Many companies that receive SOC 1 reports use “subservice organizations” as part of their service offering. The AICPA defines a subservice organization as: “A service organization used by another service organization to perform some or all of the services provided to user entities that are likely to be relevant to those user entities’ internal control over financial reporting.” A situation sometimes arises where a customer of a service organization wants to obtain the SOC report of a subservice organization in order to understand the controls of the subservice organization. However, most companies will only distribute their SOC report to their direct customers.
There are restrictions on the distribution of a SOC 1 report that are set forth in the SOC auditor’s opinion. The standard SOC 1 opinion states that the report is intended solely for:
- The service organization receiving the report
- User entities of the service organization’s system during some or all of the period that was audited
- The auditors of user entities
The AICPA has introduced the concept of “indirect” or “downstream” customers in SSAE #18 (section AT-C 320.A70). The AICPA states that “A user entity is also considered a user entity of the service organization’s subservice organizations if controls at subservice organizations are relevant to internal control over financial reporting of the user entity. In such case, the user entity is referred to as an indirect or downstream user entity of the subservice organization. Consequently, an indirect or downstream user entity may be included in the group to whom the use of the service auditor’s report is restricted.”
A common reason that companies cite for refusing to provide a SOC 1 report is that the party requesting the report is not their customer, and the auditor’s opinion in the SOC report restricts distribution of the report to user entities (see the 2nd bullet above). However, indirect and downstream customers can often be considered user entities and are therefore among the intended users of the SOC 1 report. Sometimes all it takes is a conversation with the service organization to explain this relationship and help them understand that it is appropriate to provide their SOC report to indirect / downstream users in the same way that they provide it to direct customers.
If the situation described above occurs and the subservice organization still will not provide its SOC 1 report to the indirect / downstream user, an alternative is to ask whether the subservice organization receives a SOC 3 report. Unlike a SOC 1, the SOC 3 is a general-distribution report, and most companies are much less rigid about whom they send it to. Many companies (for example, Amazon Web Services and Microsoft Azure) publish their SOC 3 reports on their public-facing websites. The SOC 3 report will not have the level of detail of a SOC 1 and will not be focused on internal controls over financial reporting, but it does provide a level of comfort around security and other controls.
Thanks for reading!