Subservice Organizations and the Carve-out or Inclusive Method

What Role Do Subservice Organizations Play in the SAS 70 Audit?

By definition, subservice organizations perform at least some portion of the outsourced functions that the service organization provides to its user organizations. If the subservice organization performs functions that are relevant to the user organizations, then the report needs to disclose and describe the role that the subservice organization plays. The intersection with the SAS 70 occurs when the subservice organization's functions are required to meet a particular control objective. When that is the case, the subservice organization plays an important role in the SAS 70 audit.

Which Method Should the Service Auditor Use, the Carve-out or Inclusive Method?

This is a good question. In practice, when subservice organizations are used, the service auditor uses the carve-out method most of the time. It is easier for the service auditor to avoid coordinating with another service organization to perform what is essentially a secondary, reduced-scope audit. When this approach is used, the report disclaims the role of the subservice organization. Is this a cop-out for the SAS 70 audit? Yes, most of the time, though it is usually because the service organization does not want to incur the expense of the secondary audit. The inclusive method takes a great deal of coordination between all the parties involved in the SAS 70 audit. There has to be a solid working relationship between the service organization's management and the subservice organization's management. The inclusive method is the best way to have a complete SAS 70 audit, though it is not always practical.

2 thoughts on “Subservice Organizations and the Carve-out or Inclusive Method”

  1. The #1 question is – does the services provider evaluate the adequacy of controls at sub-services providers? If that is not happening in any way, shape, or form, there are big monitoring concerns to address in the provider’s SAS 70. The client should not turn their SAS 70 auditor into their monitoring control; the auditor should not be the first to find out that there is a problem at a sub-services provider. Sub-services providers need to be monitored by the provider purchasing services when they sub-source services. It is the sub-services provider’s job to provide evidence of adequate controls – just like the services provider does for their customers by obtaining a SAS 70 for them.

  2. 1 – Correct. The service organization is not relieved of its responsibilities for monitoring the sub-service organizations, especially sub-service organizations that perform moderate to extensive functions for the service organization. Monitoring in this scenario usually takes the form of monitoring service-level agreements or other relevant metrics and following up on deviations.
