Many organizations have a difficult time distinguishing between “vendors” and “subservice organizations” for purposes of their SOC 1 and SOC 2 reports. This is partially because the differentiation / classification of vendors and subservice organizations has no bearing whatsoever on day to day operations of a service provider / organization receiving a SOC 1 or SOC 2 report. However, it is important to identify subservice organizations as part of the SOC reporting process for several reasons. Most notably, there are disclosure requirements in the SOC report’s system description related to sub service organizations that do not apply to vendors. And there are additional procedures that service auditors must perform relative to subservice organizations that do not apply to vendors.
SOC 1 Reports
Let’s get started by looking at some definitions. Here is how the AICPA defines subservice organizations for purposes of a SOC 1 report: “A service organization used by another service organization to perform some of the services provided to user entities that are likely to be relevant to those user entities’ internal control over financial reporting.” Examples of subservice organizations include the following:
- An entity that hosts key applications used by a service organization and is responsible for general IT controls that are likely to be relevant to user entities’ internal control over financial reporting, such as controls related to logical access, program changes, and computer operations
- An entity that processes a subset of the transactions that are part of the services provided by the service organization that are likely to be relevant to user entities’ internal control over financial reporting, for example,
- a claims processing entity that processes a subset of the claims processed by the service organization
- an entity that has custody over certain types of securities (a sub custodian) that is part of the custodial services provided by the service organization
Subservice organizations may be separate entities that are external to the service organization or may be entities related to the service organization, for example, a subservice organization that is a subsidiary of the same company that owns the service organization.
The AICPA also says “Controls at an entity that provides services to a service organization may appear to be relevant to a user entity’s internal control over financial reporting. However, if the service organization’s controls alone are sufficient to meet the needs of the user entity’s internal control over financial reporting (that is, achievement of the control objectives is not dependent on the entity’s controls), management may conclude that the entity is not a subservice organization.”
For colocation and hosting services (i.e., AWS, Microsoft Azure, etc.), the distinction between “subservice organization” and “vendor” is straight forward. Most SOC 1 and SOC 2 reports include hosting providers as “carved out” subservice organizations. But for many other service providers, the distinction between vendor and subservice organization is not as black and white. For SOC 1, a simplistic approach is to ask the following question. (Note, the approach for SOC 2 is different and is described below.) If the answer is yes, then there is a high probability that the entity you are evaluating is a subservice organization. Here is the question:
- If the organization that provides us with XYZ services does not have effective controls in place, could the financial statements of our clients be materially misstated?
SOC 2 Reports
The AICPA defines subservice organizations a little differently for purposes of a SOC 2 report: “A vendor used by a service organization that performs controls that are necessary, in combination with controls at the service organization, to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved.” And here is how the AICPA defines vendors: “An individual or business (and its employees) engaged to provide services to the service organization. Depending on the services a vendor provides (for example, if it operates certain controls on behalf of the service organization that are necessary, in combination with the service organization’s controls, to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved), a vendor might also be a subservice organization.”
A vendor is considered a subservice organization only if the following apply:
- The services provided by the vendor are likely to be relevant to report users’ understanding of the service organization’s system as it relates to the applicable trust services criteria.
- Controls at the vendor are necessary, in combination with the service organization’s controls, to provide reasonable assurance that the service organization’s service commitments and system requirements are achieved based on the applicable trust services criteria.
If the service organization’s controls alone achieve its service commitments and system requirements, or if the service organization’s monitoring of the vendor’s services and controls is sufficient to achieve its service commitments and system requirements, the services provided by a vendor are not likely to be relevant to the SOC 2 examination.
Reporting Considerations for Both SOC 1 and SOC 2 Reports
There are 2 methods of reporting that can be followed for subservice organizations:
- Carve-out method: Method of addressing the services provided by a subservice organization in which the components of the subservice organization’s system used to provide the services to the service organization are excluded from the description of the service organization’s system and from the scope of the examination. However, the description identifies (1) the nature of the services performed by the subservice organization; (2) the types of controls expected to be performed at the subservice organization; and (3) the controls at the service organization used to monitor the effectiveness of the sub service organization’s controls.
- Inclusive method: Method of addressing the services provided by a subservice organization in which the description of the service organization’s system includes a description of (a) the nature of the services provided by the subservice organization and (b) the components of the subservice organization’s system used to provide services to the service organization, including the sub service organization’s controls. (When using the inclusive method, controls at the subservice organization are subject to the service auditor’s examination procedures. Because the subservice organization’s system components are included in the description, those components are included in the scope of the examination.)
An inclusive report generally is most useful in the following circumstances:
- The services provided by the subservice organization are extensive.
- A type 1 or type 2 report that meets the needs of report users is not available from the subservice organization.
- Information about the subservice organization is not readily available from other sources.
Although the inclusive method provides more information for report users than the carve-out method, the inclusive method may not be appropriate or feasible in all cases. When using the carve-out method, the description would identify the types of complementary subservice organization controls (CSOCs) that the subservice organization is assumed to have implemented. Examples of the types of CSOCs the subservice organization is assumed to have implemented include the following:
- Controls relevant to the completeness and accuracy of transaction processing on behalf of the service organization
- Controls relevant to the completeness and accuracy of specified reports provided to and used by the service organization
- Logical access controls relevant to the processing performed for the service organization
- Physical security and environmental controls at data centers used by the service organization
In conclusion, although the AICPA specifies that it is management’s responsibility to identify subservice organizations and the related CSOCs in SOC 1 and SOC 2 engagements, this is often a challenging and difficult endeavor. Service auditors are well positioned and trained to help with this process. If you start working with a new vendor and need help determining whether they are a subservice organization or not – seek out your friendly auditor for guidance!
Thanks for reading.