By now, many organizations have begun to receive control audit reports covering 2017 (SOC1/SSAE18 and SOC2). One element of note is the emergence of subservice organizations, or fourth parties, in reports generated after May 1, 2017.
It is interesting to see the reveal of underlying providers (fourth parties) within the updated reporting formats. While these new formats intentionally define what is being performed by contracted fourth parties, the disclosure of who is performing these efforts is often not as revealing as we expected or hoped. At times, there is a fog placed on the identities of fourth parties; phrases like "industry-recognized third party" or "subservice organization" are inserted in place of the names of the companies your vendors have outsourced responsibilities to.