SOC standards are frameworks that give companies advice on handling services that are provided by subservice organizations. Within the SOC standards the main service organization should aim to achieve.
Understanding SOC Auditing
What is a Subservice Organization?
A subservice organization is simply an outsourcing company to the main service organization. For example, if the main service organization is a medical office and outsources its billing to another company, the billing company is the subservice organization and the medical company is the service organization.
Why be Concerned with Sub-service Organizations?
It is the job of the service organization to keep an eye on how the subservice organization is performing and report on it. After all, the subservice organization is closely tied to the operations of the service organization, and how it performs will reflect on the quality and reputation of the service organization. You likely have clients who want assurance regarding the control environment around the services your provide, right? It’s not enough to just focus on in-house operations, if you use subservice organizations.
SOC Audit Options
There are two different methods advised by the AICPA for monitoring and keeping high-quality standards in subservice organizations with which your service organization works. These methods are the carve out method and the inclusive method. Here are the descriptions of each method, so you can decide which method is the best approach for your company.
The Carve Out Method
With the carve out method, the service organization includes the services of the subservice organization in its description of its own services, as if the subservice organization were part of the main company. At the same time, the service organization excludes any control objectives used by the subservice organization from its own company description. Even though these objectives are excluded from company descriptions, the company should include its own methods of monitoring subservice organizations in its company description, without actually naming the subservice organizations.
As an example, the management of the service organization could monitor the control objectives of the subservice organization by using the subservice organization’s own SOC compliance guidelines, or possibly a SOC 3. Using some description of how the control objectives of the subservice organization are monitored by the main company is an important part of SOC compliance.
The Inclusive Method
The inclusive method is another method approved of by the AICPA. In this method, your description of your organization’s methods of operating should include a list of descriptions of services performed by the subservice organizations you use. They should be clearly identified as subservice organizations, and not made to seem like they don’t exist, as in the carve out method. You should also include descriptions of the control objectives of the subservice organizations with whom you do business.
Which Method is Better?
Are your companies related?
Most companies use the inclusive method if their company and the subservice organization are related in some way. However, the word “related” can mean a lot of different things in the business world. You must be able to obtain a written statement of assertion from the subservice organization in order to use the inclusive method and still be in compliance with SOC 1 or SOC 2, whatever applies. If you, or your company’s auditor cannot get the statement of assertion, then you must use the carve out method.
Ensuring Compliance from all Companies
Whichever method your company uses, it is important to remember that there is an important emphasis placed on subservice organizations now with companies that are subject to SOC compliance. A lot of companies outsource to other companies for all kinds of different tasks. These tasks are important to the operations of the main company. Therefore, it only stands to reason that the subservice organizations should be subject to the same standards as the companies for whom they work. They must be vetted and required to operate to equally high standards to the main companies. It only makes sense, and it makes for excellent business operations on both sides. This ensures clients get the best level of service possible from all companies involved in the operations of the company with whom they are doing business.
Related article: How to Prepare for a SOC 1 Audit.
Find the Best SOC Audit Process for Your Company
If you are not sure which method your company should be using, you should talk to a qualified third-party auditing company like I.S. Partners, LLC. They have many years of experience in advising companies on these things. They will look carefully at how your company does business, and be able to recommend the proper method for your organization, as well as give you a clear and understandable explanation of why it is the best method for your company to use. Each organization is different, and your SOC compliance needs may be different than similar companies in your industry. Make sure your company gets it correct by contacting I.S. Partners, LLC for a consultation. Call 215-675-1400 or fill out our contact form!