The Tale of the SOC Audit & Subservice Organization Carve Out vs Inclusive Method

Author: AICPA Guide SOC2
Category: SOC 2 and SOC 3 Audit

By successfully completing a SOC audit, a company demonstrates to current and potential customers that it has the proper internal controls in place to deliver superior and secure services. Moreover, it indicates that these controls are in place in totality. Often service providers will outsource part of the deliverable to another company that specializes in a function. Such a company is known as a subservice organization. For example, many software-as-a-service providers utilize Amazon Web Services (AWS); in that relationship, AWS is a subservice organization.

So, how exactly are subservice organizations examined? Either by the carve out method or the inclusive method. Let’s take a closer look at both.

When utilizing the carve out method, the subservice organization’s control systems are excluded from the description of the service organization’s system and from the report itself. You might be thinking red light, do not pass go, do not collect $200. Simply excluding these critical aspects sounds like a bad idea. However, consider what is still included in the description: a) an explanation of the services performed by the service organization, b) examples of controls that are expected to be performed by the subservice organization to ensure requirements are met, and c) the controls that the service organization employs to monitor the subservice organization’s controls.[i] Another item to consider is that the subservice organization may have completed its own SOC audit. In this case, the subservice organization’s SOC report can be requested.

Conversely, if the inclusive method is chosen, the service organization’s system description recognizes that a subservice organization is used and describes the services provided by the subservice organization as well as the controls the subservice organization has in place.[i] Because the subservice organization’s services and controls are included in the service organization’s system description, they are fair game for the auditor to inspect. It’s very important to understand that you can only use the inclusive method if you are able to get a statement of assertion from the subservice organization.

Not sure which method is right for you? It’s usually best to consult with an auditing firm to understand which method is the best fit for your situation. As the inclusive method essentially requires the cooperation of the subservice organization, it may not be an option. For example, many of our clients utilize AWS to house their software. Given Amazon’s size and its unwillingness to cooperate with a customer’s audit, the default is to utilize the carve out method.

[i] AICPA Guide SOC 2, January 1, 2018
