February 7, 2023
For SOC 1 and SOC 2 Reports, the Service Organization’s narrative is required to identify any Subservice Organization(s) the Company utilizes to meet its Control Objectives (SOC 1) or fulfill its Service Commitments and System Requirements (SOC 2) for its user entities. At a minimum, for each Subservice Organization, the narrative should include a listing of Complementary Subservice Organization Controls (CSOCs) that the Service Organization expects the Subservice Organization to have in place to fulfill the Service Organization’s services (carve-out method, not discussed in detail here). At a maximum, the narrative should include all the procedures and controls of the Subservice Organizations (inclusive method, not discussed in detail here) and the auditor would be required to test all those controls. The determination of whether the vendors used by a Service Organization are Subservice Organizations requires some judgement. This article was created to provide some insights and guidance to help with this determination.
According to AICPA Accounting and Audit Guides, Subservice Organizations are defined as follows:
SOC 1 Audit Guide*
“Paragraph .08 of AT-C section 320 defines a subservice organization as ‘a service organization used by another service organization to perform some of the services provided to user entities that are likely to be relevant [emphasis added] to those user entities’ internal control over financial reporting."
SOC 2 Audit Guide*
“In this guide, a vendor is considered a subservice organization only if the following apply:
From these definitions provided, we see that there are 2 main factors in determining whether a Subservice Organization exists:
The following are some examples to illustrate factors in determining Subservice Organizations. Many of these examples are obtained from the AICPA Audit Guides*.
What service does the organization provide to the Service Organization? |
Type of Report |
Is the service provided by the organization relevant to user entities’ control objective or service commitments and system requirements? |
Are the controls provided by vendor NECESSARY to provide reasonable assurance that the control objectives, service commitments and system requirements are achieved? |
Is the organization a Subservice Organization? |
Report printing and mailing
This organization prints the Service Organization’s electronic files containing financial reports for user entities and mails the reports to the user entities. The information in the reports is incorporated into the user entities’ financial statements. The organization is responsible for controls over the completeness and accuracy of the reports. |
SOC 1 |
Yes. The service provided by this organization is relevant to user entities’ internal control over financial reporting because the information in the reports is incorporated into the user entities’ financial statements. |
Yes. Vendor is responsible for the printing of the electronic files that goes to the user entities and Service Organization does not perform additional controls to review such reports. |
Yes. |
Document storage and record retention
This organization picks up boxes of documents from the Service Organization and stores them at its facility. |
SOC 1 |
No. Although this service is important to the Service Organization’s business and enables the Service Organization to meet certain regulatory requirements, document storage and record retention services do not relate to user entities’ internal control over financial reporting.
|
N/A |
No |
Electric power
This organization provides electric service to the Service Organization. |
SOC 1 |
No. Although important for the Service Organization’s continuing operations, the electric service does not relate to user entities’ internal control over financial reporting
|
N/A |
No |
Software development
The Service Organization outsources the development of its application changes to a software development organization. This organization receives the authorized changes from the Service Organization, develops the changes, and sends them back to the Service Organization. The Service Organization authorizes all changes to be developed, reviews the accuracy of the changes, performs all user acceptance testing, and approves all changes prior to implementing them in production.
|
SOC 1 |
Yes. Controls over software development are relevant to Information Technology General Control (ITGC)s for financial reporting as the software is providing transaction processing.
|
No. In this scenario the organization would not be considered a Subservice Organization because the Service Organization’s controls alone are sufficient to meet the needs of a user entity’s internal control over financial reporting. |
No |
Backup Power Maintenance
ABC Vendor is responsible for performing quarterly maintenance on the Service Organization’s backup power system; |
SOC 2 (Security, Confidentiality, and Availability) |
Yes. ABC vendor is performing monitoring controls over the Service Organization’s availability commitments. |
No. Service Organization personnel participate in post-maintenance testing used to verify the backup power system is working as intended, which serves as a primary control. In this instance, ABC Vendor’s controls are not necessary for the Service Organization to achieve its service commitments and system requirements based on the applicable trust services criteria for availability; therefore, ABC Vendor would not be considered a Subservice Organization.
|
No |
Capacity Monitoring
XYZ Vendor is responsible for monitoring service capacity and usage and for projecting future capacity demands based on historical trends. |
SOC 2 (Security, Confidentiality, and Availability) |
Yes. Capacity monitoring is a relevant function over the Service Organization’s availability commitments. |
Yes. Without additional controls at the Service Organization, controls at the vendor are necessary for the Service Organization to achieve its service commitments and system requirements related to availability based on the applicable trust services criteria. Therefore, XYZ Vendor would be considered a Subservice Organization. |
Yes. However, if the Service Organization were to independently perform high-level capacity monitoring activities and review the future capacity demands projected by XYZ Vendor for appropriateness, XYZ Vendor might not be considered a Subservice Organization because the vendor’s controls may not be necessary for the Service Organization to achieve its service commitments and system requirements based on the applicable trust services criteria. The service auditor would need to use judgment to determine whether the review controls were precise enough that the vendor controls would not be necessary.
|
Monitoring of configuration settings
A Service Organization purchases from JKL Vendor a tool to monitor and report on the status of configuration settings that affect the operation of control activities. JKL Vendor also provides services around the use of that tool through a software-as-a-service (SaaS) model. |
SOC 2 (Security, Confidentiality, and Availability) |
Yes. Security configuration monitoring is a relevant function over the Service Organization’s security commitments. |
Yes. In this situation, management has effectively outsourced monitoring of the configuration settings to JKL Vendor. Because management considers this function and related controls necessary to the achievement of the Service Organization’s service commitments and system requirements, JKL Vendor would be considered a Subservice Organization.
|
Yes. However, if JKL Vendor does not provide additional services (only provided the software and no additional services) then there is an argument the Company |
As noted above, controls at an entity that provides services to a Service Organization may appear to be relevant to a user entity’s internal control over financial reporting. However, if the Service Organization’s controls alone are sufficient to meet the needs of the user entity’s internal control over financial reporting (that is, achievement of the Service Organization’s control objectives is not dependent on the subservice entity’s controls) or its Service Commitments and System Requirements, management may conclude that the entity is not a Subservice Organization. In these circumstances, management of the Service Organization would not need to, but may, indicate in its description of the Service Organization’s system and in management’s assertion that it uses the services of another entity.
Determining whether a vendor is a Subservice Organization for SOC reporting requires judgement. Service Organizations and service auditors should discuss these factors to make sure they agree on the in-scope Subservice Organizations before beginning their SOC exam. For additional guidance and questions, please contact a Larson professional for help.
*SOC Audit Guides refer to the following:
Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting (SOC 1®)(Updated as of September 1, 2022) Published by AICPA
(SOC 2) Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (Updated As of October 15, 2022) Published by AICPA