By successfully completing a SOC audit, a company demonstrates to current and potential customers that it has the proper internal controls in place to deliver superior and secure services. Moreover, it indicates that these controls are in place in their entirety. Often, service providers outsource part of the deliverable to another company that specializes in a particular function. Such a company is known as a subservice organization. For example, many software-as-a-service providers utilize Amazon Web Services (AWS); in that relationship, AWS is a subservice organization.
So, how exactly are subservice organizations examined? Either by the carve-out method or the inclusive method. Let’s take a closer look at both.
When utilizing the carve-out method, the subservice organization’s controls are excluded from the description of the service organization’s system and from the report itself. You might be thinking red light, do not pass go, do not collect $200. Put simply, excluding these critical aspects sounds like a bad idea. However, consider what is still included in the description: a) an explanation of the services performed by the subservice organization, b) the controls that the subservice organization is expected to perform to ensure requirements are met, and c) the controls that the service organization employs to monitor the subservice organization’s controls.[i] Another item to consider is that the subservice organization may have completed its own SOC audit. In this case, the subservice organization’s SOC report can be requested.
Conversely, if the inclusive method is chosen, the service organization’s system description acknowledges that a subservice organization is used and describes the services provided by the subservice organization as well as the controls the subservice organization has in place.[i] Because the subservice organization’s services and controls are included in the service organization’s system description, they are fair game for the auditor to inspect. It’s very important to understand that you can only use the inclusive method if you are able to obtain a written assertion from the subservice organization.
Not sure which method is right for you? It’s usually best to consult with an auditing firm to understand which method is the best fit for your situation. Because the inclusive method essentially requires the cooperation of the subservice organization, it may not be an option. For example, many of our clients utilize AWS to house their software. Given Amazon’s size and its unwillingness to cooperate with a customer’s audit, the default is to utilize the carve-out method.
[i] AICPA, SOC 2 Guide, January 1, 2018.