The Role of SOC Reports for Subservice Organizations
If a subservice organization (e.g., payroll processors, software firms, IT support, or medical billing functions) processes sensitive data, handles financial transactions, or provides critical services to clients, it may require a System and Organization Controls (SOC) report to demonstrate its commitment to internal controls and compliance. Subservice organizations are third-party entities such as process outsourcers and tech companies contracted by service organizations to perform specific functions or to provide services on behalf of the primary organization.
Many companies simply function more efficiently and profitably by outsourcing tasks or entire functions to outside entities that can provide more robust infrastructure and specialized personnel, e.g., payroll processors, software firms, IT support, or medical billing functions. While an organization may outsource key functions, it cannot outsource its responsibilities. This is where a SOC report can help facilitate trust and transparency with its customers about its relationship with subservice organizations.
Which SOC report do you need?
SOC reports provide management with a comprehensive overview of a subservice organization’s control structure. In short, they help in assessing and addressing the risks associated with outsourcing that service.
There are two main types of SOC reports, SOC1 and SOC2. SOC1 reports cover internal controls over financial reporting for use by auditors and customers, whereas SOC2 reports cover security, availability, processing integrity, confidentiality, or privacy for use by user entities, potential customers, regulators, business associates, and others. One major difference between the two is that a SOC2 report is not used by auditors because it does not provide assurance over internal controls related to financial reporting.
To determine your need, ask yourself:
- What am I contractually obligated to do? AAFCPAs has seen many situations where sales teams check the boxes on a Request for Proposal response and the rest of the organization does not know what they committed to.
- What services do we provide? Do they directly impact the financial reporting of our clients (SOC1), or do they involve the processing, storage, or transmission of clients’ sensitive data (SOC2)?
- What are our clients’ requirements? Do they require assurance regarding internal controls over financial reporting (SOC1) or are they more concerned about the security, availability, processing integrity, confidentiality, and privacy of their data (SOC2)?
- Which regulations apply to our industry and matter to our clients, even where they are not strictly required of us? Are we subject to specific regulatory requirements such as Sarbanes-Oxley (SOC1), or do we need to adhere to industry-specific standards like GDPR, HIPAA, PCI DSS, SOC2, or LADMF? AAFCPAs has worked with many clients who go down the SOC2 path but also need to comply with a multitude of standards. SOC2 can be the basis for complying with other standards and, of special note, HIPAA can be attested to in a SOC2+HIPAA report.
- What are our business objectives? Do we seek to align with demonstrating the effectiveness of financial reporting controls (SOC1) or with showcasing a strong security, confidentiality, availability, processing integrity, and/or privacy posture to attract and retain customers (SOC2)?
- What risks do we manage? Do they include financial misstatement risks (SOC1) or risks related to data breaches, system outages, unauthorized access, and compliance failures (SOC2)?
Within SOC1 and SOC2, organizations can opt for a Type 1 or a Type 2 report. Type 1 reports cover controls in place at a single point in time, while Type 2 reports go a step further and test whether controls were designed and operating effectively over a period of time. Oftentimes we recommend that clients begin with a Type 1 and move into a Type 2. Because the Type 1 serves as preparation for the Type 2, it gives clients a way of showing progression to their own clients and reduces the risk of controls not being fully implemented during the Type 2 examination.
When you consider controls, you also begin to realize that they don’t exist in a vacuum. Controls in place at a subservice organization only work if the company outsourcing those services has proper controls in place as well. A section on Complementary Subservice Organization Controls (CSOCs) outlines controls that should be put in place to ensure a system of controls between service organization and subservice organization exists to support the objectives in the SOC 1 or criteria in the SOC 2.
Know your responsibilities.
The complementary subservice organization controls section of a SOC report will detail client management responsibilities. While certain sections may not be applicable, AAFCPAs advises that clients read through their responsibilities to ensure they have controls in place to manage each one, or document why a given control is not applicable. We advise that clients document their process in a list of all user controls, noting which controls are completed by the client and which are completed by their own organization. These are called Complementary User Entity Controls (CUECs). Just as CSOCs link the service organization to its subservice organizations, CUECs together with our client’s SOC report form the last link that ensures a full system of controls exists, so that one can rely on the objective or criterion. When identifying CUECs, it is good practice to document the name and title of the individual performing the control, the control frequency, and how and where evidence is maintained.
Occasionally there may be a gap in responsibilities between a service organization and a subservice organization in achieving specific objectives and criteria. For instance, the company you outsource to might itself use a particular SaaS solution or cloud hosting provider. This is important to know but does not need to be included in the report per se. Instead, the Independent Service Auditor’s Report within the SOC report will identify a carve-out signifying which specific service providers are used by the subservice organization.
How We Help
A SOC report is a valuable exercise that can enhance trust, align with various regulatory requirements and industry standards, streamline due diligence processes, boost customer confidence, provide vendor assurance, and mitigate risk by identifying controls in processes you may not have thought about. SOC reports also provide a competitive advantage for companies looking to differentiate themselves and attract more business. Oftentimes, though, businesses aren’t aware they need a SOC report until a large prospect requires it. AAFCPAs can work with you to help you understand your control environment, where you stand, and where you could be, to ensure optimal preparation and peace of mind.
If you have questions, please contact Jennifer Le Vine, CPA, Director, Business & IT Consulting at 774.512.4036 or jlevine@nullaafcpa.com—or your AAFCPAs Partner.