Article Summary
- Explains how to determine whether a vendor qualifies as a Subservice Organization in SOC 1 and SOC 2 reports.
- Defines Subservice Organizations based on AICPA SOC Audit Guides, emphasizing “relevant” and “necessary” controls.
- Identifies two key factors: whether vendor controls are relevant to control objectives/trust criteria and whether they are necessary to achieve them.
- Provides practical examples (e.g., report printing, software development, capacity monitoring, SaaS monitoring tools) to illustrate judgment areas.
- Concludes that determining Subservice Organizations requires professional judgment and coordination between management and the service auditor before the SOC exam begins.
Is my Vendor a Subservice Organization?
For SOC 1 and SOC 2 reports, the Service Organization's description of its system is required to identify any Subservice Organization(s) it uses to meet its control objectives (SOC 1) or to fulfill its service commitments and system requirements (SOC 2) for its user entities. At a minimum, for each Subservice Organization, the description should list the Complementary Subservice Organization Controls (CSOCs): the controls the Service Organization assumes the Subservice Organization has in place and that are needed, in combination with the Service Organization's own controls, to deliver the service (the carve-out method, not discussed in detail here). At the other extreme, the description includes the Subservice Organization's relevant controls alongside the Service Organization's own, and the service auditor tests those controls as well (the inclusive method, also not discussed in detail here). Deciding whether a given vendor is a Subservice Organization requires judgment. This article offers some insights and guidance to help with that determination.
Subservice Organization Definitions
According to the AICPA SOC Audit Guides*, Subservice Organizations are defined as follows:
SOC 1 Audit Guide*
“Paragraph .08 of AT-C section 320 defines a subservice organization as ‘a service organization used by another service organization to perform some of the services provided to user entities that are likely to be relevant [emphasis added] to those user entities’ internal control over financial reporting.’”
SOC 2 Audit Guide*
“In this guide, a vendor is considered a subservice organization only if the following apply:
- The services provided by the vendor are likely to be relevant [emphasis added] to report users’ understanding of the service organization’s system as it relates to the applicable trust services criteria.
- Controls at the vendor are necessary [emphasis added], in combination with the service organization’s controls, to provide reasonable assurance that the service organization’s service commitments and system requirements are achieved based on the applicable trust services criteria.”
Subservice Organization Factors
From these definitions we see two main factors in determining whether a vendor is a Subservice Organization:
- Are the controls provided by the vendor relevant to the control objectives (SOC 1) or to the applicable trust services criteria (SOC 2)?
- If so, are the vendor's controls necessary, in combination with the Service Organization's controls, to provide reasonable assurance that the control objectives or service commitments and system requirements are achieved?
Examples of Subservice Organizations
The following examples illustrate these factors in practice. Many of them are adapted from the AICPA SOC Audit Guides*.
| Service the vendor provides to the Service Organization | Type of report | Is the service relevant to user entities' internal control over financial reporting (SOC 1) or to the Service Organization's service commitments and system requirements (SOC 2)? | Are the vendor's controls necessary to provide reasonable assurance that the control objectives or service commitments and system requirements are achieved? | Is the vendor a Subservice Organization? |
|---|---|---|---|---|
| Report printing and mailing: This organization prints the Service Organization's electronic files containing financial reports for user entities and mails the reports to the user entities. The information in the reports is incorporated into the user entities' financial statements. The organization is responsible for controls over the completeness and accuracy of the reports. | SOC 1 | Yes. The service is relevant to user entities' internal control over financial reporting because the information in the reports is incorporated into the user entities' financial statements. | Yes. The vendor is responsible for the completeness and accuracy of the printed reports that go to the user entities, and the Service Organization performs no additional review of those reports. | Yes. |
| Document storage and record retention: This organization picks up boxes of documents from the Service Organization and stores them at its facility. | SOC 1 | No. Although this service is important to the Service Organization's business and helps it meet certain regulatory requirements, document storage and record retention do not relate to user entities' internal control over financial reporting. | N/A | No. |
| Electric power: This organization provides electric service to the Service Organization. | SOC 1 | No. Although important for the Service Organization's continuing operations, electric service does not relate to user entities' internal control over financial reporting. | N/A | No. |
