Dealing with Suppliers
(Sub-Service Organizations) in 4 steps.
This article provides 4 steps to better oversee the audit process and work more efficiently.
Step 1. Is there a subservice organization?
The so-called subservice organizations represent a special class of suppliers. These are defined as “a service organization used by another service organization to perform some of the services provided to user entities that are likely to be relevant to those user entities’ internal control over financial reporting.”
Subservice organizations may appear in an SOC 1 or SOC 2 report, and this may determine whether it is a Type 1 or a Type 2 report. The following providers are typical examples of a subservice organization:
- Datacenter
- IT service providers
- -Software als service of platform als serviceprovider
Step 2. Split or inclusive reporting?
Once the organization has been able to identify whether there is a subservice organization, that is actually just the tip of the iceberg. For the report, it still needs to be decided whether to use the carve-out method or the inclusive method.
Carve-out method
This method involves CSOCS coming into play. The controls performed by the subservice organization are not included in the report. Only an overview of what the subservice organization means for the service organization and how it interacts with it in combination with your system and the different expected controls so that you can achieve control objectives for trust services.
Inclusive method
With this method, the relevant aspects of the subservice organization’s operations and related internal control measures at the subservice organization are fully included in the report. The inclusive method can also be seen as a merger of separate SOC reports from two entities. What is important is that the same level of work that is used for the service organization must also be used for the subservice organization. This can be discouraging and therefore the use of the inclusive method is rarely seen in practice. Entities of the brother/sister type, such as an operational unit supported by a separate IT department, both from the same parent company, are an example of when inclusive could be used. Another example would be when the subservice organization carries out almost all its activities with an unrelated service organization.
Step 3. Demonstrate how your organization manages the split subservice organizations
Now you need to ensure that if there is a split subservice organization, the organization documents well how it is managed. With subservice organizations, a typical supplier management program where you evaluate the services, quality, policy, and procedures (e.g., IT security) and insurance coverage of the supplier is not sufficient. With a subservice organization, as a service organization, you need to take steps to determine whether the types of CSOCS you expect the subservice organization to have are actually present. This is done by one of the easiest ways is to obtain the subservice organization’s SOC report, assuming they have one.
If there is no SOC report available, the organization should gather information from the management of the subservice organization, read other internal reports that the subservice organization may produce, and/or conduct on-site visits to assess your required CSOCS.
Step 4. Understand and comply with complementary controls over user entities Arriving at the final step.
Most service organizations have expectations of their user entities, which auditors also refer to as CUECs. CUEC stands for “Complementary User Entity Controls.” The subservice organization also expects the organization as a user entity to engage in certain types of internal control measures. And now the final step is to understand and determine how the organization complies with these.
