The SSAE 16 standard provides guidance on addressing services provided by a "subservice organization," guidance that service organizations should strive to adhere to. First and foremost, what is a subservice organization? It's simply a service organization that is used by another service organization and that assists in or participates in providing services to the actual user entity.
For example, if a user entity outsources medical claims processing to company A, and in turn, company A outsources various aspects of the claims processing, such as billing of medical claims, to company B, then company B would be identified as the subservice organization in this scenario. As such, company A would have an obligation to address the services provided by the subservice organization. This can be done for SSAE 16 reporting by utilizing the carve-out method or the inclusive method. Alternatively, a subservice organization could also undergo its very own SSAE 16 Type 1 or Type 2 engagement to further help facilitate reporting requirements for the service organization.
For the carve-out method, the service organization's description of its "system" is to include the services performed by the actual subservice organization, but to exclude the control objectives and related controls of the subservice organization. And though the actual control objectives and related controls of the subservice organization are excluded, management of the service organization should include within its description of its "system" the controls that are used to effectively monitor the subservice organization.
For the inclusive method, the service organization's description of its "system" is to include the services performed by the actual subservice organization, and to also include the control objectives and related controls of the subservice organization.
What's interesting to note is that many subservice organizations may in fact be deemed an actual primary service organization by another user entity, thus they may very well have to undergo SSAE 16 compliance themselves.
For assistance in understanding reporting requirements for subservice organizations regarding SSAE 16 compliance, contact a well-qualified, PCAOB CPA firm today.
Receive a competitive, fixed fee for SSAE 16 today. Call Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706. Learn more about NDB's complimentary SOC 1 Policy Packets and SOC 2 Policy Packets. They truly make a big difference in helping service organizations save thousands of dollars on SOC compliance.