What Are Carve-Out and Inclusive Auditing Methods for SOC Reporting?


SOC audits are some of the most common non-regulatory audits in the U.S. These attestations provide companies with a way to demonstrate their dedication to transparent and secure financial reporting and protecting consumer information. Accordingly, SOC reporting can become an in-depth and complicated task that is rendered even more complicated when factoring in subservice providers. 

We’ll cover two ways to account for subservice provider services in your financial and IT infrastructure: carve-out and inclusive reporting. 


What Are the Purposes of SOC Reports?

SOC reports are attestations that your organization meets minimum requirements as lined out through the security, privacy and financial reporting tools outlined by the American Institute of Certified Public Accountants (AICPA). There are three different types of reports that break down as follows:

  • SOC 1 Report: SOC 1 reports focus primarily on financial reporting, the controls related to financial reporting, and the processes in place to manage both. Partners and customers that require SOC 1 reporting usually do so because they either want to know they can trust your financials, or have their own financial reporting requirements that partners and vendors must meet. 
  • SOC 2 Report: The most common report under this standard, SOC 2 pertains to the different technical, administrative and physical security controls your organization deploys. This standard applies to measures that fall under 5 Trust Services Criteria: Security, Confidentiality, Processing Integrity, Privacy and Availability. At a minimum, all SOC 2 attestations will include a Security audit. 
  • SOC 3 Report: These reports are abbreviated SOC 2 reports, covering the same criteria with less detail so that an organization can provide more comprehensive public documentation of their attestation status directly linked to their certified audit. 

While these are the most common, some additional attestations are offered under the SOC umbrella:

  • SOC for Cybersecurity: This report attests to the state and effectiveness of your organization’s cybersecurity risk management program. 
  • SOC for Supply Chain: This report attests to the state of your organization’s supply chain risk management. 

SOC reports aren’t mandatory under government regulations, but they do serve as an essential part of compliance and assessment in the private sector. 

More broadly, the truth of modern supply chain infrastructure and business is that most organizations work directly or indirectly with third-party vendors. This fact can complicate SOC reporting because if your organization shares financial data, personal identifiable information (PII) or security infrastructure with a subcontractor, then those aspects of your business can fall under a SOC audit should you undergo one. 

Two ways that are generally accepted approaches to handling these situations: carve-out and inclusive reporting


What Is the Carve-Out Method of SOC Reporting?

carve out inclusive

The carve-out method focuses on how to report on the services included from a subservice provider.

A quick note on subservice providers: These organizations are more than third-party vendors leveraged by financial institutions for specific business operations. A subservice provider offers critical controls that your organization uses to manage financial reporting–that is, the exact controls that are of interest under SOC audits. 

Obviously, the relationship between your organization’s financial reporting, SOC audits and subservice providers calls for a way to account for those services offered by the provider. Carve-out is such a way. 

Under the carve-out method, your organization would identify all relevant services provided by a subservice provider, define them in relation to your overall infrastructure and exclude them from the scope of your SOC audit. It is then up to your organization to describe the types of controls provided by the subservice provider, the level of SOC compliance expected by that subservice provider and the monitoring controls you have in place to ensure those controls stay compliant. 


What Is the Inclusive Method of SOC Reporting?

As the name suggests, the inclusive method includes the subservice provider’s services within the SOC report as if they were part of your infrastructure. The scope of the audit will consist of the provided services, the success or failure of those services under audit, and any opinions on the implementation of those services from the auditor. The provider’s services will be included in the SOC report as if they were your own. 

Under inclusive reporting, the provider would include management assertion and representation letters demonstrating that the provider has provided accurate compliance and financial reports. The assertion letter will appear in your final SOC report. 


When Should My Organization Use Carve Out or Inclusive Methods of Reporting?

Each of these approaches serves specific purposes. With the increasingly complex ways in which service providers and businesses interact with one another, carving out or including certain controls can ease audits. 

There are a few business cases where carve-out measures are suitable:

  • Existing SOC Attestation: It isn’t necessary for them to undergo additional audits if the subservice provider has a current SOC 1 or SOC 2 (Type I or Type II) attestations that cover the services. 
  • Unwillingness: The subservice provider doesn’t provide contractual permission for their controls to undergo a SOC assessment. They may not be willing to undergo outside audits for another company (your own) as part of their offered services. They would not be willing to provide management assertion or representation letters. 

Conversely, there are additional situations where inclusive audits would be more suitable:

  • Lack of SOC Compliance: If the subservice provider does not have attestation on files as required by your systems, it might be easier or more expedient to include the relevant controls within your own audit. 
  • Extensiveness: If the subservice provider’s technologies or services are deeply enmeshed in several aspects of your business, it could be detrimental to your overall audit to exclude them. 

It benefits you to conduct a thorough assessment of the different controls provided by your subservice partners. If you have several such partners, then you must decide who to include and who to carve out of the audit. 


Preparing for Complex SOC Audits with Lazarus Alliance

If your organization is considering a SOC audit and must decide on subservice providers, you’re already in a complicated place. You’ll want to have an auditing organization in place that understands the complex landscape of audits and attestations and that can help you prepare for the process. We are an authorized CPA certified for SOC audits, but we are first and foremost a security firm dedicated to making audits accurate and easy. 


Are You Getting Ready for Your SOC Audit?

Call Lazarus Alliance at 1-888-896-7580 or fill in this form. 

Lazarus Alliance