Can I include multiple subservice organizations within my SOC 1?
Absolutely. The services and controls at each subservice organization should be reviewed to determine their impact to the internal control over financial reporting to the user entity of the service organization, and evaluated to determine if each subservice organization should be carved out or included within the service organization’s SOC 1 report.
The audit opinion letter can carve-out all applicable subservice organizations, include all applicable subservice organizations, or use a combination approach to carve-out certain subservice organizations and include others, as applicable and necessary based on the scope of the examination and services provided.
About the Author
Lauren is a Principal at Schellman with over 10 years of attestation and compliance experience. Lauren has evaluated risks and controls for a number of industries including financial services, manufacturing, marketing, distribution and service-based organizations.More Content by Lauren Edmonds