What Are Carve-Out and Inclusive Auditing Methods for SOC Reporting?

SOC audits are some of the most common non-regulatory audits in the U.S. These attestations give companies a way to demonstrate their commitment to transparent and secure financial reporting and to protecting consumer information. SOC reporting can therefore become an in-depth and complicated task, and it becomes more complicated still once subservice providers are factored in.

We’ll cover two ways to account for subservice provider services in your financial and IT infrastructure: carve-out and inclusive reporting. 


What Are the Purposes of SOC Reports?

SOC reports are attestations that your organization meets the minimum requirements laid out in the security, privacy and financial reporting frameworks published by the American Institute of Certified Public Accountants (AICPA). There are three different types of reports, which break down as follows:

While these are the most common, some additional attestations are offered under the SOC umbrella:

SOC reports aren’t mandatory under government regulations, but they do serve as an essential part of compliance and assessment in the private sector. 

More broadly, the reality of modern supply chain infrastructure and business is that most organizations work directly or indirectly with third-party vendors. This complicates SOC reporting: if your organization shares financial data, personally identifiable information (PII) or security infrastructure with a subcontractor, then those aspects of your business can fall within the scope of a SOC audit should you undergo one.

There are two generally accepted approaches to handling these situations: carve-out and inclusive reporting.


What Is the Carve-Out Method of SOC Reporting?

The carve-out method addresses how to report on the services your organization receives from a subservice provider.

A quick note on subservice providers: These organizations are more than third-party vendors that financial institutions use for specific business operations. A subservice provider operates critical controls that your organization relies on to manage financial reporting, which are exactly the controls of interest in a SOC audit.

The relationship between your organization's financial reporting, SOC audits and subservice providers clearly calls for a way to account for the services the provider offers. Carve-out is one such way.

Under the carve-out method, your organization identifies all relevant services provided by a subservice provider, defines them in relation to your overall infrastructure and excludes them from the scope of your SOC audit. It is then up to your organization to describe the types of controls the subservice provider operates, the level of SOC compliance expected of that subservice provider and the monitoring controls you have in place to ensure those controls stay compliant.


What Is the Inclusive Method of SOC Reporting?

As the name suggests, the inclusive method includes the subservice provider's services within the SOC report as if they were part of your own infrastructure. The scope of the audit will then cover the provided services, the success or failure of those services under audit, and any opinions the auditor gives on how those services are implemented.

Under inclusive reporting, the subservice provider supplies a management assertion and a representation letter attesting that the compliance and financial information it has provided is accurate. The assertion letter appears in your final SOC report.


When Should My Organization Use the Carve-Out or Inclusive Method of Reporting?

Each of these approaches serves a specific purpose. Given the increasingly complex ways in which service providers and businesses interact with one another, carving out or including certain controls can make an audit easier to manage.

There are a few business cases where carve-out measures are suitable:

Conversely, there are additional situations where inclusive audits would be more suitable:

It benefits you to conduct a thorough assessment of the different controls provided by your subservice partners. If you have several such partners, you must decide which to include in the audit and which to carve out.


Preparing for Complex SOC Audits with Lazarus Alliance

If your organization is considering a SOC audit and must make decisions about subservice providers, you are already in a complicated position. You will want an auditing organization in place that understands the complex landscape of audits and attestations and that can help you prepare for the process. We are an authorized CPA firm certified for SOC audits, but we are first and foremost a security firm dedicated to making audits accurate and easy.


Are You Getting Ready for Your SOC Audit?

Call Lazarus Alliance at 1-888-896-7580 or fill in this form. 
