SOC 2 and Subservice Organizations


After a review of the new SOC 2 guide, Reporting on Controls at a Service Organization, I noticed that the responsibilities of the service auditor, service organization and subservice organization all seem to have increased when it comes to how subservice organizations may be considered / treated under the new standard.  Trying to get all three parties on the same page is a daunting feat in itself and I wanted to take a moment to share some of the highlights. The inclusive and carve-out method can still be used for subservice organizations just as in SOC 1.

The service organization needs to determine if it has implemented controls to monitor the effectiveness of the controls at the subservice organization.  Evidence of monitoring of the vendor would include periodic visits to the vendor and assessments, review and approval of vendor output, and tests of the vendor’s controls by the internal audit department.  If these controls have been put in place by the service organization then the service organization’s controls alone meet the trust services criteria and the subservice organizations controls do not need to be included in the description.

Should the subservice organization be included within the scope of the review and the service organization does not formally monitor the controls, then the service auditor should perform procedures at the subservice organization.  The relevant aspects of the subservice organization’s infrastructure, software, people, procedures, and data are to be considered a part of the service organization’s system and should be included and the portions applicable to the subservice organization should be identified as such.  Written representation and assertion letters must be obtained from the subservice organization should the inclusive method be used.

The methodology of inclusive and carve-out for subservice organizations has not changed drastically but the SOC 2 guidance does give the service organization the opportunity to include the controls without the onerous task of obtaining representations and assertion letters from the subservice organization if the service organization can demonstrate their oversight of the subservice organization.

By Sean Widdoes – Senior Consultant at A-LIGN