Subservice Organizations: Their Role and Impact on Your SOC Report

In today’s interconnected business landscape, understanding the role of subservice organizations in SOC (System and Organization Controls) reports is paramount.

Subservice organizations are third-party entities utilized by service organizations to perform key functions, necessitating scrutiny to ensure comprehensive risk management and regulatory compliance.

Through a detailed examination of subservice organizations’ roles, responsibilities, and impact on SOC reporting, organizations can enhance their ability to effectively manage risk and uphold the integrity of their assurance processes.

This article delves into the significance of subservice organizations within SOC reports, exploring how to identify a subservice organization, and what that means for your SOC report.  

What is a Subservice Organization?

The 2022 AICPA SOC 2 Guide defines a subservice organization as a "vendor used by a service organization that performs controls that are necessary, in combination with controls at the service organization, to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved". 

To elaborate on the AICPA’s definition of a subservice organization, a vendor is a subservice organization if the following are true:

  • You need the vendor’s controls to achieve service commitments and meet system requirements for SOC 1 objectives or SOC 2 criteria.
  • It is necessary to describe the vendor’s services for customers to understand your core system and how it relates to applicable Trust Services criteria.
  • A contract is in place with the vendor that stipulates the vendor’s obligations to execute certain controls to address risks related to their service.

When adding a subservice organization to your report, all of the subservice organization’s complementary subservice organization controls (CSOCs), and each user entity’s complementary user entity controls (CUECs), must be evaluated to confirm that they align with the operating effectiveness of the service organization’s controls.

One of the most common reasons for adding a subservice organization is the use of cloud-based hosting services. Amazon Web Services (AWS), Azure, and Google Cloud Platform (GCP) are typical providers of this type of service.

One CSOC for a cloud-hosting subservice organization such as AWS, Azure, or GCP is providing physical and environmental security over the production servers in use.

Choosing the Inclusive or Carve-Out Method for Reporting

When a service organization chooses to add a subservice organization to their SOC report, they can choose to use either the inclusive or carve-out method to present the subservice organization.

When using the inclusive method, the auditor audits the subservice organization for the controls that the service organization relies on it for.

When choosing this method, it’s important to consider whether the subservice organization is willing to allow the auditor to test the controls within their environment.

When the carve-out method is used, the auditor does not audit the subservice organization for the controls that the service organization relies on it for. When choosing this method, it’s important to consider whether the subservice organization receives a SOC report or another certification that will allow you to monitor its control environment.

Monitoring Your Subservice Organization

When choosing to rely on the controls that a subservice organization is performing, it is important to consistently review the control reports (e.g., SOC reports) as they are made available.

When reviewing the subservice organization’s SOC reports, check whether the subservice organization received a clean opinion or whether any exceptions were noted on controls that could have an impact on the service you provide to your clients.

If the subservice organization does not have a SOC report, it’s important to find an alternate approach to monitor the controls that are being relied on. This could mean requesting vendor questionnaires or even setting up recurring meetings with the subservice organization for monitoring.

Preparing for Your Next SOC Audit

It is important to note that whether you use the inclusive or carve-out reporting method, you must disclose any use of services provided by a subservice organization in your audit report.

For your next SOC audit, do you need to decide whether to have an inclusive or carve-out report to represent your subservice organization?

After considering the positives and negatives of both methods, you can now make an informed decision on what is best for you and your customers.

If you need help determining subservice organizations, have questions on audit reporting methods, or any other SOC questions, feel free to contact our team directly at [email protected].

© 2024 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.