Service organizations typically use subservice organizations (i.e. third parties) to perform key controls that are necessary, in combination with the controls at the service organization, to meet the applicable control objectives (SOC 1) or Trust Services Criteria (SOC 2). Services provided by subservice organizations often relate to infrastructure hosting, application development, security monitoring, offsite storage of backups and disaster recovery services. When these services are included in the SOC report, the service organization has two options for presenting the subservice organization within its SOC report: the carve-out method or the inclusive method.
The carve-out method addresses the services provided by the subservice organization by “carving out” (i.e. excluding) such services from the description of the service organization’s system and from the scope of the examination. When using this method, the description of the service organization’s system must include the services performed by the subservice organization, the types of controls expected to be in place at the subservice organization (complementary subservice organization controls) and the controls the service organization has in place for monitoring the effectiveness of the subservice organization’s controls. When using the carve-out method, the service auditor is responsible for determining if the service organization’s monitoring controls are appropriate.
The inclusive method addresses the services provided by the subservice organization by “including” its services and related controls in the description of the service organization’s system. The scope of the report would include the service auditor assessing the design and operating effectiveness of the subservice organization’s controls. The results of the service auditor’s tests of operating effectiveness of the subservice organization’s controls would be included in section four of the SOC report. Management of the subservice organization would also sign management assertion and management representation letters, and the assertion letter would be included in section two of the SOC report after the service organization’s assertion.
The carve-out method may be appropriate in the following situations:
• If the subservice organization has a Type I or Type II SOC report that covers the applicable services available for management to review.
• If the subservice organization will not provide contractual or other commitments regarding its willingness to be included in the SOC examination.
• If the service organization has implemented controls to monitor the subservice organization’s services (the monitoring controls described above).
The inclusive method may be appropriate in the following situations:
• If a SOC report or other assurance regarding the subservice organization’s applicable services and controls is not available.
• If the subservice organization agrees to be subjected to the examination procedures and is willing to provide the service auditor with a written assertion and representation letter.
• If the subservice organization’s services are extensive, then the usefulness of the SOC report for users of the system may be diminished by excluding the subservice organization’s controls from the examination.
Prior to beginning the reporting period, management should determine what method it should use to present subservice organizations within the report. If multiple subservice organizations are to be included in the scope of the report, management may decide to use the carve-out method for some subservice organizations and the inclusive method for other subservice organizations. Generally, the inclusive method requires more involvement by the subservice organization, and management of the service organization should consider the risks associated with the subservice organization’s refusal to cooperate with the examination when determining which method to use.