This message was posted by a user wishing to remain anonymous
Why did you start documenting the subservice organizations? What do you do with the information once you have it? Your answers are your narrative.
Or you can ask the auditor what they are looking for.
Original Message:
Sent: 07-19-2023 02:06 PM
From: Anonymous Member
Subject: Subservice Organizations
This message was posted by a user wishing to remain anonymous
We note the subservice organizations on our review from the SOC report. We are trying to determine how to word what is applicable to us. Such as a data center. We start by saying XYZ uses subservice organization ABC for data center hosting and is applicable to our services. We review ABC in conjunction with with XYZ's SOC report due to financial reporting and GLBA controls. I am just questioning if this would be enough for an external auditor. Has anyone else experienced having to be more specific for external auditors?
Original Message:
Sent: 07-19-2023 01:25 PM
From: Anonymous Member
Subject: Subservice Organizations
This message was posted by a user wishing to remain anonymous
Usually, the SOC report lists what the subservice is used for.
We track how many of our vendors use the same subservice organization (e.g. X number use AWS, Y number use Azure, etc.). We use this information to identify concentration risk, and perform due diligence. Often the big subservice organizations have a lot of information available publicly.
We also track how many subservice organizations each of our critical and/or high-risk vendors use. We use this information to identify where we need to do a deeper dive on our vendor's VM process.
Original Message:
Sent: 07-19-2023 11:59 AM
From: Anonymous Member
Subject: Subservice Organizations
This message was posted by a user wishing to remain anonymous
During our review of our critical vendors that are within scope we document subservice organization. Our external auditors are requesting we document how the subservice organization is applicable to us on our review. Does anyone have suggested verbiage you use to document how the subservice organizations are applicable to the services provided.