Subservice Organization Will Not Provide Management Assertion Letter
What if my subservice organization will not provide me a management assertion letter for my SOC examination?
Inclusion of subservice organizations should be agreed to by the service organization and the subservice organization (SSO) prior to the start of the SOC engagement. If the SSO will not provide an assertion letter, the service organization can use the carve-out method and exclude the controls provided by the SSO from the scope of its SOC report. In this case, it is recommended that the service organization request a copy of the SSO’s SOC report.