Overview of subservice organizations
As part of the SOC 1 or SOC 2 process, an organization needs to go through an exercise to identify vendors that are performing a service to the organization. Once those vendors are identified, the organization needs to understand which of those services performed have an impact on the control environment and forms part of the SOC 1 or SOC 2 scope.
Essentially, a subservice organization is a certain type of vendor that is used by the organization to perform some of the services relevant to those user entities’ internal controls over financial reporting(SOC 1) or to the Trust Services Criteria (SOC 2).
Examples of subservice organizations most commonly seen in SOC 1 and SOC 2 reports are:
- Cloud service providers (AWS, GCP, Azure)
- Software as a service or platform as a service provider
- Datacenter providers
Understanding the controls performed by the subservice organization
In order to achieve SOC 1 objectives or SOC 2 Trust Services Criteria, an organization might need to find a vendor or a subservice organization to perform certain services in order to assist the organization in becoming SOC 1 or SOC 2 compliant. The organization will therefore need to rely upon the controls performed by the subservice organization because these controls have an impact on the service delivery to the user entities. A typical scenario would be when an organization uses a cloud service provider, like AWS. The organization will be relying upon the controls performed at AWS (subservice organization) in order to perform certain functions that support the services provided to their user entities.
The following are examples of these controls:
- Controls to enable security and monitoring tools within the production environment
- Implement logical access security measures to infrastructure components including native security or security software and appropriate configuration settings.
- Restrict access to the virtual and physical servers, software, firewalls, and physical storage to authorized individuals and review the list of users and permissions on a regular basis.
Reviewing the subservice organization controls in SOC 1 and SOC 2 reports
The example OF controls given above would typically be documented in a SOC report. In this case, AWS will have a SOC 2 report.
The organization should be reviewing this report primarily for two reasons:
- Understanding the control design and operating effectiveness of the controls ensures that organizations can rely on them in providing their services to their user entities.
- Understanding what are the complementary user entity controls (CUECs), which means, understanding what controls the organization is responsible for.
It is important to understand that if the subservice organization has identified any CUECs in its SOC report, then the organization will need to ensure that those controls are in place.
A subservice organization plays an important role in the SOC 1 or SOC 2 process. It's important for the service organization to understand that role, in order to properly report on their system and control environment. When business functions are outsourced and the service organization needs to rely on the subservice organization's controls, the vendor relationship becomes critical to manage appropriately. If this relationship is managed appropriately, then subservice organizations can greatly assist service organizations in achieving their SOC 1 objectives or SOC 2 Trust Services Criteria.