When building Software-as-a-Service (SaaS) applications over the last few years, more and more companies are electing to leverage an infrastructure-as-a-service provider like Google Cloud Platform (GCP). One of the main reasons companies do so is to leverage the GCP SOC 2 compliant infrastructure. These SaaS companies, also labeled as service organizations by the American Institute of CPAs, leverage GCP, because it is such a compliant infrastructure right out of the box. GCP for example is compliant with a number of frameworks and standards.
Google Cloud’s SOC 2 report provides assurance to investors and clients that Google Cloud infrastructure had controls in place to meet the SOC 2 criteria and those controls operated effectively over time. Leveraging the GCP SOC, many of our clients receive annual Type II SOC 2 reports where Google was responsible for providing SOC 2 compliant infrastructure and our clients were responsible for configuring client environments in GCP to meet the SOC 2 criteria.
Occasionally, we get asked by our clients, “GCP already has a SOC 2 and we leverage its infrastructure, can’t we just share GCP’s SOC 2 when we get asked our SOC 2?”
When leveraging GCP as an IaaS, GCP is responsible for some of the controls to meet the SOC 2 criteria, but your SaaS company is likely responsible for other controls to meet the SOC 2 criteria. Your client’s auditors may ask for assurance that the controls that are your company’s responsibility are designed and operating effectively.
You can try sharing the GCP SOC 2 in lieu of your own, but be prepared for further questions from your clients and stakeholders. If sharing the Google Cloud SOC 2 report satisfies security-related questions from prospects and stakeholders, then great. If not, then your company may need its own SOC 2 report.
What is a Carve-Out Report and How Does it Work?
If you leverage GCP’s infrastructure and receive your own SOC 2, the controls that are the responsibility of GCP will be “carved-out” of your report. That means that your report will reference the controls that are GCP’s responsibility, but they will not be tested within your report unless you receive an inclusive report. A company’s SOC 2 report includes only controls and testing of controls that are the company’s responsibility to meet the applicable SOC 2 Trust Services Criteria.
Using the carve-out method, a service organization will describe the services it provides as well as those provided by each sub-service organization. Then, the SOC report for the service organization will include testing of only the controls that are the service organization’s responsibilities. The report should also include any vendor risk management or monitoring controls in place to ensure the subservice organization is fulfilling its obligations.
Does My Company Need a SOC 2 Report?
Most companies choose to receive a SOC 2 when clients and prospects demand it. Based on our firm’s experience, not many companies have obtained SOC 2 audits before clients insisted unless the company was in a highly regulated industry, such as the financial industry.
Do We Save on SOC 2 Compliance by Utilizing GCP?
GCP is compliant with many security frameworks and standards. By using GCP or another IaaS provider, companies leverage a subservice organization’s (GCP’s) controls to build a SOC 2 compliant application. By leveraging GCP, the number of SOC 2 controls that are a service organization’s responsibility will be fewer than if the service organization was responsible for all the applicable SOC 2 controls themself.
Which SOC 2 Controls is Google Cloud Responsible for?
Google Cloud provides a highly available, secure, and compliant environment to its customers. GCP provides physical and environmental controls to any company leveraging its infrastructure. In addition to those controls, GCP also offers the following:
- Data encryption at rest and in transit
- Application layer transit security
- Secure low-level infrastructure
- Secure service deployment
- Secure data storage
By leveraging GCP, many SOC 2 controls will be the responsibility of GCP. Our firm passes along savings to our clients when they use a subservice organization to address some of the SOC 2 criteria. The time saved associated with testing fewer controls is reflected by our fees.
What is a Service Organization vs. a Subservice Organization?
What is a Service Organization?
The AICPA defines a service organization as “The entity (or segment of an entity) that provides services to a user organization that are part of the user organization’s information system.”
What is a Subservice Organization?
The AICPA defines a subservice organization as “a service organization used by another service organization to perform some of the services provided to user entities that are likely to be relevant to those user entities’ internal control over financial reporting.” Subservice organizations in a SOC 2 report are responsible for meeting some of the SOC 2 criteria.
Example: Many SaaS applications are built on top of IaaS environments like AWS and GCP. An example is a company providing business intelligence and data analytics solutions to it’s clients. If the company uses GCP to host the application, GCP will provide physical security, environmental controls, and systems monitoring services for the service organization. In this case, the data analytics company is the service organization and GCP is the subservice organization.
Risk Management and Subservice Organization Monitoring
The British Petroleum (BP) Deepwater Horizon oil spill in 2010 highlighted a failure of a third-party, Transocean, to install appropriate safety equipment on a drilling rig. Initially, BP blamed Transocean fully for the disaster, but it turned out that BP did not have the correct controls in place to monitor Transocean. BP’s vendor risk management should have ensured Transocean was following appropriate safety measures such as installing appropriate safety equipment and testing each component of the safety equipment.
Disasters such as the BP oil spill have brought more attention to the need to monitor third-parties (subservice organizations in the AICPA context) to ensure they have appropriate controls in place. In an age of great outsourcing to subservice organizations, it’s no longer enough to blame the subservice organization if there were no vendor risk management procedures being followed by the company doing the outsourcing. Had BP performed adequate risk management procedures on Transocean and the Deepwater Horizon rig, it’s possible a disaster could have been averted.
The AICPA’s SSAE 18 guidance includes monitoring of subservice organizations. See our previous article related to SSAE 18 including monitoring of subservice organizations.
Service organizations must have monitoring controls in place for any third-party (subservice organization) being used. The monitoring controls should include reviewing compliance reports such as SOC 1 and SOC 2 reports from subservice organizations and ensuring there are no significant control gaps that could affect the service organization’s service offering.
If a compliance report (e.g., SOC 1, SOC 2, ISO) is not available from a subservice organization, reviews may include Google searches, security questionnaires, and limited controls testing performed by the service organization or its auditor.
Summary
Many SaaS companies are finding value in leveraging IaaS services like Google Cloud to provide compliant infrastructure to build applications on. When a SaaS company has outsourced the performance of certain controls to a subservice provider like GCP, GCP becomes a subservice provider to the SaaS company. The controls outsourced to GCP will address some of the SOC 2 criteria. Service organizations (SaaS company) should monitor any subservice organizations used to ensure that they are performing the controls related to SOC 2 requirements without exception. Companies must review GCP’s SOC 2 report and the relevant areas to the service provided.
Controls to meet the SOC 2 requirements that are your company’s responsibility should be included within your SOC 2 report. Please contact us at Linford & Company if you would like to discuss your adoption of a subservice organization and the impact that might have on the scope and fees associated with your SOC 2 report.
Rob started with Linford & Co., LLP in 2011 and leads the HITRUST practice as well as performs SOC examinations and HIPAA assessments. He has spoken at Data Center World on compliance-related topics and has completed over 200 SOC examinations. He started his career as an IT auditor in 2003 with PwC in the Systems and Process Assurance group, and has worked in a variety of industries in internal audit as well as for the City and County of Denver.