During our review of our critical vendors that are within scope, we document subservice organizations. Our external auditors are requesting that we document how each subservice organization is applicable to us in our review. Does anyone have suggested verbiage you use to document how the subservice organizations are applicable to the services provided?
Usually, the SOC report lists what the subservice organization is used for.
We track how many of our vendors use the same subservice organization (e.g. X number use AWS, Y number use Azure, etc.). We use this information to identify concentration risk, and perform due diligence. Often the big subservice organizations have a lot of information available publicly.
We also track how many subservice organizations each of our critical and/or high-risk vendors use. We use this information to identify where we need to do a deeper dive on our vendor's VM process.
We note the subservice organizations in our review from the SOC report. We are trying to determine how to word what is applicable to us, such as a data center. We start by saying that XYZ uses subservice organization ABC for data center hosting and that it is applicable to our services. We review ABC in conjunction with XYZ's SOC report due to financial reporting and GLBA controls. I am just questioning whether this would be enough for an external auditor. Has anyone else experienced having to be more specific for external auditors?
Why did you start documenting the subservice organizations? What do you do with the information once you have it? Your answers are your narrative.
Or you can ask the auditor what they are looking for.