When preparing for a SOC report (SOC 1 or SOC 2) examination in which the inclusive method is chosen to represent the subservice providers, there are impacts to the report that the service provider and service auditor must be aware of. Multiple changes to the standard AICPA SOC format are required in order to incorporate the inclusive method. An inclusive report requires an additional management assertion from the subservice provider to be included within the report, it requires an additional letter of representation, and it requires each section of the SOC report to be modified.
Most notably, the opinion section and description section will be updated to include sufficient detail about the subservice provider’s services. The inclusive audit will require actual testing of the subservice provider’s relevant controls, and it will often require additional updates to the complementary user entity controls and complementary service organization controls.
Every section of the SOC report is impacted by the change to the inclusive SOC report method. Producing an inclusive SOC report is no easy feat: the specific inclusive additions require multiple stages of coordination between the service auditor, the service provider, and the subservice provider. Further, the service auditor performing the SOC assessment will need to be independent of both entities (service provider and subservice provider).
Service Provider vs. Vendor vs. Subcontractor vs. Subservice Provider
To determine the subservice providers that will be covered and included by the inclusive SOC report, it is necessary for the Company (service provider) receiving the SOC report to perform a vendor analysis and determine the vendors that actually perform controls or services that are necessary to meet the SOC 1 objectives or SOC 2 Trust Services Criteria.
What is a Subservice Organization?
A vendor/service provider/contractor/subcontractor is any entity or individual that provides goods or services to another entity. All subservice providers are vendors/contractors/service providers/subcontractors, but not all vendors/contractors/service providers/subcontractors are subservice providers. Over the course of the vendor analysis, the Company striving to achieve SOC report compliance will think critically about the services each vendor is performing and determine whether that service supports or carries out controls within their control environment and/or significant portions of their service delivery.
If it is determined that an entity (i.e. a vendor/contractor/service provider/subcontractor) carries out a specific function that affects the Company’s ability to attain SOC compliance, that entity is required to be included in the SOC report. The Company may be relying upon the entity either to significantly assist in delivering their service to their users or to meet a SOC objective or criteria requirement. In that case, the vendor/service provider/contractor/subcontractor should be considered a subservice provider in the inclusive SOC report.
Once the subservice provider(s) have been identified that are necessary either 1) to assist in delivering components of the service provider’s service to the users or 2) to assist with relevant controls to meet the service provider’s SOC 1 objectives or SOC 2 criteria, the Company striving to receive the SOC report should consider whether the subservice provider(s) have their own SOC reports. If the subservice provider(s) have their own SOC reports, then the Company may utilize the subservice providers’ SOC reports to minimize the risk associated with the subservice provider.
Ultimate Responsibility for Controls – Outsourcing Risk
A service provider cannot outsource risk and/or responsibility for their control environment. A service provider cannot punt responsibility of their controls to a subservice provider. The service provider can outsource components of their service to a subservice provider, but the risk and responsibility remains with the service provider.
For instance, if a company utilizes a data center to maintain its infrastructure, the data center subservice provider is maintaining the physical access and environmental controls that are necessary to meet the SOC 1 objectives and SOC 2 criteria. The data center controls are included in the service provider’s SOC report. The service provider that is attempting to become SOC compliant will require a method to get comfort that the data center subservice providers’ physical and environmental controls are designed appropriately and operating effectively.
What is a Vendor SOC Report? Are Subservice Organizations Included or Carved-Out? What is a SOC 1 Carve-Out? What is a SOC 2 Carve-Out?
The service provider will either need to be able to test the physical and environmental controls themselves (inclusive approach), or they may obtain the subservice provider’s SOC report (if it exists). SOC reports are sometimes referred to as Vendor SOC reports. A vendor SOC report is a SOC 1 or a SOC 2 – Type I, or Type II report (SOC stands for Service Organization Control). If the SOC report exists, the service provider can read about the design and operating effectiveness results performed by the independent third party, and assess the controls from that perspective (carve-out approach).
Both of these approaches require the service auditor to gain an understanding of the controls that the data center provider is performing. Neither approach allows the service provider to assume the data center subservice provider has the appropriate controls in place; action must be taken to know for certain. If it turns out that the data center subservice provider does NOT have controls in place that are designed appropriately and operating effectively, and as a result the service provider cannot deliver their services and/or experiences a break or breach in their controls, the service provider is ultimately responsible to their users, not the data center subservice provider!
Subservice Provider – Right to Audit Clause
If a subservice provider does not have a SOC report available, things can get interesting. During the vendor management process, preferably at the vendor onboarding stage, one recommended step is to determine whether the vendor has a SOC report. If they do not, then consideration should be given to whether a “right to audit” clause should be added to the contract.
