Practical Steps for Monitoring Subservice Organizations
A subservice organization is a third-party vendor that performs essential functions on behalf of a service organization — functions critical enough that their failure could directly disrupt operations or customer service delivery. Monitoring subservice organizations is a requirement under the AICPA’s SOC 1 and SOC 2 frameworks and a key component of effective third-party risk management.
This guide outlines practical, structured steps for identifying subservice organizations, reviewing vendor-provided documentation, conducting internal assessments, and building an ongoing monitoring program that holds up to auditor scrutiny.
Key Takeaways
- Subservice organizations are critical third parties whose control failures can directly impact your operations and SOC audit results.
- A vendor risk assessment identifies which vendors qualify as subservice organizations and determines appropriate monitoring frequency.
- SOC reports, certifications, and policy documents remain the primary tools for evaluating a subservice organization’s control environment.
- When vendor documentation is unavailable, security questionnaires and site visits provide alternative assessment methods.
- Service-level agreements (SLAs), key performance indicators (KPIs), and scheduled performance reviews form the backbone of ongoing subservice organization oversight.
What Is a Subservice Organization?
A subservice organization is a third party that performs functions so integral to a service organization’s operations that any lapse in their performance can directly affect the service organization’s customers or control environment. This distinguishes subservice organizations from ordinary vendors.
For example, if your organization provides a cloud-based Software as a Service (SaaS) platform, your cloud infrastructure provider qualifies as a subservice organization. An outage or security incident on their end can directly disrupt your service delivery. The American Institute of Certified Public Accountants (AICPA) recognizes this in its SOC 1 and SOC 2 guides, which instruct service auditors to assess how organizations monitor their subservice organizations. Unmanaged subservice organization risks can introduce control deficiencies that affect user entities and compromise your own SOC report.
Why Does Monitoring Subservice Organizations Matter?
Inadequate oversight of subservice organizations creates compliance gaps, operational vulnerabilities, and audit findings that can negatively affect your SOC report. During a SOC audit, your auditor reviews how well your organization identifies, evaluates, and manages risks introduced by subservice organizations. A qualified or adverse (negative) opinion on a subservice organization’s own SOC report can affect your audit outcome if the auditor determines those issues were not recognized or appropriately managed.
Effective monitoring demonstrates control, supports compliance, and protects your organization’s ability to serve customers without interruption.
Step 1: Conduct a Vendor Risk Assessment
Vendor monitoring begins with a structured vendor risk assessment. This process identifies all vendor relationships within your organization and assigns each a risk rating based on standardized attributes.
Relevant attributes include:
- Risk categories: Reputation, compliance, and financial risk
- Operational factors: Vendor spend, nature of data handled, and criticality to daily operations
The risk rating determines which vendors qualify as subservice organizations — and how intensively each should be monitored. Most organizations structure review frequencies as follows:
- Critical subservice organizations: Monitored annually
- Moderate-risk vendors: Reviewed every two years
- Low-risk vendors: Reviewed every three years or at contract renewal
This tiered approach concentrates time and resources where the risk is greatest, while still maintaining visibility across all vendor relationships.
Step 2: Review Vendor-Provided Documentation
SOC Reports
SOC reports are the most widely accepted tool for evaluating a subservice organization’s control environment. Reviewing subservice organization SOC reports allows you to assess the effectiveness of their controls and understand your own responsibilities within that environment.
When reviewing these reports:
- Confirm the report type and period. A Type 2 report covers the operating effectiveness of controls over a period, while a Type 1 covers design at a single point in time. If the report period ends before your own audit period does, request a bridge letter covering the gap
- Verify that the services and locations you actually consume fall within the report’s scope; a report on one product line or data center says nothing about the others
- Avoid common review mistakes that can result in missed findings (see Are You Guilty of These 3 SOC Report Review Mistakes?)
- Identify complementary user entity controls (CUECs), which define the control responsibilities your organization must fulfill to support the subservice organization’s control objectives (see Understanding Complementary User Entity Controls)
- Document CUEC compliance in a checklist or software platform, recording how your organization addresses each relevant control
- Flag qualified or adverse opinions and significant findings, as these will be reviewed by your service auditor and may affect your own SOC report (see SOC Report Opinions — Understanding Your Results)
Certifications
When a subservice organization does not issue a SOC report, other certifications can provide comparable assurance. ISO 27001, PCI DSS, and HITRUST each involve a structured assessment of a vendor’s control environment and can serve as credible alternatives when evaluating subservice organization risk. Confirm that the certificate is current and that its stated scope (for ISO 27001, the certification scope and Statement of Applicability; for PCI DSS, the Attestation of Compliance) actually covers the services you consume, since a certification issued to one business unit or facility provides no assurance over the others.
Policies, Procedures, and Other Reports
Many subservice organizations supplement attestation reports with excerpts from policies, procedures, or operational overview documents. Additional third-party reports — such as those from a contracted penetration tester or an internal audit department — may also be available on request. Accessing these materials typically requires executing a non-disclosure agreement.
Step 3: Conduct Internal Reviews When Documentation Is Unavailable
When a subservice organization cannot or will not provide sufficient documentation, internal review methods fill the gap.
Security Questionnaires
A custom security questionnaire allows your organization to gather targeted information directly from the subservice organization. This approach is especially valuable when standard attestation reports do not address your industry’s specific compliance or regulatory requirements. Questionnaires can be tailored to reflect the precise controls and risk areas most relevant to your operations.
Site Visits and On-Site Audits
Site visits are less common due to cost and the need for vendor cooperation, but they serve an important function in specific situations:
- Data centers: Physical security and environmental controls may not be fully addressed in written reports
- Red flag situations: When vendor documentation or performance raises concerns that require direct investigation
An on-site audit provides visibility that no remote review can replicate.
Step 4: Monitor Against SLAs and KPIs
If your vendor contract includes service-level agreements, regular monitoring of SLA compliance is a straightforward and effective oversight mechanism. Vendors should provide performance reports on a defined schedule. When an SLA is not met, the vendor should document the cause and the corrective action taken. Many organizations schedule recurring meetings with subservice organizations to review these metrics proactively and address performance issues before they escalate.
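The availability check described above, as an added example that is not part of the original page and not tied to any particular vendor’s reporting format: it takes a list of outage records for a reporting month, clips outages that straddle the window boundary, merges overlapping incidents so downtime is not double counted, compares the resulting availability against a contractual target, and flags any outage that lacks the documented root cause and corrective action the text calls for. The SLA target of 99.9 percent and the outage records are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass
class Outage:
    """One vendor-reported outage. Root cause and corrective action are what
    the SLA clause requires the vendor to document for every missed target."""
    start: datetime
    end: datetime
    root_cause: str = ""
    corrective_action: str = ""


def _clip(outage, window_start, window_end):
    """Return the part of an outage that falls inside the reporting window, or None."""
    s = max(outage.start, window_start)
    e = min(outage.end, window_end)
    return (s, e) if e > s else None


def merged_downtime_seconds(outages, window_start, window_end) -> float:
    """Total downtime inside the window with overlapping outages merged,
    so two tickets for the same incident are not counted twice."""
    intervals = sorted(i for i in (_clip(o, window_start, window_end) for o in outages) if i)
    total = 0.0
    cur_start = cur_end = None
    for s, e in intervals:
        if cur_end is None or s > cur_end:       # gap before this interval: close the previous run
            if cur_end is not None:
                total += (cur_end - cur_start).total_seconds()
            cur_start, cur_end = s, e
        else:                                     # overlap or adjacency: extend the current run
            cur_end = max(cur_end, e)
    if cur_end is not None:
        total += (cur_end - cur_start).total_seconds()
    return total


def evaluate_sla(outages, window_start, window_end, target_pct: float) -> dict:
    """Compare measured availability for the window against the SLA target and
    report outages that were not documented as the contract requires."""
    window_seconds = (window_end - window_start).total_seconds()
    downtime = merged_downtime_seconds(outages, window_start, window_end)
    availability = 100.0 * (1.0 - downtime / window_seconds)
    undocumented = [
        o for o in outages
        if _clip(o, window_start, window_end) and not (o.root_cause and o.corrective_action)
    ]
    return {
        "downtime_seconds": downtime,
        "downtime_budget_seconds": window_seconds * (1.0 - target_pct / 100.0),
        "availability_pct": round(availability, 3),
        "breached": availability < target_pct,
        "undocumented_outages": len(undocumented),
    }


# Constructed sample data for January 2025 (hypothetical vendor report, not from the page).
WINDOW_START = datetime(2025, 1, 1, tzinfo=UTC)
WINDOW_END = datetime(2025, 2, 1, tzinfo=UTC)
SLA_TARGET_PCT = 99.9  # assumed contractual availability target

SAMPLE_OUTAGES = [
    # Started in December; only the 20 minutes after midnight count for January.
    Outage(datetime(2024, 12, 31, 23, 30, tzinfo=UTC), datetime(2025, 1, 1, 0, 20, tzinfo=UTC),
           "failed upgrade", "rollback procedure added to change process"),
    # Two tickets for one incident; merged to 10:00-10:40, not 30 + 20 minutes.
    Outage(datetime(2025, 1, 15, 10, 0, tzinfo=UTC), datetime(2025, 1, 15, 10, 30, tzinfo=UTC),
           "core switch failure", "redundant uplink installed"),
    Outage(datetime(2025, 1, 15, 10, 20, tzinfo=UTC), datetime(2025, 1, 15, 10, 40, tzinfo=UTC)),
]

if __name__ == "__main__":
    result = evaluate_sla(SAMPLE_OUTAGES, WINDOW_START, WINDOW_END, SLA_TARGET_PCT)
    for key, value in result.items():
        print(f"{key}: {value}")
```

With the constructed data the month carries 60 minutes of downtime against a budget of roughly 44.6 minutes, so the SLA is breached and one of the outages has no root cause or corrective action on file, which is exactly the item to raise at the next scheduled vendor review.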
How to Build a Formal Vendor Management Program
A formal vendor management program transforms individual monitoring activities into a structured, repeatable process. The program defines:
- Who is responsible for gathering and reviewing vendor documentation
- How reviews are conducted based on assigned risk ratings
- How findings are recorded and escalated when necessary
This framework provides auditors with clear evidence that subservice organization risks are actively managed. It also creates accountability internally, reducing the likelihood that monitoring tasks fall through the cracks during busy periods or organizational transitions.
Frequently Asked Questions
Q: How do I determine whether a vendor qualifies as a subservice organization?
A: A vendor qualifies as a subservice organization when their failure to perform could directly disrupt your operations or your ability to serve customers. Conduct a vendor risk assessment and evaluate factors such as the criticality of the function performed, the nature of data handled, and the operational impact of a service failure.
Q: What happens if my subservice organization has a negative opinion on their SOC report?
A: A negative opinion on a subservice organization’s SOC report does not automatically result in a negative opinion on your own report. However, your service auditor will assess whether your organization identified the issue and managed it appropriately. Documenting your awareness of the finding and any compensating controls your organization implemented is critical.
Q: Can I rely on a subservice organization’s ISO 27001 certification instead of a SOC report?
A: ISO 27001 certification provides meaningful assurance about an organization’s information security management system and can be used as an alternative when a SOC report is not available. However, ISO 27001 and SOC reports assess different things. SOC 2 reports evaluate controls mapped to the AICPA’s Trust Services Criteria, while ISO 27001 focuses on information security management practices. Depending on your audit requirements, your service auditor may require additional documentation to supplement an ISO 27001 certification.
Q: How often should I review a subservice organization’s documentation?
A: Review frequency should be based on the risk rating assigned during your vendor risk assessment. Critical subservice organizations typically require annual review, moderate-risk vendors every two years, and lower-risk vendors every three years or at contract renewal.
Build Oversight That Holds Up to Scrutiny
Monitoring subservice organizations is not a one-time exercise. A structured vendor risk assessment identifies where risk is concentrated. A formal vendor management program defines how that risk is reviewed, documented, and managed over time. Together, these practices demonstrate control to auditors and reduce the likelihood of findings that affect your SOC report.
For questions about monitoring subservice organizations or building a vendor management program suited to your organization’s needs, contact Wolf and Company’s SOC Reporting team.