Practical Steps for Monitoring Subservice Organizations

What Are Subservice Organizations & Why Do They Matter?

If your organization is considering a SOC report, you’ve likely encountered the term “subservice organization,” and wondered what it means and how it impacts you. Subservice organizations are third parties that play a crucial role in supporting your business by performing essential functions.

Unlike traditional vendors, a subservice organization’s failure to meet commitments can directly impact your operations or your ability to serve customers. For example, if you provide a cloud-based Software as a Service (SaaS) platform, your cloud provider would be considered a subservice organization, as any outage or issue on their end could significantly disrupt your business.

Although subservice organizations are essential to your business, they also introduce additional cybersecurity, privacy, financial, and/or operational risks that need to be managed. The American Institute of Certified Public Accountants (AICPA) recognizes this in their SOC 1 and SOC 2 guides, used by service auditors to assist organizations seeking SOC reports.

These guides emphasize the importance of monitoring subservice organizations to avoid risks or control deficiencies that could negatively impact user entities. In this article, we detail the following practices for effective management of subservice organizations, which can be used in conjunction with each other.

Vendor Risk Assessment

Vendor reviews typically begin with a vendor risk assessment, identifying all vendor relationships within your organization. For each identified vendor, it’s important to assess the associated risks using standardized attributes that apply across all vendors. These attributes might include specific risk categories such as reputation, compliance, and financial risk, or more basic attributes like vendor spend, the nature of data handled, and their critical role in daily operations. Overall, the attributes help evaluate various risks presented by each vendor and support in assigning an appropriate risk rating.

The assigned risk rating should help identify which vendors are subservice organizations (and therefore more critical) and which are less significant with lower risks. This enables you to prioritize your monitoring efforts, focusing time and resources on those vendors that are more essential to your organization. Most organizations will set review frequencies based on vendor risk levels: critical subservice organizations are monitored annually, moderate-risk vendors every two years, and low-risk vendors every three years or at contract renewal. Similarly, you can alter the thoroughness of review performed based on the assigned risk ratings.

Below, we will outline the materials vendors provide for monitoring, as well as internal steps to track vendors that may not offer such materials. These items should always be considered for subservice organizations, and can be evaluated as needed for vendors with lower risk.

Vendor Provided Documentation

SOC Reports

Similar to your own organization, your subservice organizations should be issuing their own SOC reports on a defined frequency. SOC reports remain the most widely accepted and common tool for understanding vendor control environments and assessing the effectiveness of their controls. It’s crucial to carefully review the SOC reports issued by your subservice organizations while avoiding common mistakes. These reports will also highlight complementary user entity controls (CUECs), which outline your control responsibilities to ensure the effectiveness of their control environments.

Organizations should review all CUECs detailed in the reports and document in a checklist (or software) how your organization is achieving all relevant CUECs. Finally, it is important to review their SOC reports to determine if a negative opinion has been issued or any significant findings have been identified. These items will be reviewed by your service auditor during your own SOC audit. Negative opinions by subservice organizations can impact your own report if the auditor feels such issues were not recognized or properly managed from a vendor management perspective.

Certifications

If your subservice organizations don’t issue SOC reports, they may have other certifications that provide assurance about their control environment, such as ISO 27001, PCI-DSS, and HITRUST. While these aren’t SOC reports, they offer similar insights into the controls in place at the subservice organization and their effectiveness.

Policies, Procedures & Other Reports

Many subservice organizations understand that an attestation report alone may not meet customer monitoring requirements. To address this, they often provide excerpts from policies, procedures, or other overview documents related to specific practices. Additional reports, such as those from a contracted penetration tester or internal audit department, may also be available upon request. Accessing these documents typically requires executing a non-disclosure agreement.

Internal Review

Security Questionnaire

If your subservice organizations lack necessary attestation reports or won’t provide other documents, you can create your own security questionnaire for them to complete. This approach offers flexibility, allowing you to tailor the questionnaire to your specific needs, including control and compliance requirements based on your industry and regulatory expectations.

Site Visits & Audits

A less common method of monitoring involves conducting a site visit or audit at a subservice organization’s location. This approach is typically not pursued due to the costs and need for cooperation from the subservice organization. A site visit is most beneficial for data centers, where concerns about physical security and environmental controls may not be fully addressed in vendor reports. An on-site audit is also useful when red flags in vendor materials or performance require further clarification.

Monitoring Against Service-level Agreements (SLAs) & Key Performance Indicators (KPIs)

If SLAs are included in your contract, it may be beneficial to consider whether the vendor is meeting those defined SLAs. The vendor should provide reports verifying their performance, and you should regularly review these to identify any discrepancies. If an SLA is not met, the vendor should explain why and how the issue was addressed. Many organizations schedule recurring meetings with subservice organizations to proactively manage performance and discuss these metrics.

Mitigate Third-Party Risk & Streamline Monitoring With a Strong Vendor Management Program

Monitoring subservice organizations doesn’t have to be a daunting task. By conducting a vendor risk assessment to identify where your organization faces the most risk, you can prioritize where to focus your efforts. From there, a formal vendor management program provides direction on who is responsible for gathering and reviewing documentation, and how that review should be performed and recorded. These practices support a strong oversight framework and help you demonstrate control to auditors during your SOC audit.

If you have any questions regarding monitoring subservice organizations or want to discuss your organization’s vendor management program, reach out to a member of our SOC Reporting team today.