What Role Do Subservice Organizations Play in the SAS 70 Audit?
By definition, subservice organizations perform at least some function of the service organizations’ outsourcing activities. If the subservice organizations perform functions that are relevant to the user organizations, then the report needs to disclose and describe the role that the subservice organization plays. The intersection with the SAS 70 comes when the subservice organizations’ functions are required to meet a particular control objective. If this is the case, then the subservice organization is going to play an important role in the SAS 70 audit.
Which Method Should the Service Auditor Use, the Carve-out or Inclusive Method?
This is a good question. In practice, when subservice organizations are used, most of the time the service auditor uses the carve-out method. It’s easier for the service auditor to avoid having to coordinate with another service organization to perform what is essentially a secondary, reduced-scope audit. When this approach is used, the report disclaims the role of the subservice organization. Is this a cop-out for the SAS 70 audit? Yes (most of the time), though it is usually because the service organization does not want to incur the expense of the secondary audit. The inclusive method takes a great deal of coordination between all the parties involved in the SAS 70 audit. There has to be a solid working relationship between the service organization’s management and the subservice organization’s management. The inclusive method is the best way to have a complete SAS 70 audit, though it is not always practical.