SOC 2 Carve-out vs. Inclusive Subservice Organizations

As you begin your SOC 2 pre-assessment or readiness phase, your SOC 2 service auditor will ask which of your vendors are subservice organizations and how each of them should be presented in the report. It really doesn't have to be as confusing as it sounds.

The first step is to perform a vendor risk assessment and classify each vendor as either critical or non-critical to the organization. Ask: if this vendor suffered a security incident or a business interruption, would it impair your ability to meet the SOC 2 trust services criteria? If so, the vendor is probably a subservice organization for your company. The more precise test, which is the one the AICPA uses, is whether the vendor's controls are necessary, in combination with your own controls, to provide reasonable assurance that your service commitments and system requirements are achieved. A vendor that merely supplies a commodity with no bearing on the in-scope criteria is not a subservice organization, however critical it may be to the business otherwise.

Trust Services Criteria

This assessment may change as you add additional trust services categories to your SOC 2 audit, because a vendor that is irrelevant to Security may become relevant once Availability or Confidentiality is in scope:

  • Security
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy

Once you have identified the vendors that are subservice organizations, you will need to decide, for each one, whether to present it in the report using the carve-out method or the inclusive method.

Under the carve-out method, the subservice organization's controls are not described or tested in the report. What is included are the service organization's own controls that monitor the subservice organization, for example obtaining and reviewing the subservice organization's SOC report and any bridge letter, tracking exceptions it reports, and reviewing the vendor relationship periodically. The report also discloses the controls that are assumed to be suitably designed and operating effectively at the subservice organization; these are referred to as complementary subservice organization controls (CSOCs). Readers of the report are expected to evaluate the CSOCs themselves, typically by obtaining the subservice organization's own SOC report, so the carve-out method works best when the subservice organization has such a report available. The controls at the subservice organization are outside the scope of the service auditor's examination when the carve-out method is used.

Under the inclusive method, the controls of the subservice organization are included directly in the report. The service auditor assesses the design and operating effectiveness of the subservice organization's controls, and the results of those tests appear in section four of the SOC report alongside the service organization's own control testing. Management of the subservice organization must also sign a management assertion and a management representation letter, and its assertion is included in section two of the report immediately after the service organization's assertion. Because this requires the subservice organization's active cooperation and gives the service auditor access to its systems and personnel, the inclusive method is used far less often than the carve-out method, and it is not an option where the subservice organization will not participate.

AICPA Definitions of both types of subservice organizations

Carve-out method. Method of addressing the services provided by a subservice organization whereby management’s description of the service organization’s system identifies the nature of the services performed by the subservice organization and excludes from the description and from the scope of the service auditor’s engagement, the subservice organization’s relevant control objectives and related controls. Management’s description of the service organization’s system and the scope of the service auditor’s engagement include controls at the service organization that monitor the effectiveness of controls at the subservice organization, which may include management of the service organization’s review of a service auditor’s report on controls at the subservice organization.

Inclusive method. Method of addressing the services provided by a subservice organization whereby management’s description of the service organization’s system includes a description of the nature of the services provided by the subservice organization as well as the subservice organization’s relevant control objectives and related controls.

Please reach out to David Hammarberg, leader of the firm's SOC, Cybersecurity, Forensic Examination, and Information Technology practices, at dhammarberg@macpas.com if you would like to discuss your service organization's SOC 2.

About the Author

David Hammarberg

David is a Partner with McKonly & Asbury. He has been an integral part of our firm for over 20 years, serving our clients in a variety of information technology and accounting capacities. David's expertise and service focus areas inclu…
