Auditing Basics: Carve-Out vs. Inclusive Vendors

by Joseph Kirkpatrick / May 10th, 2019

During the initial scoping phase of an organization’s audit engagement, your auditor will partner with you to narrow down which third-party vendors are included in the engagement. To ensure that your organization’s security posture is strong and stays that way, you need to consider the impact that the third-party vendors you’ve entrusted with sensitive data could have on your organization. This means you need to be able to list who your third-party vendors are, what services they provide to you, and whether they have gone through audits themselves. Knowing this information will help you determine whether you need to carve them out of your audit or include them. What’s the difference between carving out and including third-party vendors in an audit? Let’s take a look.

Carve-Out vs. Inclusive Method: What’s the Difference?

When an organization opts to use the inclusive method for its third-party vendors, those vendors are included in the scope of the audit. This usually means the third party has not had an audit of its own controls performed, and the organization being audited wants assurance that the vendors it has partnered with are doing what they say they are doing to protect its sensitive assets. Under the inclusive method, auditors perform a site visit at the vendor, test and interview its personnel, and collect evidence on its controls. On the other hand, when an organization opts to carve out its third-party vendors, they are not included in the audit, and your audit firm will not issue an opinion on any controls they have in place that you rely upon to deliver your services. Typically, this means the third-party vendor has its own audit report to provide to your audit firm for review, and no further action is required on the vendor’s part.

Need help determining whether you should carve out or include your third-party vendors in your audit? Contact us today.

Video Transcription

One of the decisions that needs to be made for your audit is how to treat your third-party service providers. There are two methods – carve-out and inclusive – and I’m going to explain the difference between the two. If you carve out your third-party service provider, that means that we do not issue an opinion on any controls that they have in place that you rely upon to deliver your services. When you hand your report to your client, they are very likely going to ask how they can validate the controls of that third-party service provider. They often want to know if they have an audit report that they’ve had performed so they can review it. If they haven’t had an audit report, they might question how they can be sure that the third party you’re partnered with is doing what they say they’re doing to protect their data. The inclusive method is where we include the third-party service provider in your audit. We visit them, test them, interview them, collect evidence from them – just like we do for the service organization. The report would then talk about the controls that were in place not only at the service organization but at the sub-service organization, or third-party service provider, as well. So, think about which third parties you work with, whether or not they have their own audit report, and whether they should be included or carved out as part of your audit process.