Over the past several decades, outsourcing certain functions of a business has become standard operating procedure for many of today’s efficiency-focused organizations.
Your company is probably part of this global business revolution to some degree. If so, you may continually find yourself searching for the best ways to ensure accountability on all fronts. From your in-house teams to your outsourced service organizations and their internal controls, you may wonder whether you have everything covered, both for the benefit and security of your clients and stakeholders and for your own business's health.
Keep in mind that, like your company, some of the outsourced businesses you depend on most also outsource specialized tasks to other parties for efficiency and savings, which they likely pass on to you. But how do you account for these additional parties in your SOC 1 reporting?
Vendor vs. Subservice Organization: What's the Difference?
The first step toward accurate SOC 1 reporting (performed under the SSAE 18 attestation standard) for the parties associated with your engaged service organizations is to sort out who is who: which third parties are vendors and which are subservice organizations.
On the surface, the differences may seem minor, but vendors and subservice organizations are in fact distinct entities. It is important that your company understands and acknowledges the distinction between the two for the most accurate SOC 1 reporting possible.
Vendors are independent parties in the supply chain that provide specific goods or services to a primary organization (the client) without any intermediary. Vendors may include office supply sellers, utility providers and custodial businesses.
Vendors are normally covered by your vendor management and due diligence program rather than by your SOC 1 report. Upon engagement, inform each vendor of your organization's due diligence criteria and what it needs to provide. Where a vendor's service could affect your control environment and the vendor issues a SOC 1 report, requesting it streamlines your review; many vendors will not have one, and that alone does not make them subservice organizations.
A subservice organization is engaged by a service organization to perform some of the services that the service organization provides to its clients (user entities). A subservice organization operates controls that would ordinarily be included in the service organization's system description if the service organization performed those tasks itself.
A common example of a subservice organization is a data center (colocation provider) engaged by a cloud service provider that is itself contracted by a user entity.
The subservice organization's own SOC 1 report is critical because it lets the service organization verify the complementary subservice organization controls (CSOCs) it assumed when designing its own controls. CSOCs are the controls the service organization relies on the subservice organization to operate, and they are mapped to the service organization's relevant control objectives.
Why Is It Important to Distinguish Vendors From Subservice Organizations?
Properly distinguishing a vendor from a subservice organization matters because a subservice organization's controls are relevant to your SOC 1 report and must be addressed in it (either carved out or included), while a vendor's controls are not.
It is also important to note that the update of the attestation standard from SSAE 16 to SSAE 18 specifically addresses the importance of describing this relationship and disclosing it in each SOC 1 report as a matter of fair presentation. Accounting Today notes that fair presentation for subservice organizations includes "a description of any controls (complementary subservice organization controls) that the service organization assumed in the design of its controls."
Using the common example of a service organization moving its data center operations to a colocation facility, the service organization ordinarily assumes that the facility (the subservice organization) has implemented controls to ensure the physical and logical safeguarding of the operating environment. The subservice organization is held accountable for these assumed controls, and the controls are usually identified as CSOCs in the service organization's system description.
Related article: Why SOC 1 Can be More Valuable than SOC 2.
Which Method Is Best For Your SOC 1 Efforts?
Any time your service organization engages a subservice organization, there are two methods for reporting on the subservice organization's controls in your SOC 1 report: the Carve Out Method and the Inclusive Method.
The Carve Out Method
With the Carve Out Method, the subservice organization's processes and controls are excluded from the service organization's description and from the service auditor's testing; the description still identifies the services the subservice organization performs and the CSOCs the service organization relies on. Considerations for deciding whether this is the best method for your SOC 1 report include:
- Are the services performed by the subservice organization relevant to the services offered to user entities?
- Does the subservice organization issue its own SOC 1 report covering the carved-out services?
- Does the service organization's report, or the subservice organization's report, contain any testing exceptions?
- Are certain control objectives left out of the service organization's description because they are carved out? If so, the description should include the service organization's own controls for monitoring the subservice organization's performance; the subservice organization need not be named.
These considerations, along with others, must be evaluated by your organization to decide whether the Carve Out Method is appropriate for your SOC 1 reporting.
The Inclusive Method
When using the Inclusive Method, the subservice organization's processes and controls are an integral part of the report: they are included in the description, covered by the assertion, and tested by the service auditor.
Considerations when determining whether the Inclusive Method is the right reporting approach for your company include:
- Is there a separate written assertion from the subservice organization in addition to the service organization's assertion letter?
- Are there any exceptions noted within the SOC 1 report?
Sorting out the appropriate reporting method sometimes produces a surprise for the subservice organization: the extent of its services may make it a primary service organization in its own right for another user entity, possibly subject to its own SOC 1 examination and report.
What’s the Best SOC 1 Reporting Method for You?
The more outsourcing your organization does, the more confusing SOC 1 reporting can become. At I.S. Partners, LLC, we can help you sort it all out to protect your customers, stakeholders and your organization's reputation.