A subservice organization is an entity that a service organization uses to perform some of the services it provides to its user entities (its customers or clients). Service organizations rely on subservice organizations to perform specific processes and controls that may affect the service organization's user entities. Two common examples are: 1) a data center that hosts the service organization's software or systems; and 2) a provider that manages data backup and recovery for the service organization's system. In both cases the subservice organization performs services, processes, and controls on behalf of the service organization and, indirectly, the service organization's user entities. The service organization depends on the controls operating at the subservice organization to meet the control objectives (SOC 1) or the Trust Services Criteria, formerly called the Trust Services Principles (SOC 2), covered by its SOC report.
Reporting on a Subservice Organization
When a service organization uses a subservice organization as part of its processes and controls, there are two methods for reporting on the subservice organization's controls. Under the inclusive method, the service organization incorporates the specific controls performed at the subservice organization into its own SOC report. Under the carve-out method, the subservice organization's controls are excluded from the service organization's SOC report. Each method requires the service organization to perform specific procedures over the controls performed by the subservice organization so that user entities' objectives continue to be met; the difference is in how, and by whom, those controls are described and tested.
When a service organization elects to use the inclusive method to present the subservice organization's controls in its SOC report, it must take several steps to ensure those controls are presented appropriately. First, the service organization must clearly identify the processes and controls performed by the subservice organization both in the description of the system and in the tests of controls sections of the SOC report. This takes additional effort, because every process and control performed by the subservice organization must be clearly delineated in each area of the report. In addition to identifying those processes and controls, the service organization must obtain a written assertion from the subservice organization's management to include in the SOC report. That assertion covers the fair presentation of the subservice organization's description of its controls and the suitability of their design, and, for a Type II report, their operating effectiveness as well. Obtaining and coordinating the subservice organization's management assertion is additional work for the service organization, but it is required for the report to meet SOC reporting requirements under the inclusive method.
Service organizations that present their SOC report using the carve-out method have several additional procedures and presentation matters to address. The service organization must explain, within its description of the system, which subservice organization has been carved out of the report and the specific services that subservice organization performs. The service organization should also determine whether the subservice organization obtains its own SOC report. If it does, the service organization should obtain that report and review it for exceptions noted in the tests of controls. The service organization should also review the subservice organization's SOC report for complementary user entity controls (CUECs) and evaluate whether it, as a user entity of the subservice organization, has those CUECs in place and operating. Finally, if the carved-out subservice organization does not have a SOC report, the service organization should perform periodic monitoring of the subservice organization and its controls (for example, through site visits, questionnaires, or review of the subservice organization's own testing) to verify that the controls are functioning adequately to meet the user entities' objectives.
Whether the carve-out or inclusive method is used, the user entities of a service organization's SOC report must still evaluate the controls performed by the subservice organization. The carve-out method is by far the more common, because it does not require the same level of coordination between the management of the service organization and the subservice organization that issuing a combined inclusive report does. Reporting on subservice organizations requires time and effort to identify and map each subservice organization and to determine the appropriate reporting method for it. This must also be an ongoing effort, performed periodically, so that as the business environment and user entity needs change, the appropriate subservice organizations continue to be adequately reported in the SOC report.
If you have any questions about the carve-out or inclusive methods associated with reporting Service Organization Controls, or to learn more about McKonly & Asbury’s System and Organization Controls (SOC) services, please contact our team.