One of the discussions brought up at this year’s AICPA Service Organization Controls (SOC) School was the issue of cloud computing and the effects it has on industries that are subjected to a SOC 1 or SOC 2 audit. When it comes to cloud computing, subservice organizations may be involved in providing the operations that a service organization might perform. This relationship is where the service organization and user entity could find themselves at risk.
As experienced service auditors, we are able to look at the risks involved with the subservice organization's footprint and determine the best course of action for our service organization, i.e., our clients.
Specifically, we examine whether the carve-out or the inclusive method is the better reporting method. If the carve-out method is used, we ask ourselves: what type of report does the subservice organization have, and/or what type of report does our client's vendor have, and consequently what should our client be doing based on that? Does that change the type of audit they perform as well, or do they go back to their subservice organization and request another type of audit? All in all, the risk that a subservice organization presents remains the same regardless of the reporting method.
With that being said, the use of subservice organizations is more prevalent in a cloud computing environment, and for that reason, having experienced auditors who have been around these situations before is of utmost importance.
Should you have any questions regarding this topic or would like additional information, please feel free to reach out to me via email: firstname.lastname@example.org