SOC Reporting: Vendor or Subservice Organization?

Many service organizations outsource functions of their business to third-party organizations (vendors).  The functions performed by vendors may impact the service organization’s delivery of services to user entities.  When completing a SOC 1 or SOC 2 examination, the service organization must determine whether any of its vendors are considered subservice organizations and are therefore in scope for the SOC examination.

The difference between a vendor and a subservice organization is that a vendor’s controls are not necessary for the service organization to meet the SOC 1 objectives or SOC 2 criteria, while a subservice organization’s controls are likely to be necessary to meet the objectives or criteria.  A vendor is likely to be considered a subservice organization if the following points apply:

  • If user entities’ understanding of the service organization’s system requires the services provided by the vendor to be included in the service organization’s system description; and
  • If controls at the vendor are necessary, in combination with the service organization’s controls, to provide assurance that the SOC 1 objectives or SOC 2 criteria are met; or
  • A service organization’s contract with the vendor stipulates that the vendor perform certain controls to address risks related to the vendor’s service.

As an example, consider a vendor that monitors a service organization’s IT logs for events that could indicate unauthorized activities.  If the vendor is responsible for analyzing the logs for notable activities and alerting the service organization to suspicious activities, then controls at the vendor would be relevant to meeting the service organization’s security commitments, and the vendor would be a subservice organization because the vendor is performing the control to monitor the logs.  The same vendor would not be considered a subservice organization if the service organization was reviewing summary reports of logged events generated by the vendor, since the service organization would be responsible for monitoring the reports and would not be relying on the vendor for identifying suspicious activity.  The service auditor is allowed to assist with determining if a third party should be classified as a vendor or subservice organization, but the determination is ultimately the responsibility of the service organization’s management.

Once the necessary subservice organizations are identified, the service organization will need to determine whether the inclusive or carve-out method will be used to present the subservice organizations in its SOC report.  Look for our upcoming article titled “Inclusive or Carve-Out: How Subservice Organizations Are Presented in SOC Reports” for guidance on choosing the appropriate method.


© 2020 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
