Staff Augmentation Considerations for SOC Reports

Staff augmentation is an outsourcing strategy where a company hires external professionals to supplement its existing workforce for specific projects or to meet temporary needs, rather than hiring full-time employees. This approach allows businesses to quickly scale their teams, access specialized skills, and maintain flexibility to handle fluctuating workloads without the long-term commitment of permanent hires.

When staff augmentation is used by a company that receives a SOC 1 or SOC 2 report, an evaluation should be performed to determine if the augmented staff should be treated as a subservice organization. It is highly unlikely that staff augmentation is considered a subservice for SOC reporting, because the key defining factor of a subservice organization is that the service organization relies on the vendor’s controls to meet its own service commitments to its customers. This is not the case in a typical staff augmentation arrangement, where the client remains responsible for supervising the work of the augmented staff. 

The distinction between staff augmentation and a subservice hinges on control and responsibility. 

| | Staff Augmentation | Subservice Organization |
|---|---|---|
| Control | The client maintains full control over the augmented staff’s work, including supervision, direction, and evaluation. | The service organization relies on the subservice organization’s controls and procedures to perform specific functions. |
| Integration | The augmented staff is integrated into the client’s existing team and processes to supplement internal capabilities. | The vendor performs a specific, outsourced function on behalf of the service organization with minimal direct oversight. |
| Responsibility | The client is ultimately responsible for the work performed by the augmented staff, and any associated controls. | The subservice organization is responsible for its own controls related to the specific services it provides. |
| SOC Impact | The client’s SOC report would cover the controls related to the augmented staff’s activities because the client has direct control and responsibility. The report may need to describe the use of external staff. | The service organization’s SOC report must explicitly address the use of a subservice organization, typically by either including the subservice’s controls in the report (inclusive method) or carving them out and relying on the subservice’s own SOC report (carve-out method). |

While not a subservice, staff augmentation should still be considered during a SOC audit. The report’s “Description of the System” section should include details about how the augmented staff is managed and controlled. Auditors will verify that the internal controls in place for augmented personnel—such as background checks, access provisioning, and supervision—are sufficient and operating effectively. 

Thanks for reading!
