SOC 2 Academy: Identifying Vendors as Carve-Out or Inclusive

by Joseph Kirkpatrick / March 22nd, 2019

Common Criteria 9.2

When a service organization undergoes a SOC 2 audit, auditors will verify whether it complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 9.2 says, “The entity assesses and manages risks associated with vendors and business partners.” How can organizations be sure that they’re complying with this criterion? Let’s discuss the difference between identifying a vendor as carve-out or inclusive and why it matters during a SOC 2 audit.

Should You Identify Your Vendor as Carve-Out or Inclusive?

Third-party vendors often play critical roles in helping businesses perform their day-to-day operations, but they can also pose major risks to an organization’s security posture. When pursuing SOC 2 compliance, it’s important that third-party vendors not be an afterthought. Why? Because service organizations have a responsibility to keep their customers’ data secure, and if they’re not performing due diligence to ensure that the third parties they use are also doing their part to keep that data safe, there could be serious financial, reputational, and operational consequences.

During a SOC 2 audit, organizations must identify each of their vendors as either carve-out or inclusive. If an organization wants to show that it is dedicated to performing due diligence in verifying that the third parties it uses are secure, then identifying that vendor as inclusive is the stronger option. By identifying a vendor as inclusive, an organization has its audit firm test the vendor’s internal controls as part of the same engagement, and the vendor provides its own management assertion alongside the organization’s. On the other hand, some organizations opt to identify their vendors as carve-out, which excludes the vendor’s controls from the auditor’s opinion. This can mean one of two things. First, it can mean that the third-party vendor has already undergone an independent attestation and can provide an audit report over its internal controls, which the organization reviews in place of having its own auditor test them. Second, it can mean that the organization has chosen not to validate the third party’s internal controls at all and therefore has no independent evidence that the vendor does what it says it does. A carve-out backed by the vendor’s own report only carries weight if someone at the organization actually reads that report, confirms that its scope and period cover the services being relied on, and follows up on any exceptions it contains.

How to Comply with Common Criteria 9.2

Identifying your vendor as carve-out or inclusive is only a small factor in complying with common criteria 9.2. During a SOC 2 audit, an auditor will use the following points of focus to determine an organization’s compliance with common criteria 9.2.

  • Does the entity establish requirements for vendor and business partner engagements?
  • Does the entity assess vendor and business partner risks?
  • Does the entity assign responsibility and accountability for managing vendors and business partners?
  • Does the entity establish communication protocols for vendors and business partners?
  • Does the entity establish exception handling procedures from vendors and business partners?
  • Does the entity assess vendor and business partner performance?
  • Does the entity implement procedures for addressing issues identified during vendor and business partner assessments?
  • Does the entity implement procedures for terminating vendor and business partner relationships?

Let’s say that you’re using a third-party service provider to perform a very critical task for you. Let’s say that it is an application development firm, or it is a managed IT provider, or it is outsourced human resources. There’s any number of services that you can get from a third party that are very critical to the achievement of your compliance and information security objectives. This is where these types of things can affect common criteria 9.2. So, try not to have the attitude that your vendors are just vendors, or think that they don’t have any access to critical data. We hear that a lot, especially when it relates to a data center provider, IT provider, or an application developer. We hear things like, “They’re just an application developer. They don’t have access to the production database where all of the sensitive data is.” That specific thing might be true, but what if the development company doesn’t follow best practices and secure coding standards, and they introduce code into your environment that introduces a vulnerability into the environment that has access to the secure database where you have your sensitive data? You would care about that control failing that really was under the jurisdiction and control of the third-party service provider. You need to be more inclusive in your third-party relationships in your audit arrangement with us. I know sometimes our clients are afraid of the fees, time, and trouble of sending us to Europe or Asia to visit someone who is doing coding for them, but it’s a big risk and issue these days. What are they doing at the location where they control these critical tasks for you?

There are two ways to handle this third-party relationship during your SOC 2 engagement: you can identify your vendor as carve-out or inclusive. You can carve out a third-party service provider. You can say that the audit firm is not issuing an opinion on this third party. The audit firm is not testing any of the controls at the third party. That’s an appropriate way to handle it. The implication is that once you hand that report to your client, the client will ask how you validate the controls of that third party. The answer might be that you don’t, because you didn’t send your auditor to do it and you’re not doing it yourself, and so you don’t have any proof that they’re doing what they say they’re doing.

The other method of handling it is the inclusive method. That’s where the third-party service provider also provides an assertion, just like management of your organization does. They’re asserting certain things about their controls and their environment, and they are being tested just like you are in your engagement, and we, as your auditor, can perform that testing.

A third option in the carve-out method could be if the third party has an audit report that’s been executed by their independent auditor, so when you hand in your report that says it’s carved out, and your client asks you how you validate the third parties, you can say that you do it by reviewing the results of their audit engagement. One way or the other, you need to be responsible for these third parties, making sure that you understand what they’re doing, how they’re doing it, and that you address that particular risk by making sure that the controls are operating effectively and that you’re satisfied with how they’re operating for you and your business objectives.