For an inclusive method SOC report, it is critical that the service auditor has complete access necessary to carry out the required testing procedures for each objective and/or service criteria area deemed relevant. If there is no agreement upfront with the subservice provider, negotiating to get access for the audit may be time-consuming and difficult. Per the AICPA’s guidance for Information Management of a Service Organization, the inclusive method is more easily facilitated if the service organization and the subservice organization are related parties or if there is a contract upfront between the two service organizations that provides for an inclusive description of their combined services.
Inclusive Audit Methodology – Structure of the SOC Report
In an inclusive audit report, the SOC report sections remain the same, but the items included in each SOC report area are enhanced:
SOC Report Sections:
- Section I: Independent Service Auditor’s Report (Opinion)
  - Inclusive consideration: Include the description for the subservice organization and the design and operating effectiveness (SOC Type II only) opinion of the subservice organization’s controls.
- Section II: Management Assertion
  - Inclusive consideration: Include the management assertion from the subservice provider in addition to the service provider assertion (becomes 2 assertions). The assertion of the subservice organization also presents the description of the controls and services provided by the subservice organization.
- Section III: Service Description
  - Inclusive consideration: Include the service description of the subservice provider, clearly indicating the processes and controls that are performed by the subservice provider, along with each relevant subservice provider that the subservice provider may utilize (are we having fun yet!?), and include any relevant complementary user entity controls of the service provider for consideration.
- Section IV: Independent Service Auditor’s Testing and Test Results
  - Inclusive consideration: Include specific testing and samples for the subservice provider controls. If these are separate controls from the original SOC service provider, clearly articulate which controls apply to which service provider over which objective or trust service criteria area.
- Section V: Requirement Mapping (as applicable)
  - Inclusive consideration: Optional consideration for mapping the subservice provider controls to the objective or criteria areas.
- Section VI: Other Information Provided by Management (as applicable)
  - Inclusive consideration: Optional for the subservice organization to include management responses for any subservice control deficiencies identified, or other relevant information to communicate regarding the subservice organization relationship or service.
In an inclusive report, the auditor should adjust each area to include the subservice organization. The subservice provider will be required to provide a Letter of Representation as well as their Management Assertion (management assertion is included in the SOC report in section II).
An inclusive SOC report is, figuratively, two SOC reports in one. Therefore, significant upfront planning should be performed to ascertain that all the appropriate service components and controls have been included. In section III, special consideration should be given to including complementary control considerations of the subservice vendors.
What are Complementary Controls Considerations?
Within a vendor SOC report there are both Complementary User Entity Controls (CUECs) and Complementary Subservice Organization Controls (CSOCs).
- What are Complementary User Entity Controls (CUECs)?
  - CUECs are controls that exist at the user entity level (users of the SOC report). These are controls the end-user of the report must have in place, designed and operating effectively, in order to achieve the service commitments and system requirements based on the SOC objectives or trust service criteria.
- What are Complementary Subservice Organization Controls (CSOCs)?
  - CSOCs are the controls that are performed by the subservice organization. These controls need to be designed and operating effectively in order to achieve the service commitments and system requirements based on the SOC objectives or trust service criteria. With the inclusive method of SOC reporting, these CSOCs are fully included in the SOC report description and testing.
Take note: If the service provider had decided to use the “carve-out” method as opposed to the inclusive method, the CSOCs performed by the subservice organization would not be tested in the SOC report. Under the carve-out method, a description of the subservice organization’s service is included in the SOC report instead. The description must include how the subservice organization interacts with the service provider (what service they provide to them).
The description would also include the controls that the subservice provider must have in place in order for the service provider to achieve their required objectives and/or trust service criteria (the CSOCs). If the carve-out method is used, the service provider is required to obtain the subservice provider’s SOC report or other assurance evidence and determine that the CSOC controls identified do exist and are designed and operating effectively. These determination procedures should be documented as a review control in the service provider’s control environment as a component of their vendor Risk Mitigation processes.
Inclusive Method SOC 1 & 2 Reports – In Summary
In summary, an inclusive method SOC audit report is a stronger report. It is a stronger report because it includes all the relevant service provider and subservice providers controls and each control is tested and concluded upon in one document. An inclusive method report is appropriate when subservice organizations are utilized that do not have their own SOC report or other assurance methods regarding their controls.
The subservice organization will need to agree upfront to being subjected to the SOC audit procedures and be willing to provide the SOC auditor with a management representation letter as well as a written management assertion, and access to their systems and/or control support documentation. Although the inclusive method provides more information for users of the report, it may not always be appropriate or feasible. This approach generally requires extensive planning and communication between all parties involved (service auditor, service provider, and subservice provider). In addition, all parties involved should agree on the inclusive approach before it is implemented.
Rhonda is a Partner at Linford & Co. delivering risk services including service organization control (SOC) engagements, and Internal Audit services (IT and Business process audits). Rhonda has her CPA, CISSP, PMP, and CISA certifications and delivers leading-edge client service. Previously, Rhonda was a Managing Director at Deloitte, and brings a wealth of expertise in the areas of risk management and compliance.