When preparing for a SOC 1 or SOC 2 examination, service organizations, particularly those who elect to report their subservice organizations using the carve-out method, often conclude that anything related to their subservice organizations is out of scope for their own SOC report. However, that is not the case. This blog will discuss the requirements service organizations have in relation to monitoring the effectiveness of controls at their subservice organizations and provide examples of controls or procedures used to monitor subservice organizations.
What Are the Requirements for Monitoring the Controls at Subservice Organizations?
Per the AICPA (SOC 2 Guide, AAG-SOP 3.50), “regardless of whether the carve-out or inclusive method is selected, the description of the service organization’s system and the scope of the service auditor’s examination include the controls designed, implemented, and operated at the service organization to monitor the effectiveness of controls at the subservice organization. Controls over subservice organizations are usually a necessary part of a system of internal control[.]”
As such, even if using the carve-out method, service organizations have a responsibility to monitor the controls at subservice organizations relevant to the services used, and to describe those controls that have been implemented to monitor the subservice organization within the system description of their SOC report. Service auditors — those performing the SOC examination — have a responsibility to evaluate and test those controls. For a SOC 2 report, these control procedures are typically included to address the trust service criterion CC9.2 “The entity assesses and manages risks associated with the vendor of business partners.”
How Do You Monitor Controls at Subservice Organizations?
There are a variety of methods that can be employed to monitor the controls at subservice organizations. The AICPA provides the following examples:
- Reviewing and reconciling output reports.
- Holding periodic discussions with subservice organization personnel.
- Making regular site visits to the subservice organization.
- Performing tests of controls at the subservice organization.
- Monitoring external communication (such as customer complaints) relevant to the service provided.
- Reviewing type 1 or type 2 reports on the subservice organization’s systems.
The methods a service organization chooses will depend on the resources, availability, and access that both the service organization and subservice organization have and are willing to provide. Let’s explore each of these examples in more detail to see how they could be utilized.
Examples of Activities to Monitor Controls at Your Subservice Organizations
Reviewing and Reconciling Output Reports
This involves comparing records from the third party to your own records or another source to determine if there are any discrepancies. Through the reconciliation process, the service organization can identify potential issues with the processing of data or ascertain that all items were processed as expected. While this method may be more commonly used with financial transactions (e.g., bank reconciliation, payment or payroll processing, etc.), it can be done in other situations. For example, if access provisioning is outsourced to a subservice organization, the service organization can obtain and review user access reports to determine if users have been added/removed appropriately.
Periodic Discussion with Subservice Organization Personnel
This is an effective way to establish an understanding of the subservice organization and key processes and controls that subservice organizations have in place. Often, particularly as it relates to data security and privacy, a questionnaire is sent to subservice organizations to gather information on their process and controls. However, there are some limitations to this method. First, inquiry alone is generally not sufficient to determine the effectiveness of controls. Second, service organizations may not get a timely response (or a response at all), particularly from large subservice organizations that may be responding to many similar requests.
Making Regular Site Visits to the Subservice Organization
Visiting and touring sites that are relevant to the services being used can be effective, especially in relation to physical or environmental type controls. For example, if a service organization is using a colocation data center or cloud computing, site visits to the data center would allow them to observe the physical and environmental safeguards that have been implemented by the subservice organization. A site visit would also be a great opportunity to engage subservice organization personnel in discussions about their control activities. However, a primary concern with this method is whether the service organization has access or availability to the various locations that are of interest to the organization. Further, personnel and other resources may not be available on either side to accommodate these visits, particularly with large subservice organizations with many user entities.
Performing Tests of Controls at the Subservice Organization
This may be the most effective method to monitor the performance of controls at a subservice organization. Essentially, the service organization would conduct an audit of the relevant controls at the subservice organization. While this is a highly effective method, it may not be realistic for most organizations as it requires personnel with the appropriate training and experience to perform an audit of controls. Even for those organizations with an internal audit department, there would need to be resources allocated to the audit of the subservice organization and an agreement with the subservice organization to perform the audit. It is likely not practical to do this on an ongoing basis, unless it is a small subset of controls that are being evaluated and a small subservice organization with relatively few user entities.
