A service organization may have a number of vendors and subservice organizations engaged to assist them in meeting their objectives or achieving the service commitments to their user entities along with the system requirements necessary to do so. This article will explain the difference between a vendor and a subservice organization and provide some tips on how the service organization should consider assessing and managing the risks associated with them. Additionally, this article will touch upon the system and organization controls (SOC) reporting methods for disclosures related to a subservice organization as well as complementary subservice organization controls (CSOCs).
Considerations for a Vendor Risk Assessment
Service organizations should perform a vendor risk assessment at least annually to assess and manage risks associated with their vendors. The initial step in performing a vendor risk assessment is to obtain a list of vendors utilized and categorize them according to the products or services provided. An evaluation of the products or services provided should be assessed to determine the likelihood and impact to the organization if the quality of the products or delivery of services were not acceptable.
Doing this should help to determine which vendors are non-critical and critical to the service organization for meeting their SOC 1 objectives or achieving their SOC 2 trust services criteria covering their service commitments and system requirements. Vendors who are deemed critical to the organization should undergo a due diligence process before they are onboarded to ensure the quality of their products or service delivery adequately meets the service organization’s needs. Thereafter, the vendor should be evaluated at least annually to ensure that the quality of the products or services delivered continues to be satisfactory.
The manner in which a service organization performs a review of its critical vendors to address the risks posed in the vendor relationship varies based upon the nature or risk of the products or services provided. For example, the service organization may directly monitor the activities of the vendor, review monthly service level agreement reports, or review controls reports that are made available. In any case, the service organization should be sure to establish specific requirements for the product specifications or scope of services provided; roles and responsibilities; compliance requirements; and service levels.
What is a Vendor?
A vendor provides goods and/or services to another organization. For a vendor not to be further distinguished as a subservice organization, the controls at the vendor would not be relied upon by the service organization to meet its SOC 1 objectives or achieve its SOC 2 trust services criteria covering the service commitments and system requirements with their user entities.
Many times, a vendor may provide individuals to help carry out duties for the service organization where they may be understaffed or not have the resources or skills necessary to meet demand. In this manner, the service organization manages the activities performed by the individual internally. The service organization may require the individual to sign a non-disclosure agreement and to complete security awareness training prior to granting access to the service organization’s system.
In this manner, for this type of activity, the service organization is not relying on the controls at the vendor to meet its SOC 1 objectives or achieve its SOC 2 trust services criteria covering their service commitments and system requirements with their user entities. The service organization is relying upon its own internal system of controls and none of the vendor’s controls. Therefore, this type of vendor would not be considered a subservice organization.
What are Subservice Organizations?
In many cases, it is not feasible for the service organization to perform all the controls necessary to meet their SOC 1 objectives or achieve their SOC 2 trust services criteria covering their service commitments and system requirements with their user entities. When this occurs, certain functions of the overall system of internal control are outsourced to a third party. Here, the service organization is relying upon the controls at the subservice organization because the functions executed by the subservice organization impact the service organization's service delivery to their user entities. Subservice organizations are critical to the success of the service organization.
A typical scenario for the use of a subservice organization is for cloud-based hosting services. Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) are typical service providers for this type of service. With this outsourced service, the service organization is relying upon the controls at the subservice organization to perform certain functions that support their services provided to their user entities. For this, the service organization should be reviewing the control reports when they are made available, such as their SOC report. The SOC report should be reviewed for the control design and operating effectiveness of the controls in place at the subservice organization to ensure that they can rely upon them for their overall system of controls in providing their services to their user entities.
When reviewing the SOC report from the subservice organization, the three main areas of the report to focus on are the opinion; what, if any, deficiencies were identified; and what are the complementary user entity controls (CUECs) that need to be in place at the service organization in order for the overall system of controls to be functioning effectively.
If the opinion is unqualified, then it is a clean opinion with no material deficiencies. If the opinion is qualified, then the reasons for the qualification will need to be investigated and evaluated by the service organization to determine the potential impact on their service delivery to their user entities.
If there are any deficiencies identified in the SOC report, the service organization will need to evaluate the significance of the deficiency to their service delivery and whether they have any mitigating controls to reduce the risk of the deficiency to their service delivery to their user entities.
If the subservice organization has identified any CUECs in their SOC report, then the service organization will need to ensure that those controls are in place internally in order for the overall system of controls to operate as intended. A typical CUEC requires that the user entity grants access to only those individuals who require such access to perform their job responsibilities.
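The vendor risk assessment steps above (inventory, likelihood and impact, critical versus non-critical, subservice organization when controls are relied upon) and the three SOC report review points (opinion, deficiencies, CUECs) can be captured in a small risk register. The following is an added example written for this article, not code from the author or from Linford & Co.; the 1-3 scoring rubric, the criticality threshold of 4, the vendor names and the report findings are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed rubric: likelihood and impact are each rated low/medium/high (1-3)
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Vendor:
    name: str
    service: str
    likelihood: str            # likelihood that product quality or service delivery falls short
    impact: str                # impact on the service organization if it does
    controls_relied_upon: bool  # True when the service organization relies on the vendor's controls

    def risk_score(self) -> int:
        return LEVELS[self.likelihood] * LEVELS[self.impact]

    def classification(self, threshold: int = 4) -> str:
        # A vendor whose controls are relied upon is a subservice organization regardless of score
        if self.controls_relied_upon:
            return "subservice organization"
        return "critical vendor" if self.risk_score() >= threshold else "non-critical vendor"

    def required_activities(self) -> List[str]:
        """Oversight activities implied by the classification."""
        kind = self.classification()
        if kind == "non-critical vendor":
            return []
        activities = ["onboarding due diligence", "annual re-evaluation"]
        if kind == "subservice organization":
            activities.append("SOC report review (opinion, deficiencies, CUECs)")
        return activities


@dataclass
class SocReportReview:
    vendor: str
    opinion: str                      # "unqualified" (clean) or "qualified"
    deficiencies: List[str]
    cuecs: List[str]                  # CUECs the subservice organization expects of its users
    implemented_cuecs: List[str]      # CUECs the service organization can evidence internally
    mitigating_controls: Dict[str, str] = field(default_factory=dict)  # deficiency -> mitigation


def review_soc_report(r: SocReportReview) -> List[str]:
    """Return outstanding follow-up items from a subservice organization's SOC report."""
    actions = []
    if r.opinion != "unqualified":
        actions.append(f"{r.vendor}: qualified opinion, investigate basis and impact on service delivery")
    for d in r.deficiencies:
        if d not in r.mitigating_controls:
            actions.append(f"{r.vendor}: deficiency '{d}' has no mitigating control, evaluate significance")
    for c in r.cuecs:
        if c not in r.implemented_cuecs:
            actions.append(f"{r.vendor}: CUEC '{c}' not evidenced internally")
    return actions


def build_register(vendors: List[Vendor]) -> Dict[str, str]:
    """Vendor name -> classification, the output of the categorisation step."""
    return {v.name: v.classification() for v in vendors}


# Constructed sample inventory
VENDORS = [
    Vendor("ExampleCloud Hosting", "production hosting", "low", "high", True),
    Vendor("Contract Staffing Co", "supplemental IT staff", "medium", "medium", False),
    Vendor("Office Supply Depot", "office supplies", "low", "low", False),
]

# Constructed sample review of the hosting provider's SOC report
HOSTING_REVIEW = SocReportReview(
    vendor="ExampleCloud Hosting",
    opinion="unqualified",
    deficiencies=["quarterly backup restoration test not performed"],
    cuecs=["user entity restricts system access to personnel who require it"],
    implemented_cuecs=["user entity restricts system access to personnel who require it"],
)

if __name__ == "__main__":
    for name, kind in build_register(VENDORS).items():
        print(f"{name}: {kind}")
    for item in review_soc_report(HOSTING_REVIEW):
        print("FOLLOW-UP:", item)
```

Staff augmentation is classified as a critical vendor rather than a subservice organization because, as the article explains, the service organization manages those individuals under its own controls; the hosting provider is a subservice organization because its controls are relied upon, so its SOC report review is added to the oversight activities.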
What are Reporting Methods for Subservice Organizations?
It may not be feasible for the control objectives to be covered solely by the service organization. As a result, the controls of the service organization for the services provided may cover only a portion of the overall controls of each user entity. Each subservice organization’s complementary subservice organization controls (CSOCs) as well as each user entity’s complementary user entity controls (CUECs) must be evaluated in conjunction with the operating effectiveness of the service organization’s controls.
The service organization takes into account the related CSOCs expected to be implemented at the subservice organization and reports upon them using either the Inclusive or the Carve-Out reporting method. In addition, the service organization identifies the CUECs expected to be implemented by the user entity. Together, the service organization's controls, the CSOCs, and the CUECs cover the overall system of controls for the services provided.
Inclusive Reporting Method
When the inclusive reporting method is used for subservice organizations, the service organization discloses the specific controls at the subservice organization in combination with their own controls that provide reasonable assurance for meeting the SOC 1 objectives or the SOC 2 trust services criteria covering the service commitments and system requirements for their delivery of services. An inclusive reporting method is most useful when the subservice organization does not already have a controls report (e.g., SOC report) of their own readily available or when the services relied upon by the service organization are extensive. For this method of reporting, the service auditor will include the controls at the subservice organization as being in scope for the examination.
Carve-Out Reporting Method
When the carve-out reporting method is used for subservice organizations, the service organization does not disclose the specific controls at the subservice organization. Instead, it discloses the types of controls assumed to be implemented by the subservice organization that are necessary, in combination with the controls at the service organization, to provide reasonable assurance for meeting the SOC 1 objectives or the SOC 2 trust services criteria covering the service commitments and system requirements for their delivery of services. A carve-out reporting method is useful when the subservice organization has its own controls report (e.g., SOC report). The controls at the subservice organization are not in scope for the service auditor's examination when the carve-out reporting method is used.
What are Complementary Subservice Organization Controls?
When the service organization chooses the carve-out method of reporting for their subservice organization, the types of complementary subservice organization controls (CSOCs) assumed to be implemented by the subservice organization are disclosed within the service organization's own SOC report. A couple of typical CSOCs for a subservice organization providing cloud-based hosting services, for example, are the responsibility to provide physical security as well as environmental protection over the production servers.
A service organization may engage various types of vendors to assist them in meeting their SOC 1 objectives or SOC 2 trust services criteria covering their service commitments and system requirements. When business functions are outsourced and controls are relied upon as with a subservice organization, the vendor relationship is critical to the success of the service organization in meeting their SOC 1 objectives or SOC 2 trust services criteria covering their service commitments and system requirements.
Subservice organizations are integral to the service organization’s overall system of controls for their service delivery to their user entities and their performance should be assessed at least annually. As such, the nature of the services provided by the subservice organization must be disclosed in the service organization’s own SOC report through either the Inclusive reporting method or Carve-out reporting method along with the CSOCs that are relied upon.
Becky McCarty has over 20 years of experience in internal controls, audit, and advisory services. She specializes in SOC 1 and SOC 2 examinations for Linford & Co., LLP. Becky completed a Bachelor’s degree in Business Administration (Accounting) and a Master of Science degree in Management Information Systems. She worked 6 years with KPMG LLP commencing in 1999, worked several years in the energy industry, and joined Linford & Co., LLP in 2018. Becky also served 9 years on the Board of Directors for a home healthcare nonprofit. She works closely with clients so that the examinations are performed efficiently and with minimal disruption while ensuring performance in accordance with professional guidance. She enjoys helping clients successfully achieve the requirements for their SOC compliance efforts based on their objectives and/or applicable trust services criteria.