Can I include multiple subservice organizations within my SOC 1?
Absolutely. The services and controls at each subservice organization should be reviewed to determine their impact to the internal control over financial reporting to the user entity of the service organization, and evaluated to determine if each subservice organization should be carved out or included within the service organization’s SOC 1 report.
The audit opinion letter can carve-out all applicable subservice organizations, include all applicable subservice organizations, or use a combination approach to carve-out certain subservice organizations and include others, as applicable and necessary based on the scope of the examination and services provided.
About the AuthorMore Content by Lauren Edmonds