Get A Fixed Fee Quote Today Request a Free Quote

SOC 1 SSAE 18 provides guidance on addressing services provided by a "subservice organization" for which service organization should strive to adhere to. First and foremost, what is a service organization? It's simply a service organization that is used by another service organization that assists in or participates in providing services to the actual user entity.

For example, if a use entity outsource medical claims processing to company A, and in turn, company A outsources various aspects of the claims processing, such as billing of medical claims, to company B, then company B would be identified as the subservice organization in this scenario. As such, company A would have an obligation to address the services provided by the subservice organization. This can be done for SOC 1 SSAE 18 reporting by utilizing the carve-out method or the inclusive method. Alternatively, a subservice organization could also undergo their very own SOC 1 SSAE 18 Type 1 or Type 2 engagement in further helping facilitate reporting requirements for the service organization.

For the carve-out method, the service organization's description of its "system" is to include the services performed by the actual subservice organization, but excludes the control objectives and related controls of the subservice organization. And though the actual control objectives and related controls of the subservice organization are excluded, management of the service organization should include within their description of its "system" the controls that are used to effectively monitor the subservice organization.

For the inclusive method, the service organization's description of its "system" is to include the services performed by the actual subservice organization, and to also include the control objectives and related controls of the subservice organization.

What's interesting to note is that many subservice organizations may in fact be deemed an actual primary service organization by another user entity, thus they may very well have to undergo SOC 1 SSAE 18 compliance themselves.

For assistance on understanding reporting requirements for subservice organization regarding SOC 1 SSAE 18 compliance, contact a well-qualified, IR CPA firm today.  Receive a competitive, fixed-fixed fee for SSAE 16 today. Call Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706, ore email him at This email address is being protected from spambots. You need JavaScript enabled to view it. today.

Since 2006, NDNB has been setting the standard for security & compliance regulations