Key takeaways
- The carve-out method excludes the subservice organisation's controls from the report. The user entity auditor must separately obtain evidence about those controls.
- The inclusive method includes both entities' controls in the report. The service auditor tests both and the opinion covers both.
- Most ISAE 3402 reports use carve-out because independent subservice organisations rarely grant audit access.
- The method choice affects how much work falls on the user entity auditor and how many assurance reports you need to review.
What counts as a subservice organisation
A subservice organisation is any third party that performs part of the service the primary service organisation provides to its clients. ISAE 3402.9(j) defines it as an organisation used by the service organisation to perform some of the services provided to user entities that are likely to be relevant to those user entities' internal control over financial reporting.
The distinction matters because not every vendor a service organisation uses qualifies. An office cleaning company is a vendor but not a subservice organisation. A cloud hosting provider that runs the servers where your client's financial data is processed qualifies. The test is whether the third party's services are relevant to the control objectives in the ISAE 3402 report.
Common subservice organisations include data centre operators, IT infrastructure providers, payment processing platforms, and outsourced software development firms that maintain production environments. When you read an ISAE 3402 report and see a reference to "subservice organisations," check the system description to understand exactly which services have been delegated and to whom.
How the carve-out method works
Under the carve-out method, the service organisation describes the services the subservice organisation performs, but excludes the subservice organisation's control objectives and controls from the scope of the ISAE 3402 engagement. ISAE 3402.A14 allows this approach.
The system description will state something like: "Rijnhart Asset Management B.V. uses CloudNord B.V. for data centre hosting. The controls at CloudNord related to physical security, environmental controls, network infrastructure, and backup availability are carved out of this report."
The service auditor does not test CloudNord's controls. What the service auditor does test is the primary service organisation's own monitoring controls over the subservice organisation. These monitoring controls might include reviewing CloudNord's own ISAE 3402 or SOC 2 report annually, performing periodic site visits, or maintaining contractual SLAs with defined performance thresholds.
For the user entity auditor, a carve-out means you have a gap. The primary service organisation's report gives you evidence about its own controls but tells you nothing about whether the subservice organisation's controls are operating effectively. You need to fill that gap yourself, typically by obtaining and reviewing the subservice organisation's own assurance report, or by performing alternative procedures if no such report exists.
How the inclusive method works
Under the inclusive method, the subservice organisation's controls are included within the scope of the primary service organisation's ISAE 3402 engagement. The service auditor tests both the primary service organisation's controls and the subservice organisation's controls, and the opinion covers both.
ISAE 3402.A4 notes that the inclusive method is generally feasible only when the service organisation and the subservice organisation are related entities, or when the contract between them specifically provides for access by the service auditor. This is a practical constraint, not a theoretical one. Most independent third-party subservice organisations will not grant access to another firm's auditor. They have their own assurance report, their own auditor, and no incentive to coordinate with yours.
When the inclusive method is used, the system description identifies the subservice organisation and describes both entities' controls. The service auditor performs procedures at both organisations. The subservice organisation's management must also provide a written assertion alongside the primary service organisation's assertion.
For the user entity auditor, an inclusive report is simpler to work with. The service auditor's opinion covers the full chain, from the primary service organisation through the subservice organisation. You still need to test any CUECs, but you don't need to separately obtain and review a second assurance report for the subservice organisation's controls.
What changes in the report under each method
The system description is where the difference is most visible. Under carve-out, the description names the subservice organisation, states what services it provides, and explicitly says its controls are excluded. Under inclusive, the description integrates the subservice organisation's controls into the relevant control objective sections, often with clear labelling to distinguish which controls sit at which entity.
The service auditor's opinion letter also changes. Under carve-out, the opinion states that the subservice organisation's controls are excluded from scope. Under inclusive, the opinion covers both organisations without carving anything out.
The control testing section (Section IV in a Type II report) reflects the same split. Under carve-out, you'll see tests of the primary service organisation's monitoring controls over the subservice organisation, but no tests of the subservice organisation's own controls. Under inclusive, you'll see tests of both entities' controls, and the results table will indicate which entity operates each control.
One thing that does not change between methods: the CUECs. Both carve-out and inclusive reports will list CUECs where the user entity is responsible for controls that complete the control objectives. The method only affects how subservice controls are handled, not how user entity controls are disclosed.
How each method affects the user entity auditor
Under carve-out, your ISA 402 work increases. You need to:
- Identify which subservice organisations are carved out and what services they provide
- Assess whether those services are relevant to your audit assertions
- Obtain evidence about the subservice organisation's controls (usually by reviewing its own ISAE 3402 or SOC 2 report)
- Evaluate any exceptions or gaps in the subservice organisation's report and determine the impact on your audit
If the subservice organisation does not issue its own assurance report, you have a problem. ISA 402.17 requires you to consider whether sufficient appropriate audit evidence can be obtained through alternative procedures, or whether you need to modify your opinion under ISA 705.
