Service providers often face a common question when determining how best to report on their control environment to clients who use their services—should we use the carve-out audit or the inclusive audit method for subservice providers? As a service auditor, I’ve been asked this question multiple times by different service organizations. The short answer is—it depends.
This blog will provide you the background and basics surrounding this question and map out the factors you should consider in determining the best approach for your organization.
What is a Subservice Organization?
The AICPA defines a subservice organization as “a service organization used by another service organization to perform some of the services provided to user entities that are likely to be relevant to those user entities’ internal control over financial reporting.” You could also think of subservice organizations as the entities that service organizations outsource some of their operations to.
An example of this is a company that offers its clients a Software as a Service (SaaS) solution that is hosted by a cloud service organization, which provides physical security, environmental control, and monitoring services for the SaaS company. In this case, the SaaS company is the service organization and the cloud services provider is the subservice organization.
Why be Concerned with Your Subservice Organizations?
Information technology has created a more interconnected business world. This has fostered more inter-reliance between entities around the globe. Accordingly, standards (SSAE 18) have been revised to focus more on subservice organizations impacting the delivery of critical services.
If you are reading this blog, chances are you have clients who require your organization to provide them assurance regarding the control environment surrounding the services provided to them. They are asking you for a SOC report because their auditors are asking for it. If your clients are SEC registrants, they are likely asking for a SOC 1 report on your organization’s controls that are relevant to their internal controls over financial reporting. Otherwise, they are probably asking for a SOC 2 report to gain comfort that you have adequate controls in place to safeguard their data and systems that interact with your system.
The bottom line is that, as a service provider, it is not enough to just focus on your in-house operations. You need to have assurance that your subservice providers have controls in place and your organization is addressing any complementary user entity controls (CUECs) that are expected to be addressed by your company. See another one of our blogs for more information on CUECs.
What are the Carve-Out Audit and Inclusive Auditing Methods?
The carve-out audit and inclusive audit methods are two ways for a service organization to report the services performed by subservice organizations within the description of its “system” included in a SOC report.
The carve-out audit method allows a service organization to describe services performed by a subservice organization within its system description, but excludes the controls and, in the case of SOC 1 reports, control objectives of the subservice organization. While this approach excludes subservice organization’s controls, the service organization is required to note within its description of its “system” the controls used to effectively monitor the subservice organization.
For the inclusive audit method, the service organization’s description of its “system” includes the services performed by the actual subservice organization (same as the carve-out audit method) as well as the control objectives and related controls of the subservice organization.
How to Determine the Best Method for You?
Before we jump to a conclusion one way or another, there a few things that you should consider.
The following are considerations that must be evaluated before deciding whether or not to use the carve-out audit method in a SOC report.
- Are the services performed by the subservice organization relevant to the services offered to your clients?
- If the services are applicable, does the subservice organization receive a SOC report or another form of certification that will allow you to easily monitor its control environment?
- If the subservice organization can provide a SOC report:
- Did they get a clean opinion in their last report?
- Were there control exceptions noted in the report that would impact the service to your clients?
- Were there CUECs called out in the report?
- If there were CUECs in the report, do you have controls to address them?
- If the subservice organization cannot provide a SOC report, does your organization have another effective approach to monitor the subservice organization’s control environment (e.g., periodic meetings, questionnaires, etc.)?
A few key items to consider to determine whether the inclusive audit method should be utilized are:
- Would the subservice organization be willing to have your service auditor test the controls within their environment?
- Would the subservice organization be willing to provide an assertion letter to be included report—along with the service organization’s assertion letter?
- How easy is it to coordinate and work with the subservice organization? The two organizations will need to be able to coordinate schedules for the audit to be performed. Additionally, the two organizations will have to work together in reviewing and revising the system description within the report.
- Do you want the subservice organization’s results in your report? If the organization historically has control exceptions, there is a possibility that their performance may impact your clients’ perception of your organization.
No matter your responses to the earlier questions, your final decision should generally come down to which method will best meet the needs of your clients.
While the inclusive audit method is probably the best approach to obtaining the most complete SOC report, it is often not very practical. There needs to be a solid working relationship between the service organization’s management and the subservice organization’s management in order for the inclusive method to be effective, as it requires a great deal of coordination between both entities involved in the SOC audit. Consequently, in practice, the carve-out audit method is the most commonly used method in SOC reports.
Linford & Company is a CPA firm that specializes in SOC 1 and SOC 2 assessments. If you have questions about the best method (carve-out audit or inclusive audit) for your organizations report or regarding any of our services, please contact us.
See the following blogs for more related information on SOC reports and controls: