By: Peter Clarke, Managing Consultant at A-LIGN
A subservice organization is an entity that the service organization uses to perform some of the services it provides to its customers (user entities). A common example is a company that provides data center facilities to a cloud provider (the service organization). The service organization relies on processes and controls implemented at the subservice organization to meet the Control Objectives (SOC 1) or Trust Services Principles (SOC 2) of the SOC report.
When a service organization uses a subservice organization, there are two methods for reporting on the subservice organization's processes and controls. Under the inclusive method, those processes and controls are included in the description and scope of the report. Under the carve-out method, they are excluded from the scope of the report, although the report still identifies the subservice organization and the services it provides. Under either method, the service organization must take steps to determine whether the subservice organization's controls are in place and operating effectively to meet the needs of the end user (customer).