SOC 2 Audit FAQ - Part 3

In part 3 of our SOC 2 audit FAQ series we look at the role of the subservice organisation in the SOC 2 audit and consider the age-old question: should subservice organisations be carved out of, or included in, your SOC 2 report?

What is a sub service organisation?

A subservice organisation is an organisation that provides a system, service or services to the service organisation, such as data hosting or security monitoring. You could also think of a subservice organisation as an entity to which the service organisation has outsourced some of its operations. The AICPA defines a subservice organisation as “a service organisation used by another service organisation to perform some of the services provided to user entities that are likely to be relevant to those user entities’ internal controls.”

Basically, the subservice organisation’s controls, or the design of those controls, may affect the service that the service organisation provides, and so ultimately have a bearing on the service that the service organisation’s customers receive.

The service organisation must consider how subservice organisations are treated within the scope of the SOC 2 audit, and whether the carve-out or the inclusive audit method is used for each of them.

Amazon, which provides Amazon Web Services (AWS), and Microsoft, which provides Azure, are common examples of subservice organisations. Subservice organisations have often undergone SOC 2 audits themselves and make their SOC reports available to their clients and customers. Both Amazon and Microsoft have SOC 2 Type 2 reports available for their data hosting environments.

What are the carve-out and inclusive audit methods?

Service organisations often face a dilemma when determining how best to report on their control environment to the clients who use their services, because they rely on these subservice organisations and consequently on the controls the subservice organisation has in place. The service organisation must decide whether to use the carve-out audit or the inclusive audit method for its subservice providers.

The carve-out audit and inclusive audit methods are the two ways for a service organisation to report the services performed by the subservice organisations within its system description and subsequently in the SOC 2 audit report. 

The carve-out audit method allows a service organisation to describe the services performed by a subservice organisation within its system description, but excludes the subservice organisation’s controls from being audited. Although this approach excludes those controls, the service organisation must still document within its system description the controls it uses to effectively monitor the subservice organisation, such as service reviews and audits.

If you choose the inclusive audit method, the service organisation’s system description must document the services performed by the subservice organisation (same as the carve-out audit method) as well as the control objectives and related controls of the subservice organisation. 

What SOC 2 Audit Method Should You Use?

You will need to consider the following to determine the best course of action for you and whether to use the carve-out or inclusive method for your sub service organisations.

1.  Are the services performed by the subservice organization relevant to the services offered to your clients? 

2.  If the services are applicable, does the subservice organisation receive a SOC report or another form of certification, such as ISO 27001, that will allow you to easily monitor its control environment?

3.  Can the subservice organisation provide an up-to-date SOC 2 report?

4.  Did the subservice organisation receive a clean audit opinion in its last report?

5.  Were there any control exceptions noted in the report that would impact the service to your clients? 

6.  Were there complementary user entity controls (CUECs) noted in the report? CUECs effectively outline, within the SOC report, the specific internal control requirements that are the responsibility of the user entity and not the responsibility of the service organisation.

7.  If there were CUECs noted in the report, do you have controls to address them? 

8.  If the subservice organisation cannot provide a SOC report, does your organisation have another effective approach to monitoring the subservice organisation’s control environment, such as service review meetings and audits?

SOC 2 Audit Key Questions

A few key questions to consider and help you determine whether the inclusive audit method should be utilised are: 

1.  Would the subservice organization be willing to have your SOC 2 auditor test the controls within their environment? 

2.  Would the subservice organisation be willing to provide an assertion letter to be included in the SOC 2 report, along with the service organisation’s assertion letter, to document and confirm the controls they have in place?

3.  How easy is it to coordinate and work with the subservice organisation? The two organisations will need to coordinate schedules for the SOC audit to be performed, and for a SOC 2 Type 2 report this could be over a lengthy period. Additionally, the two organisations will have to work together in reviewing and revising the system description within the report so that it accurately documents the subservice organisation’s controls.

4.  Do you really want the subservice organisation’s results in your report? If the organisation historically has control exceptions, there is a possibility that their performance may impact your clients’ perception of your organisation. 

Whatever your responses to the questions above, your final decision should generally come down to which method will best meet the needs of your organisation and, ultimately, your clients’ needs and expectations.

Conclusion  

While the inclusive audit method is probably the best approach to obtaining the most complete SOC report, it is often not very practical. 

It is often a big challenge to use the inclusive method with large subservice organisations such as AWS or Microsoft Azure, and to get these subservice organisations to willingly participate in your SOC 2 audit in the first place.

There needs to be a solid working relationship between the service organisation’s management and the subservice organisation’s management for the inclusive method to be effective, as it requires a great deal of coordination between both parties involved in the SOC 2 audit.

Consequently, in practice the carve-out audit method is the most popular way to manage and report on subservice organisations in SOC 2 audit reports.

Need Help With SOC 2?

Please click here to find out more about our SOC 2 consultancy services.