Monitoring External Communications
Monitoring external communications such as customer complaints, regulatory reports, news feeds for specific industries, or other communication can be an effective way of providing management with information related to the adequacy of controls at subservice organizations. However, the source of such communication should be evaluated before applying judgments for or against a subservice organization’s control environment, and the lack of news or negative reviews is not necessarily an indication that controls are effective.
Reviewing a Type 1 or Type 2 Report on the Subservice Organization
The preferred method of most service organizations is to obtain and review SOC audit reports from their subservice organizations. There are some advantages with reviewing a SOC report:
- The SOC report communicates information specifically about the subservice organization’s system and design (Type 1 and Type 2) and operating effectiveness of controls (Type 2).
- It is more efficient than performing your own audit, especially when using multiple subservice organizations.
- It is as effective as performing your own tests of controls but does not utilize any of your own resources as it is performed by independent auditors hired by the subservice organization.
However, the review of a SOC report should consist of more than just a casual reading of the report. A review of a SOC report should consider the following items:
- The Scope of the Report – Is the report related to the services used by the service organization? Some organizations issue different reports over different systems and services. It is important to make sure that the report covers the relevant services and systems. Also, does the report include a description of controls that the service organization expects the subservice organization to cover?
- As part of a service organization’s SOC report, Complementary Subservice Organization Controls (CSOCs) will be added to the description which describes those controls/processes that the subservice organization is responsible for on behalf of the service organization. The CSOCs should be addressed by controls in the subservice organization’s SOC report. For example, if the subservice organization is responsible for providing physical security controls to protect assets from unauthorized access, service organizations should review the SOC report to make sure that controls related to physical security are included.
- The Service Auditor’s Opinion – Did the auditor conclude that controls were either not designed or operating effectively to achieve a stated objective or a trust services criteria? If so, the service organization will need to evaluate the impact that it has on its system and controls and determine if there are any mitigating factors or controls.
- Complementary User Entity Controls (CUECs) – These are those controls that the subservice organizations have identified as needing to be present at the user entity (in the context of this article, the service organization is the user entity) in order to satisfy the applicable objective or trust services criteria.
- For example, a common CUEC is that user entities are responsible for provisioning and deprovisioning users’ access to the user entities’ instance of the application. If the user entity does not have this control in place, then there is a question as to whether that objective or criteria is achieved. It is the responsibility of the service organization to evaluate its own system of internal controls to determine if these controls are in place.
- Deficiencies – Even if the auditor issued an unqualified report (i.e. a clean opinion), are there deficiencies that could have an impact on the service organization? Are there deficiencies that are not adequately explained by the subservice organization management’s responses? If so, the service organization should identify controls or other procedures that mitigate the risk associated with the identified deficiencies.
How Do I Evidence the Controls Performed to Monitor Subservice Organizations?
Documentation will need to be created that demonstrates the activities performed to monitor the effectiveness of controls at the subservice organization. The documentation should include information about what was done, conclusions from management, and artifacts obtained from the review. For example, for a review of a SOC report, a document should be created to accompany the SOC report which includes the following:
- Attributes of the report such as the examination period and scope.
- The opinion of the report.
- Deficiencies and the user entity’s conclusion on those deficiencies.
- Confirmation that CSOCs are covered in the report.
- A detailed analysis of CUECs and linkage of relevant CUECs to user entity controls.
By completing such a document, the user entity will demonstrate that they performed the control related to reviewing the SOC report.
When issuing a SOC report, service organizations will need to demonstrate the design and operating effectiveness of controls to monitor their subservice organizations. There are a variety of methods that can be used by service organizations, but the most commonly used, and most efficient method, is the review of SOC reports issued by subservice organizations. For each activity performed, it is important that documentation be created and/or saved to evidence the performance of the controls related to the monitoring of subservice organizations.
Linford & Company is an independent CPA firm that specializes in SOC 1 and SOC 2 assessments, as well as a number of other audit services. If you have questions about monitoring your subservice organizations or how to evidence your controls related to monitoring the effectiveness of controls at the subservice organization, please contact us.
Kevin has over ten years of experience in internal controls, audit, and advisory work. Kevin started his career in public accounting at Deloitte focusing on internal controls, SOC audits, and IT assurance work. After Deloitte, Kevin filled a leadership role in the SOX Compliance group at a financial services company. Kevin is a CPA and holds a Bachelor of Science degree in Accounting from Brigham Young University and a Master of Business Administration degree from Ohio University.