SOC Reporting Controls of Subservice Organization – Inclusive vs Carve Out Method

This article is written for service organizations that are going through or are considering a SOC report. The purpose of this text is to help explain how to handle controls of subservice organizations (1 A service organization used by another service organization to perform some of the services provided to user entities that are likely to be relevant to those user entities' internal control over financial reporting.). There are two methods for handling subservice organizations’ controls: Inclusive and Carve-Out.  

Inclusive Method 

The inclusive method is when the subservice organization’s controls and functions are included in the service organization’s description of the system. These controls and functions will be included in the scope of the report and therefore tested just as the service organization’s controls are tested. A written assertion from management must be signed by the subservice organization to state the accuracy of the controls as they pertain to the subservice organization’s services. The subservice organization must also be involved in the fieldwork, which makes communications and the ability to work together very important.  

Carve-Out Method 

The carve-out method allows an organization to “carve-out” or exclude the controls of the subservice organization from the scope of the engagement and report. However, it is the service organization’s responsibility to have controls in place to monitor the subservice organization to ensure their controls are functioning as intended. The monitoring of these controls will be included in the SOC examination and description of services.  

Which SOC Reporting Controls Method Should Be Used? 

When determining the best method for your organization, start by checking if the subservice organization has a type 1 or type 2 report that covers the outsourced services. The key here is to make sure the exact services you are using are covered in the SOC report. Organizations often have different SOC reports for various aspects of their business. If the subservice organization has a SOC report that covers the correct services, use the carve-out method. 

If the organization does not have a SOC report that covers the services your organization utilizes you will most likely want to use the inclusive method. As stated above, communication and cooperation with this subservice organization will be critical in a successful audit. They have to be willing to have their control environment tested as well as provide a written assertion from management. Most organizations are willing to do this as they don’t want to lose your business. If they aren’t cooperative and don’t have or plan to implement acceptable security controls, it may be time to consider a new subservice provider. 

Although the inclusive method is the preferred method for subservice organizations without a SOC report, the carve-out method can be used in this scenario as well. However, the controls covered by the subservice organization would then have to be excluded from the report and as a result your organization would not have a complete report to provide to customers. The gaps in the report may reduce the value of your SOC report and customers may raise questions regarding the completeness. 

In summary, if you can use the carve-out method, use it. It will save time, money and the hassle of including another organization into the conversations. If you have any uncertainty about which method is best for your organization, please contact us.