relate to the user entities’ internal control over financial reporting because controls at the subservice provider are necessary for the service organization’s application controls to operate effectively.

The AICPA Guide, Service Organizations – Reporting on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (SOC 1), provides valuable guidance to assist management and the service auditor in distinguishing between subservice organizations and vendors. For more information on Service Organization Control Reports, visit our website.

© 2014 Schneider Downs. All rights reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
