In today’s interconnected business landscape, understanding the role of subservice organizations in SOC (System and Organization Controls) reports is paramount.
Subservice organizations are third-party entities utilized by service organizations to perform key functions, necessitating scrutiny to ensure comprehensive risk management and regulatory compliance.
Through a detailed examination of subservice organizations’ roles, 责任, 以及对SOC报告的影响, organizations can enhance their ability to effectively manage risk and uphold the integrity of their assurance processes.
This article delves into the significance of subservice organizations within SOC reports, exploring how to identify a subservice organization, and what that means for your SOC report.
什么是子bet9平台游戏组织?
2022 AICPA SOC 指南 defines a subservice organization as a "vendor used by a service organization that performs controls that are necessary, in combination with controls at the service organization, to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved".
To elaborate on the AICPA’s definition of a subservice organization, a vendor is a subservice organization if the following are true:
When adding a subservice organization to your report, all of the subservice organization’s complementary controls (csoc) and each user entity’s complementary user entity controls (CUECs), must be evaluated to be in alignment with the operating effectiveness of the service organization controls.
One of the most typical scenarios seen for adding a subservice organization is for cloud-based hosting services. 亚马逊网络bet9平台游戏(AWS), Azure, and the Google Cloud Platform (GCP) are typical service providers for this specific type of service.
One of the csoc for a subservice organization like AWS, Azure, or GCP for providing cloud-based hosting services would be providing physical and environmental security over the production servers being used.
Choosing the Inclusive or Carve-Out Method for Reporting
When a service organization chooses to add a subservice organization to their SOC report, they can choose to use either the inclusive or carve-out method to present the subservice organization.
使用包含方法时, the auditor will audit the subservice organization for the controls that the service organization relies on them for.
选择这种方法时, it’s important to consider whether the subservice organization is willing to allow the auditor to test the controls within their environment.
当使用雕刻方法时, the auditor does not audit the subservice organization for the controls that the service organization relies on them for. 选择这种方法时, it’s important to consider if the subservice organization receives a SOC report or another certification that will allow you to monitor their control environment.
Monitoring Your Subservice Organization
When choosing to rely on the controls that a subservice organization is performing, it is important to consistently review the control reports (e.g., SOC reports) as they are made available.
When reviewing the subservice organization’s SOC reports, check to see if the subservice organization received a clean opinion or any exceptions on controls that could have an impact to the service you are providing to your clients.
If the subservice organization does not have a SOC report, it’s important to find an alternate approach to monitor the controls that are being relied on. This could mean requesting vendor questionnaires or even setting up recurring meetings with the subservice organization for monitoring.
为下一次SOC审核做准备
It is important to note that whether you use the inclusive or carve-out reporting method, you must disclose any use of services provided by a subservice organization in your audit report.
用于下次SOC审核, do you need to decide whether to have an inclusive or carve-out report to represent your subservice organization?
After considering the positives and negatives of both methods, you can now make an informed decision on what is best for you and your customers.
If you need help determining subservice organizations, have questions on audit reporting methods, 或任何其他SOC问题, feel free to contact our team directly at (电子邮件保护).
相关资源
Our team of experienced risk advisory professionals focus on collaborating with your organization to identify and effectively mitigate risks. Our goal is to understand not only the risks related to potential loss to the organization, but to drive solutions that add value to your organization and advise on opportunities to ensure minimal disruption to your business.
探索我们的全部 风险咨询bet9平台游戏 提供或与团队联系 (电子邮件保护)
