Subservice Organizations: Their Role and Impact on Your SOC Report

In today’s interconnected business landscape, understanding the role of subservice organizations in SOC (System and Organization Controls) reports is paramount.

Subservice organizations are third-party entities utilized by service organizations to perform key functions, necessitating scrutiny to ensure comprehensive risk management and regulatory compliance.

Through a detailed examination of subservice organizations’ roles, 责任, 以及对SOC报告的影响, organizations can enhance their ability to effectively manage risk and uphold the integrity of their assurance processes.

This article delves into the significance of subservice organizations within SOC reports, exploring how to identify a subservice organization, and what that means for your SOC report.  


2022 AICPA SOC 指南 defines a subservice organization as a "vendor used by a service organization that performs controls that are necessary, in combination with controls at the service organization, to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved". 

To elaborate on the AICPA’s definition of a subservice organization, a vendor is a subservice organization if the following are true:

  • You need the vendor’s controls to achieve service commitments and meet system requirements for SOC 1 objectives or SOC 2 criteria.
  • It is necessary to describe the vendor’s services for customers to understand your core system and how it relates to applicable Trust bet9平台游戏 criteria.
  • A contract is in place with the vendor that stipulates the vendor’s obligations to execute certain controls to address risks related to their service.

When adding a subservice organization to your report, all of the subservice organization’s complementary controls (csoc) and each user entity’s complementary user entity controls (CUECs), must be evaluated to be in alignment with the operating effectiveness of the service organization controls.

One of the most typical scenarios seen for adding a subservice organization is for cloud-based hosting services. 亚马逊网络bet9平台游戏(AWS), Azure, and the Google Cloud Platform (GCP) are typical service providers for this specific type of service.

One of the csoc for a subservice organization like AWS, Azure, or GCP for providing cloud-based hosting services would be providing physical and environmental security over the production servers being used.

Choosing the Inclusive or Carve-Out Method for Reporting

When a service organization chooses to add a subservice organization to their SOC report, they can choose to use either the inclusive or carve-out method to present the subservice organization.

使用包含方法时, the auditor will audit the subservice organization for the controls that the service organization relies on them for.

选择这种方法时, it’s important to consider whether the subservice organization is willing to allow the auditor to test the controls within their environment.

当使用雕刻方法时, the auditor does not audit the subservice organization for the controls that the service organization relies on them for. 选择这种方法时, it’s important to consider if the subservice organization receives a SOC report or another certification that will allow you to monitor their control environment.

Monitoring Your Subservice Organization

When choosing to rely on the controls that a subservice organization is performing, it is important to consistently review the control reports (e.g., SOC reports) as they are made available.

When reviewing the subservice organization’s SOC reports, check to see if the subservice organization received a clean opinion or any exceptions on controls that could have an impact to the service you are providing to your clients.

If the subservice organization does not have a SOC report, it’s important to find an alternate approach to monitor the controls that are being relied on. This could mean requesting vendor questionnaires or even setting up recurring meetings with the subservice organization for monitoring.


It is important to note that whether you use the inclusive or carve-out reporting method, you must disclose any use of services provided by a subservice organization in your audit report.

用于下次SOC审核, do you need to decide whether to have an inclusive or carve-out report to represent your subservice organization?

After considering the positives and negatives of both methods, you can now make an informed decision on what is best for you and your customers.

If you need help determining subservice organizations, have questions on audit reporting methods, 或任何其他SOC问题, feel free to contact our team directly at (电子邮件保护).


About Schneider Downs Risk Advisory 

Our team of experienced risk advisory professionals focus on collaborating with your organization to identify and effectively mitigate risks. Our goal is to understand not only the risks related to potential loss to the organization, but to drive solutions that add value to your organization and advise on opportunities to ensure minimal disruption to your business.

探索我们的全部 风险咨询bet9平台游戏 提供或与团队联系 (电子邮件保护)

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs 我们对 blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the 我们对 blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. 电邮至 (电子邮件保护).

Material discussed is meant for informational purposes only, and it is not to be construed as investment, 税, 或法律建议. Please note that individual situations can vary. 因此, this information should be relied upon when coordinated with individual professional advice.

©2024施耐德唐斯. 版权所有. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without 书面许可.

8 Key Considerations When Reviewing User Access
Enhancing Focus on Risk 管理 and Consumer Protection
The Top Risks Internal Audit Leaders Need to Know for 2024
SOC 2 Terminology: Vendor vs Subservice Organization vs Subcontractor vs Third Party vs Nth Party
Did Poor Change 管理 Contribute to the AT&T无线和麦当劳的停电?
Register to receive our weekly newsletter with our 最近的 columns and insights.
有问题吗?? 问我们!

我们很乐意听到你的消息. Drop us a note, and we’ll respond to you as quickly as possible.


This site uses cookies to ensure that we give you the best user experience. Cookies assist in navigation, analyzing traffic and in our marketing efforts as described in our 隐私政策.