Wipfli logo
Insights - Articles, Blogs and on-demand webcasts

Articles & E-Books


What are complementary subservice organization controls, and why do they matter?

Aug 18, 2020

Whether it’s with your customers or your third-party vendors, long-lasting relationships are built on trust and assurance.

Customers come to understand the effectiveness of a service organization’s controls through reports, such as SOC reports, assertion letters and various testing. This allows your customers to have a high level of confidence that you follow practices that can be relied on and that your organization protects what the customer feels is important and potentially sensitive and relies on your organization to deliver. In turn, this level of confidence assists your customers so they can deliver their products and services to their customers. It’s a relationship built on trust. 

It is also the responsibility of customers to verify that what they trust in their relationship with your organiation is provided as it is stated. This reciprocal relationship benefits everyone involved and solidifies continued strong relationships while each organization provides their unique part of the puzzle (i.e., a reliable product or service offering). Similar to a relationship a contractor may have with a subcontractor, your organization may rely on a subservice organization. 

It is the purpose of this article to help you identify relationships that you rely on where the third-party would be identified as a subservice organization. In addition, we will help you identify the degree that you need to perform this level of due diligence and ongoing monitoring to ensure the trust relationship is maintained.

What is a subservice organization?

Organizations may work with several third parties to maintain their environment and provide their product or service to customers. When you rely on a third party to meet your organization’s objectives as they pertain to supporting the controls your organization is asserting to within your SOC report, the third party is considered to be a subservice organization. 

The AICPA defines a subservice organization as a supporting vendor, contractor or service provider that delivers or assists in the delivery of a service relied upon to support the organizations’ service commitments and system requirements. In an update to the Statements on Standards for Attestation Engagements (SSAE) No. 18, which was released in April of 2016, additional requirements relating to the use of subservice organizations have been expanded. Based on the relationship, your organization may want to include the subservice organization within your attestation, rely on the existence of a SOC report from the subservice or otherwise carve out the existence of the subservice organization within the scope of your examination.

Why does it matter to those who read your report or matter to you?

In a manner of speaking, if your organization is directly in control of the attributes that address the operation of the in-scope system and/or service commitments or requirements, then you do not rely on the subservice organization’s controls. However, if you rely on the organization, you contract with to manage all or a portion of the controls, and your organization should obtain assurance that the controls the subservice organization has will result in assurance to the reader of your SOC report and their customers.

The reliance on the subservice organization’s controls are reliant on relationship that your organization has with the subservice organizations you work with. The following are things you should take into consideration when determining your reliance on third parties and whether or not to include the subservice organization in scope of your assessment:

Review the subservice organization controls: If your organization relies on the subservice organization to maintain the security of information you physically store or transmit to the subservice organization, then you will want to ensure that the controls you expect to be in place are satisfied by any assurances you receive from the subservice organization.

Determine controls within the organization to support subservice organizations: Review the controls that you are asserting to and determine which controls are provided by the subservice organization. Depending on the amount of reliance or the extent of controls the subservice organization is associated with, work to determine whether the subservice organization will be able to provide reasonable assurance related to the scope of your assessment.

Review controls to ensure your trust can be validated: It is important to know if the subservice organization’s SOC report contains the controls that you rely on to provide a system or service related to the scope of your assessment. If you are relying on their expertise, then you want to show they are performing the control so you can be assured the control is implemented. Some controls can be physical access to the building where your information is stored, access controls to systems that host your information, or even a maintenance provider that the organization relies on to ensure availability is maintained.

To summarize, the subservice organizations you work with support the assurance you provide to your customers. A subservice organization represents you for the controls you rely on the subservice organization for. If a subservice organization you use handles your information, it’s important to know they have the controls that are expected of your organization in place, and that your organization receives its own assurances in the form of SOC reports or other testing to ensure that they best represent you.

If you would like to learn more about SOC for Service Organizations, click here. Or continue reading on:

SOC exams for service organizations

How to read a SOC report

SOC for Cybersecurity vs. SOC 2: 5 key differences


Wipfli logo square

Wipfli Editorial Team