Can I include multiple subservice organizations within my SOC 1?

July 20, 2015 Lauren Edmonds

Can I include multiple subservice organizations within my SOC 1?

Absolutely. The services and controls at each subservice organization should be reviewed to determine their impact to the internal control over financial reporting to the user entity of the service organization, and evaluated to determine if each subservice organization should be carved out or included within the service organization’s SOC 1 report.

The audit opinion letter can carve-out all applicable subservice organizations, include all applicable subservice organizations, or use a combination approach to carve-out certain subservice organizations and include others, as applicable and necessary based on the scope of the examination and services provided.

About the Author

Lauren Edmonds

Lauren is a Principal at Schellman with over 10 years of attestation and compliance experience. Lauren has evaluated risks and controls for a number of industries including financial services, manufacturing, marketing, distribution and service-based organizations.

More Content by Lauren Edmonds
Previous Article
Disaster Recovery Controls Within My SOC 1?
Disaster Recovery Controls Within My SOC 1?

Can I Have Disaster Recovery Controls Within My SOC 1 Test of Controls Matrix?

Next Article
SOC 1 / SSAE 16 - What is the Difference?
SOC 1 / SSAE 16 - What is the Difference?

When referring to SSAE16 or SOC 1, what is the difference and how do you use these acronyms appropriately? ...



Risk Assessment Requirements For SOC

Webinar on August 17th @ 1pm EDT

REGISTER