The Best SOC 1 Reporting Approach for Subservice Organizations and Vendors

Over the past several decades, outsourcing certain functions of a business has become standard operating procedure for many of today’s efficiency-focused organizations.

Your company is probably part of this global business revolution to some degree. If so, you may continually find yourself searching for the best ways to ensure accountability on all fronts. From your in-house teams to your outsourced service organizations and their internal controls, you may wonder whether you have everything covered for the benefit and security of your clients and stakeholders, as well as for your own business's health.

Keep in mind that, like your company, some of your most indispensable outsourced providers themselves outsource specialized tasks for efficiency and savings, which they likely pass on to your business.

But how do you account for these additional parties in your System and Organization Controls 1 (SOC 1) reporting?

How Do You Distinguish a Vendor From a Subservice Organization for SOC 1 Reporting?

The first step toward accurate SOC 1 reporting (reports issued under the SSAE 18 attestation standard) for parties associated with your engaged service organizations is to sort out who is who when it comes to vendors and subservice organizations.

On the surface, the differences may seem minor, but vendors and subservice organizations are distinct for reporting purposes. It is important that your company understands and documents the distinction between the two for the most accurate SOC 1 reporting possible.

Vendors

Vendors are independent parties in the supply chain, providing specific goods or services to a primary organization (client) without any intermediary. Vendors may include office supplies sellers, utilities providers and custodial businesses. What distinguishes them is that the goods or services they provide are not part of the services the service organization delivers to its user entities and do not affect the service organization's control objectives.

Because of this, vendors ordinarily are not required to provide a SOC 1 report, and many (such as office supplies sellers) will not have one. Instead, apply vendor due diligence proportionate to the risk the vendor poses: inform each vendor at engagement of your organization's due diligence criteria, document the contract terms and periodic reviews you rely on, and retain that evidence so it can be produced when you report to your stakeholders.

Subservice Organizations

A subservice organization is engaged by a service organization to perform some of the services provided to the service organization's clients (user entities). The subservice organization operates controls that would ordinarily be included in the service organization's system description if the service organization had performed those tasks itself; that is, the subservice organization's controls are necessary, in combination with the service organization's own controls, to achieve one or more of the service organization's control objectives.

A common example of a subservice organization is a data center engaged by a cloud service provider, where the cloud service provider is the service organization contracted by the user entity.

Identifying subservice organizations correctly is critical because the service organization's SOC 1 description must identify the complementary subservice organization controls (CSOCs): the controls the service organization assumes the subservice organization has implemented in the design of its own controls. Each CSOC is mapped to the control objective it helps achieve, and the subservice organization's own SOC 1 report, where one exists, is the primary evidence that those assumed controls are in place and operating.

Why Is It Important to Distinguish A Vendor From A Subservice Organization?

Properly distinguishing a vendor from a subservice organization matters because a subservice organization's controls are relevant to the service organization's control objectives and must be addressed in the SOC 1 description, either by carving them out or including them, while a vendor's are not.

It is also important to note that the attestation standards update from SSAE 16 to SSAE 18 (effective for reports dated on or after May 1, 2017) specifically addresses this relationship: the service organization must identify its subservice organizations and fairly disclose the relationship in each SOC 1 report as a matter of fair presentation, and must maintain controls to monitor the effectiveness of the subservice organization's controls.

Accounting Today shares that fair presentation for subservice organizations includes “a description of any controls (complementary subservice organization controls) that the service organization assumed in the design of its controls.”

Using the common example of a service organization moving its data center operations to a colocation facility, the service organization ordinarily assumes that the facility, which in this arrangement is the subservice organization, has implemented controls to ensure the physical and environmental safeguarding of the operating environment (for example, restricted physical access, power and cooling, and fire suppression). These assumed controls are the CSOCs. They are disclosed in the service organization's system description, and the service organization remains responsible for monitoring that the subservice organization actually operates them, typically by obtaining and reviewing the facility's own SOC 1 report.

The Carve-Out Method or The Inclusive Method Of SOC 1 Reporting: Which One Is Best For Your Organization?

Any time your service organization engages a subservice organization whose controls are relevant to your control objectives, there are two methods for presenting those controls in your SOC 1 report: the Carve-Out Method and the Inclusive Method.

The Carve Out Method

With the Carve-Out Method, the subservice organization's processes and controls are excluded from the service organization's description and from the scope of the service auditor's examination. The description still identifies the subservice organization, the nature of the services it performs, the CSOCs the service organization assumes it has in place, and the controls the service organization uses to monitor it. Considerations for deciding whether this is the best method for your SOC 1 report include:

  • Are the services performed by the subservice organization relevant to the services offered to the user entity and to your control objectives?
  • Does the subservice organization issue its own SOC 1 report covering the carved-out services, so that user entities and their auditors can obtain assurance over the CSOCs?
  • Does the service organization's report, or the subservice organization's report, contain any exceptions, and how do those exceptions affect the control objectives?
  • Are certain control objectives only partly achieved by the service organization's own controls? If so, the description should include the service organization's controls for monitoring the subservice organization (for example, reviewing its SOC 1 report and following up on exceptions).

These considerations, along with others, must be evaluated by your organization to decide whether the Carve-Out Method is appropriate for your SOC 1 reporting.

The Inclusive Method

When using the Inclusive Method, the subservice organization's relevant processes and controls are included in the service organization's description and are tested by the service auditor as part of the examination. This requires the subservice organization's cooperation, including its management providing a written assertion about the fairness of the description and the suitability of design (and, for a Type 2 report, operating effectiveness) of its controls.

Considerations when determining whether the Inclusive Method is the right approach for your company include:

  • Is there a separate written assertion from the subservice organization's management in addition to the service organization's assertion?
  • Will the subservice organization give the service auditor the access needed to test its controls?
  • Are there any exceptions noted within the SOC 1 report, and which organization's controls do they relate to?

Sometimes Determining the Appropriate Method Uncovers a Reporting Surprise for the Subservice Organization

Sometimes, during the process of sorting out the appropriate reporting method, you will discover that the extent of a subservice organization's services makes it a service organization in its own right for other user entities, and therefore subject to its own SOC 1 examination and report.

Are You Trying to Determine The Best SOC 1 Reporting Method For Subservice Organizations And Vendors?

The more outsourcing your organization does, the more confusing SOC 1 reporting can become. At I.S. Partners, LLC, we can help you sort it all out to protect your customers, stakeholders and your organization's reputation.

Call us at 215-675-1400, request a quote, or launch a live chat to get an estimate today on your SOC 1 audit!
