Picture this. It’s the middle of a SOC 2 readiness assessment, and a SaaS company – let’s call them BrightCloud – discovers that their cloud provider’s physical security controls can’t be tested by their own auditor. The team panics. Suddenly, they’re staring down the decision: carve-out method vs. inclusive method. It’s not a theoretical question anymore. It’s a fire drill.
Anecdote: The Unexpected Cloud Control Catch
We’ve seen this situation more than once. In one case, a fintech startup was eager to use the inclusive method to show end-to-end control coverage. But their cloud provider didn’t support third-party testing, and the provider’s SOC report was too high-level to rely on. Ultimately, the client had to shift midstream, carving out the subservice and bolstering their own monitoring procedures to close the gap. It wasn’t ideal, but it worked.
This is a classic carve-out move: name the subservice organization in your system description, identify the controls you rely on it for (the complementary subservice organization controls, or CSOCs) without bringing their design and operation into the auditor’s testing, and make sure you’ve got oversight of that provider on your end.
What is a Subservice Organization?
In plain terms, a subservice organization is anyone outside your company who helps deliver a key part of your service. That could be your cloud host, payment processor, or data center. The AICPA has a more formal definition, but that’s the practical view.
What matters is this: if their performance affects your customers, then how you handle their inclusion (or exclusion) in your SOC audit matters too.
Wondering about oversight after carving out subservice organizations? Explore our guidance on how to monitor subservice organization controls for SOC reports.
The Inclusive Method vs. Carve-Out: Real-World Considerations
It’s one thing to define the inclusive vs carve-out method on paper. It’s another to live through the consequences.
If you use the inclusive method, you’re saying: “Our subservice organization’s controls are part of our system, and we’ll provide evidence for them.” That means the provider’s controls are described and tested in your report, which requires deeper documentation, more coordination, a written assertion from the provider’s management, and sometimes delays if the provider isn’t responsive.
If you go with the carve-out method, you’re opting to exclude the provider’s controls from the scope of testing, but you’re still responsible for identifying the controls you depend on, understanding them, and managing any risk they create. This often involves reviewing the provider’s own SOC report (including the user entity controls it expects you to operate), sending periodic questionnaires, or establishing internal monitoring routines.
Anecdote: The Payroll Provider That Over-Promised
A tech company we worked with assumed their outsourced payroll platform would fully support the inclusive method. But when audit time came, the provider had limited documentation, and their SOC report didn’t map well to client control objectives. That misalignment turned into extra testing, reporting delays, and hard lessons learned.
For many clients, especially those without strong subservice SLAs or cooperative vendors, a carve-out audit can sidestep a lot of pain.
Choosing Between the Two: What Actually Works?
Rather than chasing a theoretical ideal, the decision often comes down to a few questions:
- Can you actually get detailed control info from the provider?
- Do they issue a reliable SOC report with clear CUECs?
- Are their timelines compatible with yours?
- Do you have enough leverage to request evidence or walkthroughs?
Most smaller companies don’t, which is why many default to carve-out by necessity, not by preference.
Struggling with scoping decisions? Learn more about navigating your SOC 2 audit scope in our comprehensive guide. For a foundational understanding of what auditors are evaluating in your environment, explore our article on types of controls and learn about the limitations of internal control to better prepare for your audit.
Carve-Out vs Inclusive FAQs: Let’s Clear a Few Things Up
The following briefly addresses a few questions that are frequently asked about these two approaches.
So What’s the Difference Between Inclusive & Carve-Out Again?
Think of inclusive as “we’re taking ownership of the provider’s controls and having them tested in our report,” and carve-out as “we identify the controls we rely on them for, leave the testing of those controls to their own report, and monitor the provider ourselves.”
Is One Better Than the Other?
Not necessarily. Inclusive offers more transparency to your report readers, but only if you have the access and alignment with the provider to support it. Otherwise, carve-out is the safer path from an audit-execution standpoint.
Is Carve-Out Risky?
It can be, especially if you skip monitoring. But if you map the CUECs in the provider’s SOC report (the controls they expect you, as their customer, to operate) to your own controls, and keep internal oversight of the provider in place, it’s very manageable.
Making the Right Choice: Carve-Out vs Inclusive Method
There’s no one-size-fits-all. The carve-out method vs inclusive method debate really comes down to your audit readiness, your subservice relationships, and your bandwidth. We’ve seen both paths work, depending on how well companies prepare.
If you’re not sure where your environment fits, Linford & Company can walk you through the trade-offs. We’ve helped organizations at every stage, from first-time SOC reports to multi-audit environments with complex subservice stacks. Contact us if you’d like a sanity check or just a second set of eyes.
See the following blogs for more related information on SOC reports and controls:
- SOC 1 vs. SOC 2 – How They Are Different & Which Report You Need
- Trust Services Criteria (TSCs) for SOC 2 Reports
- SOC 3 Reports: Do You Need One?
This article was originally published on 4/18/2028 and was updated on 6/25/2025.

Isaac Clarke is a partner at Linford & Co., LLP. He began his career with Ernst & Young in 2003 where he developed his audit expertise over a number of years. Isaac specializes in and has conducted numerous SOC 1 and SOC 2 examinations for a variety of companies—from startups to Fortune 100 companies. Isaac enjoys helping his clients understand and simplify their compliance activities. He is attentive to his clients’ needs and works meticulously to ensure that each examination and report meets professional standards.