| Software development: The Service Organization outsources the development of its application changes to a software development organization. This organization receives the authorized changes from the Service Organization, develops them, and sends them back. The Service Organization authorizes all changes to be developed, reviews the accuracy of the changes, performs all user acceptance testing, and approves all changes before implementing them in production. | SOC 1 | Yes. Controls over software development are relevant to the information technology general controls (ITGCs) supporting financial reporting because the application processes user entities' transactions. | No. The Service Organization's own controls (authorizing changes, reviewing their accuracy, performing all user acceptance testing, and approving changes before production) are sufficient on their own to meet the needs of user entities' internal control over financial reporting. | No. |
| Backup power maintenance: ABC Vendor performs quarterly maintenance on the Service Organization's backup power system. | SOC 2 (Security, Confidentiality, and Availability) | Yes. Maintenance of the backup power system relates to the Service Organization's availability commitments. | No. Service Organization personnel participate in post-maintenance testing that verifies the backup power system works as intended, and that testing serves as the primary control. ABC Vendor's controls are therefore not necessary for the Service Organization to achieve its service commitments and system requirements based on the applicable trust services criteria for availability. | No. |
| Capacity monitoring: XYZ Vendor monitors service capacity and usage and projects future capacity demands based on historical trends. | SOC 2 (Security, Confidentiality, and Availability) | Yes. Capacity monitoring is relevant to the Service Organization's availability commitments. | Yes. Without additional controls at the Service Organization, the vendor's controls are necessary for the Service Organization to achieve its availability commitments and system requirements based on the applicable trust services criteria. | Yes. However, if the Service Organization independently performed high-level capacity monitoring and reviewed XYZ Vendor's projections for appropriateness, XYZ Vendor might not be a Subservice Organization, because its controls might no longer be necessary. The service auditor would need to judge whether the Service Organization's review controls are precise enough that the vendor's controls are not necessary. |
| Monitoring of configuration settings: The Service Organization purchases from JKL Vendor a tool that monitors and reports on the status of configuration settings that affect the operation of control activities. JKL Vendor also provides services around the use of that tool through a software-as-a-service (SaaS) model. | SOC 2 (Security, Confidentiality, and Availability) | Yes. Security configuration monitoring is relevant to the Service Organization's security commitments. | Yes. Management has effectively outsourced monitoring of the configuration settings to JKL Vendor and considers this function and its related controls necessary to achieving the Service Organization's service commitments and system requirements. | Yes. However, if JKL Vendor only provided the software and no additional services, there is an argument the Company |
As the examples show, controls at a vendor may appear relevant to user entities' internal control over financial reporting (SOC 1) or to the Service Organization's service commitments and system requirements (SOC 2). However, if the Service Organization's controls alone are sufficient (that is, achievement of the control objectives or service commitments and system requirements does not depend on the vendor's controls), management may conclude that the vendor is not a Subservice Organization. In that case, management of the Service Organization is not required to, but may, disclose in its description of the system and in its assertion that it uses the services of that vendor.
Conclusion
Determining whether a vendor is a Subservice Organization for SOC reporting requires judgment. Service Organizations and their service auditors should discuss these factors and agree on the in-scope Subservice Organizations before the SOC examination begins. For additional guidance and questions, please contact a Larson professional for help.
*SOC Audit Guides refer to the following:
SOC 1: Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting (SOC 1®), updated as of September 1, 2022, published by the AICPA.
SOC 2: Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2®), updated as of October 15, 2022, published by the AICPA.
Choosing the Right Criteria for your SOC 2 Audit
SOC audits are becoming even more important in today's interconnected world. Many organizations now require that their vendors and business partners hold a current SOC report. But choosing which of the trust services criteria to include in your SOC 2 report is difficult when you don't know what they cover. That's why we've created this guide to help you understand your options and how we can tailor your SOC audit to fit the needs of your business.
