What Is a Subservice Organization in a SOC Report?

Discover how a service organization's reliance on vendors is disclosed in a SOC report and what this means for evaluating the full scope of your risk.

A subservice organization is a company hired by one of your vendors to help deliver the final service to you; it is your vendor’s vendor. This relationship creates a chain of dependencies where the quality and security of the service you receive can be affected by a company with which you have no direct contract. Understanding this layered relationship is important for managing risk.

The American Institute of Certified Public Accountants (AICPA) defines a subservice organization slightly differently for each type of SOC report. In a SOC 1 report, which covers internal control over financial reporting, a subservice organization is one whose services are likely to be relevant to the user entities' internal control over financial reporting. In a SOC 2 report, which is organized around the trust services criteria (security, availability, processing integrity, confidentiality, and privacy), a subservice organization is one whose controls are needed, alongside the service organization's own, for the service organization to meet its service commitments and system requirements.

The Role of a Subservice Organization

The service delivery chain involves three parties: the user entity (the customer), the service organization (the primary vendor), and the subservice organization. The user entity contracts with the service organization, which may in turn outsource a component of that service to a subservice organization.

A common example is a company that hires a payroll processor. The payroll processor (the service organization) provides the software and service to manage employee payments but might use a cloud infrastructure provider, like Amazon Web Services (AWS), to host its application and store data. In this scenario, the cloud provider is the subservice organization.

The service organization remains accountable for the overall service provided to its clients, including the components handled by the subservice organization. This means the primary vendor must monitor the controls and performance of its subservice provider, because a failure at the subservice level directly affects the vendor's own operations and the security of its customers' data.

Identifying Subservice Organizations in SOC Reports

To understand a vendor’s dependencies, a company must review the vendor’s System and Organization Controls (SOC) report. Both SOC 1 and SOC 2 reports are required to disclose the use of any subservice organizations whose functions are relevant to the services being provided. This disclosure is a mandatory part of the report’s narrative, ensuring transparency for the user entity.

This information is found in a specific section of the SOC report, often titled “Subservice Organizations” or within the “Description of the System.” This section identifies the subservice organization and describes the services it performs. The report must clearly identify which services are performed by the subservice organization, allowing the user entity to understand the extent of the reliance.

Reporting Methods for Subservice Organizations

A SOC report must address the controls of a subservice organization using one of two approaches: the inclusive method or the carve-out method. The choice determines how much of the subservice organization's control environment the auditor examines, and therefore how much assurance the user entity can take from a single report. The service organization settles on the method when the engagement is scoped, since an inclusive engagement requires the subservice organization's cooperation from the outset.

The inclusive method includes the subservice organization’s relevant controls within the primary service organization’s SOC report. This means the auditor for the primary vendor also tests the design and operating effectiveness of the controls at the subservice organization. For this to occur, the subservice organization must be willing to provide a written assertion of its controls and allow the auditor access for testing. This approach provides a comprehensive view in a single document but is less common due to the logistical complexity, cost, and high degree of coordination required.

The more prevalent approach is the carve-out method. The subservice organization's services are still described in the report, but its controls are explicitly excluded, or "carved out," from the scope of the examination, so the report contains no opinion on their design or operating effectiveness. Instead, the report lists complementary subservice organization controls (CSOCs): the controls the primary vendor assumes are in place and operating effectively at the subservice organization in order for the vendor's own control objectives or criteria to be met.

When a vendor uses the carve-out method, the user entity has to close the gap itself. Because the subservice organization's controls are not tested in the vendor's report, the user entity should obtain the subservice organization's own SOC report and confirm three things: that its scope covers the specific services the vendor relies on, that its reporting period overlaps the vendor's (with a bridge letter covering any gap), and that the CSOCs listed in the vendor's report correspond to controls actually tested in the subservice organization's report. The primary vendor is still required to maintain its own controls for monitoring the subservice organization, such as reviewing its SOC reports and following up on exceptions, and the effectiveness of those monitoring controls is tested as part of the vendor's audit.
