Many service organizations outsource aspects of their business activities to third-party vendors. The functions performed by these vendors assist the service organizations in achieving service commitments to user entities.

One activity a service organization must undergo when completing a System and Organization Controls (SOC) examination through a service auditor is determining which of its vendors are classified as vendors and which are classified as subservice organizations. Those identified as subservice organizations need to be reported differently within the SOC 1 and SOC 2 reports, as summarized below.

How do I determine if a vendor is a subservice organization? 

To answer this question, let’s consider an example. A service organization that offers online bookkeeping services, named Jack’s Fast Books, uses a vendor named Payroll ABC to provide payroll processing services.

If Payroll ABC is responsible for calculating payroll taxes, ensuring correct deductions, distributing payroll checks and notifying Jack’s Fast Books of any anomalies, this indicates that controls at Payroll ABC are important to meeting Jack’s Fast Books’ commitments.

  • Payroll ABC would be classified as a subservice organization because it is performing the key controls necessary for appropriate calculations, deductions and distribution.

But what if Payroll ABC provides summary reports of calculations and deductions for Jack’s Fast Books to review and approve, and Jack’s Fast Books maintains responsibility for final sign-off of a payroll batch and its associated payroll distribution? 

  • Payroll ABC would be classified as a vendor only, and not a subservice organization, because Jack’s Fast Books is not relying on Payroll ABC for the performance of Jack’s Fast Books’ key controls related to payroll processing.

I have identified a vendor that should be classified as a subservice organization. What does this mean for my SOC report? 

Per the definition of the American Institute of Certified Public Accountants (AICPA), there are two methods for reporting subservice organizations in an SSAE 18 compliant SOC report:

Carve-Out Reporting Method:

In this method, management’s description of the service organization’s (Jack’s Fast Books) system identifies the nature of the services performed by the subservice organization (Payroll ABC) and excludes the subservice organization’s relevant control objectives [or criteria] and related controls. 

  • For example: “Jack’s Fast Books uses Payroll ABC for payroll processing services. This report description includes only the control objectives and related controls of Jack’s Fast Books and excludes the control objectives and related controls at Payroll ABC.”

For this method of reporting, the service organization (Jack’s Fast Books) does not disclose the specific controls at the subservice organization (Payroll ABC) but instead discloses the types of controls assumed to be implemented by the subservice organization (Payroll ABC). The controls at the subservice organization are not in scope for testing during the SOC audit.

Inclusive Reporting Method:

In this method, management’s description of the service organization’s (Jack’s Fast Books) system includes a description of the nature of the services provided by the subservice organization (Payroll ABC) as well as the subservice organization’s (Payroll ABC) relevant control objectives [or trust services criteria] and related controls. 

  • For example: “Jack’s Fast Books uses Payroll ABC for payroll processing services. This report includes a description of the control objectives and related controls of Jack’s Fast Books and Payroll ABC. The controls and control objectives included in the description are those that management of Jack’s Fast Books and management of Payroll ABC believe are likely to be relevant to user entities.”

For this method of reporting, the service organization (Jack’s Fast Books) will include the controls at the subservice organization (Payroll ABC) as a part of the system description and as being in scope for testing during the SOC audit.

What does this mean for my SOC report?

In summary, the main distinction between a vendor and a subservice organization is that a vendor’s controls are not necessary for the service organization to meet the SOC control objectives (SOC 1) or trust services criteria (SOC 2), while a subservice organization’s controls are necessary.

Some questions that service organizations can ask when determining whether their vendor is a subservice organization can include:

  • Are controls at the vendor (Payroll ABC) necessary, along with the service organization’s (Jack’s Fast Books) controls, to provide assurance that the SOC objectives or criteria are met?
  • Is the inclusion of the services provided by the vendor (Payroll ABC) necessary to provide a clear understanding of our system (Jack’s Fast Books) to user entities?

If the answers to the above questions are yes, then it is likely the vendor should be considered as a subservice organization within the SOC 1 or 2 report.

While a service auditor is allowed to provide insight into determining whether a third party should be classified as a vendor or a subservice organization, the determination is ultimately the responsibility of the service organization’s management.

Have additional questions?

SSAE-compliant SOC reports remain a complex topic for many organizations. We understand you might still have some questions. If that’s the case, please feel free to contact us.



Journet Greene is a Director in Moore Colson’s Risk Advisory and Compliance Services Practice. She leads Sarbanes-Oxley initiatives, internal audits, SOC audits and other compliance engagements for the firm’s many large IT and consulting engagements.