Each SOC 2 report covers at least one of the five trust services categories defined by the AICPA: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Any of these can be added to your report, but Security is always included. The Security criteria are known as the common criteria because they apply to every category you select, and they make up the bulk of the audit. After Security, it's your choice whether to add any of the rest. Weigh the time and budget involved against the commitments you have made to customers in your contracts and service level agreements (SLAs).
Availability applies mainly when you've committed to customers that information and systems will be available within certain parameters. That said, the availability criteria don't impose any specific acceptable performance level. In other words, the auditor isn't going to shut you down because your uptime isn't the greatest. You set the availability commitments in your customer contracts, and the audit tests whether your controls support the commitments you actually made.
Processing integrity, as defined by the AICPA, means that "system processing is complete, valid, accurate, timely, and authorized to meet the entity's objectives." While that may sound a bit nebulous, it basically means that your business processes reliably turn inputs into the intended outputs. We usually recommend this category for businesses that take in customer information and produce a result, such as payment processors, and that have made commitments to customers about the quality of that output. The criteria can also apply to organizations that produce a physical product, since production systems process inputs into outputs as well.
The confidentiality criteria of a SOC 2 audit address whether information designated as confidential is protected from unauthorized access, use, disclosure, modification, or destruction. In other words, any business that has made commitments to its customers about how it handles sensitive or confidential information should consider including Confidentiality in its SOC 2 audit. We recommend adding Confidentiality for organizations in healthcare, finance, law, or any other industry where confidentiality matters to your clients.
The final category is Privacy. While similar to confidentiality in plain English, in SOC language the two differ. The main difference is that the privacy criteria apply only to personal information, while confidentiality applies to any information that is expected to remain confidential. The privacy criteria address how an organization collects, uses, retains, discloses, and disposes of personal information. If your company has made commitments to customers about how it handles any type of personal information, whether about internal or external individuals, you should consider including these criteria.
It's easy to say you should just use all of the criteria, but businesses have budgets, and each added category can push the boundaries of those budgets. That's why it's important to know which criteria align most closely with the core competencies of your business and the commitments you have made to customers in your SLAs. For example, imagine you're a tech startup that manages client relationships for doctors. To close a particular deal, you need a SOC 2 report, so you should probably stick with the criteria that customer requires. Now picture the same startup a few years later, in a customer acquisition phase and trying to make the product stand out. A SOC 2 report that includes Privacy and Confidentiality looks much stronger, because it assures potential customers and partners that you really do care about their data.
For additional guidance, reach out to the Larson SOC Team and schedule a free 2-hour SOC readiness assessment.
Frequently Asked Questions About SOC Reporting
What is a Subservice Organization in a SOC 1 report? A Subservice Organization is a service organization used by another service organization to perform services that are likely to be relevant to user entities’ internal control over financial reporting, according to the AICPA SOC 1 Audit Guide.
What qualifies a vendor as a Subservice Organization in a SOC 2 report? Under SOC 2 guidance, a vendor is a Subservice Organization only if:
- The services are relevant to report users' understanding of the system as it relates to the applicable Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, or Privacy), and
- The vendor’s controls are necessary, in combination with the service organization’s controls, to achieve service commitments and system requirements.
How do you determine if vendor controls are “necessary” for SOC reporting? Vendor controls are considered necessary if the Service Organization’s controls alone are not sufficient to achieve its control objectives or service commitments. If the Service Organization performs effective oversight or review controls that meet objectives independently, the vendor may not be considered a Subservice Organization.
Are all outsourced vendors considered Subservice Organizations? No. Vendors such as document storage providers or electric utilities may be important to operations but are not Subservice Organizations if their services are not relevant to user entities’ internal controls or trust services criteria.
What are examples of Subservice Organizations in SOC 1 and SOC 2? Examples include:
- A report printing and mailing vendor responsible for financial reports included in user entities’ financial statements (SOC 1).
- A capacity monitoring vendor whose controls are necessary to meet availability commitments (SOC 2).
- A SaaS vendor that performs configuration monitoring when those controls are necessary to meet security commitments (SOC 2).