Do you remember how, in grade school gym class, there was a tradition of picking teams to play games?
If you were lucky enough to be doing the picking, you probably selected your friends first, and then whoever was going to help you win in the next pivotal game of dodgeball. The point is that you were strategic then.
You should also be strategic now, in choosing what to include in your SOC report.
There are lots of decisions you have to make ahead of your SOC examination, and one of them is whether to include your subservice organizations—if you want to be “inclusive” or “carve [them] out.”
So which direction should you go? Which is more common?
Having been in the SOC business for two decades now, Schellman has seen thousands of organizations consider the same quandary. Just like we helped them, we now want to help you.
Grade-school dodgeball games are over—you’re trying to provide assurances to your customers and prospects now. There’s business on the line, and so in this article, we will explain the differences between the inclusive and carve-out methods, which of the two is more common, and considerations to make for each.
As you shape the many facets of your SOC report, you’ll have the knowledge to check this one regarding subservice organizations off the list.
The Differences Between the Carve-Out and Inclusive Methods
When defining the scope of your SOC examination, you’ll be asked which approach you’d like in reporting your subservice organizations. These organizations can include:
- Data center hosting organizations; or
- Managed services organizations (e.g., network monitoring services), among others.
You can carve these out, or you can include them. But what does that really mean?
- The carve-out method is all in the name. You would not include any controls from your subservice organizations—i.e., you’d carve those controls out of the description of your system and controls testing.
- You’d do that if getting the full cooperation of your subservice organization to be audited as part of your SOC examination is not assured. This is common, as your subservice organization would not want the hassle or expense of being part of your audit. Besides, your subservice organization likely has a SOC report of their own.
- Your customers would then need to review your report for your controls as well as the subservice organization’s own report.
- Since your auditor will not be reviewing the subservice organization’s controls after you carved them out, you would need to have a method of monitoring the subservice organization in place to ensure their control environment is up to standard.
- As you’ve probably guessed, the inclusive method is the opposite—you would include all the controls from the subservice organization in the description of the system and the report.
- If you include these organizations, then both you and your subservice organization(s) have agreed to be audited as part of your audit. This is not very common, as they likely are performing a standalone audit of their own, and have a separate report to deliver to you and your customers.
- As part of the process, your assessor will review, describe, and test those controls. Your customers could then review your report for a complete listing of controls.
- Of course, if you go this route, you will need to obtain a written assertion from that organization’s management, as well as a system description of theirs.
Considerations to Make When Choosing the Carve-Out Method
In our experience, most of our clients choose the carve-out method when representing their subservice organization(s) in their description of their system and in their reports because their subservice organizations have their own SOC report that customers can review.
However, you should consider these key points when choosing the carve-out method.
- Relevance of Those Services: Are the services performed by your subservice organization relevant to the services or application offered to your customers? If the services are applicable, does the subservice organization receive a SOC report or another internal control assessment that will allow you to monitor its control environment easily?
- The Subservice Organization’s SOC Report: Did the subservice organization get an unqualified opinion in their report? Did the auditor note any control exceptions that would impact your service or your application? Were any complementary user entity controls (CUECs) noted in the report? Are these CUECs in place at your organization, and is your organization performing these CUECs effectively?
- Monitoring of Subservice Organizations: Does your organization have an effective manner of monitoring the subservice organization’s control environment? How often does your organization monitor the subservice organization’s control environment?
The answers to these questions can solidify whether or not you really should exclude these controls from your SOC report, or if you should opt for the other direction.
Considerations to Make When Choosing the Inclusive Method
That other direction is the inclusive method, which organizations rarely choose. Those that do usually go this route because their subservice organization is smaller and doesn’t have its own SOC report that can be reviewed by its customers, at which point it becomes more advantageous to include those controls for evaluation.
But when considering this approach, consider these points:
- Organization Cooperation: Do you think your subservice organization would be willing to have an auditor come in and test the controls within their environment? Would they willingly sign a management representation letter, provide a management assertion letter to be included in the report, and assist with the system description?
- Previously Established Communication: How easy would it be to coordinate and obtain evidence from the subservice organization, which would be necessary for the completion of the audit?
- Your Responsibility: Are you prepared to communicate the subservice organization’s results in your report? If your auditors discover control exceptions in that environment, are you ready to address them with your customers?
Whether it’s easier or necessary to include your subservice organizations within your SOC audit will depend a lot on your answers. So that you get everything you need from the examination you pay for, ensure you consider all these angles before deciding whether to include your subservice organizations.
Next Steps for Your SOC Examination
Having said all that about both methods, here’s something important you also need to know: regardless of whether you choose the carve-out or inclusive method, you must disclose the existence of any services provided by any subservice organizations in your report. The question of including or carving out is instead about whether the subservice organizations’ controls are included in your report at all, and if so, how.
Having read all that, it’s clear that this isn’t the middle school gym anymore. Worse than that, SOC examinations are complex and much less fun than the games we all used to play back then.
But now you’ve got all the information to make one of the most crucial decisions regarding your future SOC report. Each method comes with its caveats, but you’re in a position to choose the best one for you and your customers.
As you continue to shape your SOC examination, check out our other content detailing other components that will help determine your experience:
- What Does a SOC Audit Cost? (article)
- What is the Process of a SOC Examination? (video)
- Do You Need a SOC 2 With Additional Criteria? 3 Frameworks to Consider (article)
If you take a look around our Learning Center, we’ve produced a lot of content around our staple service. But even if you read and watch every single piece, there’s a chance you may still have some lingering concerns regarding your SOC audit. If that’s the case, please go ahead and contact us. We’d love to have a conversation that would allow us to lend our expertise in answering any questions you may have.
About the Author: Hiren Patel