The A-LIGN Blog


Does Your SOC Report Address Subservice Organizations Using the Carve Out or Inclusive Method?

By: Peter Clarke, Managing Consultant at A-LIGN

A subservice organization is an entity that the service organization uses to perform some of the services it provides to its customers (user entities).  A common example is a company that provides data center services to a cloud provider (the service organization).  The service organization relies on processes and controls implemented at the subservice organization to meet the Control Objectives or Trust Services Principles of the SOC report.

When a subservice organization is utilized by the service organization, there are two methods for reporting on the processes and controls at the subservice organization.  First, the processes and controls can be included as a part of the report.  This is the Inclusive method.  Second, the processes and controls can be excluded from the report.  This is the Carve Out method.  Each method requires that the service organization take steps to determine whether controls are in place and operating effectively to meet the needs of the end user (customer).

In a SOC report where the Inclusive method is utilized, the following considerations must be evaluated:

  • Is the subservice organization assertion letter included along with the service organization assertion letter?
  • Are there any exceptions noted within the report?
    • If so, what compensating or mitigating controls are in place to eliminate or reduce the risk associated with the exception?

In a SOC report where the Carve Out method is utilized, the following considerations must be evaluated:

  • What services are performed by the subservice organization that are relevant to the services offered to the customer?  Normally, these services are explained briefly as part of the carve out language within the SOC report.
  • Does the subservice organization issue a SOC report on the services not included as part of the service organization report?
  • Does the service organization report or any subservice organization report contain exceptions?
    • If so, what compensating or mitigating controls are in place to eliminate or reduce the risk associated with the exception?
  • Have you reviewed the service organization's complementary user entity controls (CUECs) to determine whether there are controls within the subservice organization report that address the CUECs?
    • If not, what additional controls are in place at the user entity (customer) that would mitigate the absence of controls for any of the CUECs?

Each of the considerations noted above for the Carve Out or Inclusive method must be evaluated by the user entity (customer), depending on the method used in the report.  The most common method within SOC reports is the Carve Out method, as it does not require the same level of review between management of the service organization and the subservice organization that issuing a combined Inclusive report does.  Many organizations will not issue an Inclusive report due to the level of coordination involved, the scrutiny of the report by both entities' legal departments, and because management from both organizations must assert to the contents of the SOC report.

If you have additional questions about the Carve Out or Inclusive method or how A-LIGN can provide a SOC assessment for your organization, please call: 888-702-5446 or email us at info@a-lign.com.
