Vendor Compliance Management: Carve-Out vs Inclusive Method
by Joseph Kirkpatrick / December 18th, 2017
Vendor Compliance Management
As you’re preparing your service organization for a SOC 1 audit, you want to identify who your third parties or vendors are, what services they provide to you, and whether they’ve gone through audits themselves. Any control that governs the vendors you utilize will be reviewed in a SOC 1 engagement. Your vendors might include a data center, an application service provider, a managed IT provider, or another type of third party that may have access to client information or your critical systems. When you’re scoping your SOC 1 engagement there’s a decision you must make: utilize the carve-out method or the inclusive method? Each method is a way to handle outsourced services in your SOC 1 report.
The Carve-Out Method
Using the carve-out method would be appropriate if your vendor has undergone an audit themselves. If using the carve-out method, the vendor’s activities and controls are excluded from the scope of the audit. An auditor would request the vendor’s audit report and review that as part of your engagement, resulting in that vendor being carved out of your report. The service organization’s description of its system would include the services performed by the vendor and what controls are used to monitor the vendor, but exclude the control objectives related to the vendor. If you wanted to communicate your vendors’ commitment to security to your clients, then your client would review your report for your controls as well as the vendor’s report for their controls.
The Inclusive Method
The inclusive method is utilized when the third party is in scope for your audit. The auditor would require assertions from management, visit them, involve them in the audit, ask them questions, and collect evidence. It’s important to note that if an auditor cannot obtain a written statement of assertion from a vendor, then the inclusive method cannot be used. The service organization’s description of its system would include the services performed by the vendor and include the control objectives related to the vendor.
Lately, there has been a greater focus put on vendor compliance management. The decision to use the carve-out or inclusive method usually comes down to one thing: your clients’ needs. To learn more about vendor compliance management or KirkpatrickPrice’s SOC 1 services, contact us today.
For a SOC 1 report, one of the controls that would be reviewed would be any controls that you’ve put into place in order to govern the third parties that you utilize. Your vendors might be a data center, or an application service provider, a managed IT provider, or some third party that may have critical access to client information or your critical systems. In the audit report, there are two methods for evaluating these sub-service organizations.
The first one is using the carve-out method. This would be appropriate, in our opinion, if your third party has undergone an audit themselves. We would request their audit report, we would review that as part of your engagement, and that subservice organization could be carved-out of your report. So, if you wanted to communicate what your subservice organizations are doing to your clients, then your client would review your report for your controls and the subservice organization’s report for their controls.
The other approach would be inclusive. This is where the third party is in scope for audit. We as the auditor would visit them, we would involve them in the audit, we would ask them questions, and we would collect evidence as part of the inclusive method.
This is one thing to be aware of as you prepare for your audit. Identify who your third parties are and whether they’ve gone through audits themselves, because the decision whether to carve out or apply the inclusive method would have to be discussed.