Under inclusive, the service auditor has already done this work. Your procedures are limited to:
- Confirming the inclusive report covers the subservice organisation's controls relevant to your assertions
- Evaluating the service auditor's findings for both entities
- Testing relevant CUECs at the user entity
The time and cost difference is real. On a typical engagement where the user entity relies on a service organisation that carved out its data centre provider, reviewing the second assurance report and mapping it to your assertions can add four to eight hours of senior-level work. If that subservice organisation has exceptions in its report, the analysis takes longer.
| Factor | Carve-Out | Inclusive |
|---|---|---|
| Subservice controls tested? | No (excluded from scope) | Yes (tested by service auditor) |
| Service auditor opinion covers | Primary service org only | Both entities |
| User auditor extra work | Must obtain and review second report | None (one report covers all) |
| Common usage | Most reports (independent subservice orgs) | Related entities or contractual access |
| Typical additional time | 4–8 hours senior-level per subservice org | Minimal |
Worked example: Rijnhart Asset Management B.V. and its data centre
Rijnhart Asset Management B.V. manages €2.1 billion in assets for institutional clients across the Netherlands. It outsources its portfolio accounting and NAV calculation to FinServPro B.V., which holds an ISAE 3402 Type II report.
FinServPro, in turn, hosts its production environment at CloudNord B.V., a data centre operator in Frankfurt. The question is whether FinServPro's ISAE 3402 report uses carve-out or inclusive for CloudNord.
Scenario A: Carve-out
FinServPro's system description states: "FinServPro uses CloudNord B.V. for data centre hosting services including physical security, environmental controls, network availability, and disaster recovery. The controls at CloudNord are not included in the scope of this report."
You're auditing Rijnhart. You've obtained FinServPro's report and noted the carve-out. Your next step is to assess whether CloudNord's controls are relevant to your assertions. They are, because if the data centre has an availability failure, NAV calculations could be delayed or corrupted, affecting the accuracy of Rijnhart's reported portfolio valuations.
You request CloudNord's own SOC 2 Type II report. CloudNord provides one covering the same period. You review the report and note that CloudNord received an unqualified opinion with one exception: a physical access badge was not deactivated for 12 days after a contractor's engagement ended. You assess whether this exception affects Rijnhart's data (it does not, because the contractor had no logical access to FinServPro's application layer). You document this assessment in your ISA 402 workpaper.
Documentation note (carve-out)
CloudNord B.V. SOC 2 Type II reviewed per ISA 402.15. One exception noted (badge deactivation, 12-day delay). Exception assessed as not impacting FinServPro's application-layer controls or Rijnhart's financial data. No additional procedures required.
Scenario B: Inclusive
FinServPro's system description integrates CloudNord's controls directly. Section III lists CloudNord's physical access controls, environmental monitoring, backup procedures, and network segmentation alongside FinServPro's own application-level controls. The service auditor tested both. The opinion covers both entities.
Your work as Rijnhart's auditor is simpler. You read one report. The service auditor already tested CloudNord's controls and reported the results. You evaluate the findings, test the CUECs at Rijnhart, and move on. No second report to obtain, no separate assessment to perform.
The difference in your workpaper: under carve-out, you have a full page documenting your review of CloudNord's report and your assessment of the exception. Under inclusive, you have a paragraph confirming the inclusive report covers the relevant controls and noting the service auditor's findings.
When to expect each method in practice
Most ISAE 3402 reports use the carve-out method. The inclusive method requires cooperation from the subservice organisation, including agreeing to let the primary service organisation's auditor perform procedures at its premises. Independent subservice organisations rarely agree to this. They already invest in their own assurance report and see no reason to participate in someone else's audit.
You'll typically see the inclusive method in two situations. The first is when the service organisation and subservice organisation are related entities (same parent company, same group). If FinServPro and CloudNord were both subsidiaries of the same holding company, the inclusive method becomes straightforward because group management can mandate cooperation. The second is when the contract between the service organisation and subservice organisation explicitly grants audit access rights, which sometimes happens in heavily regulated sectors like financial services.
ISAE 3402.A12 acknowledges that a change from inclusive to carve-out mid-engagement can be justified when the service organisation cannot arrange access to the subservice organisation. This happens in practice when a subservice organisation is acquired by a new parent that restricts third-party audit access, or when a contractual relationship deteriorates.
Cloud providers are almost always carved out
The carve-out method is near-universal for major cloud infrastructure providers (AWS, Azure, Google Cloud). These providers issue their own ISAE 3402 or SOC 1 reports separately, and the service organisation using their infrastructure carves them out. User auditors then evaluate two reports: the service organisation's and the cloud provider's.
Frequently asked questions
What is the carve-out method in ISAE 3402?
Under the carve-out method, the service organisation describes the services the subservice organisation performs but excludes the subservice organisation's control objectives and controls from the scope of the engagement. The service auditor does not test the subservice organisation's controls. The user entity auditor must separately obtain evidence about the subservice organisation's controls.
What is the inclusive method in ISAE 3402?
Under the inclusive method, the subservice organisation's controls are included within the scope of the primary service organisation's ISAE 3402 engagement. The service auditor tests both entities' controls, and the opinion covers both. This method is feasible only when the two organisations are related entities or the contract grants audit access.
Which method is more common in practice?
The carve-out method is far more common. Independent subservice organisations rarely agree to let the primary service organisation's auditor perform procedures at their premises. The inclusive method is typically seen only when the entities share the same parent company or when contractual provisions explicitly grant audit access rights.
How does each method affect the user entity auditor?
Under carve-out, you must obtain and review a separate assurance report for the subservice organisation, adding four to eight hours of senior-level work. Under inclusive, one report covers both entities, so your procedures are limited to evaluating the combined findings and testing CUECs at the user entity.
Further reading and source references
- ISAE 3402.A14: Treatment of subservice organisations in the system description.
- ISAE 3402.A4: Feasibility of the inclusive method and access requirements.
- ISAE 3402.A12: Changing from inclusive to carve-out mid-engagement.
- ISA 402.15–17: User entity auditor's responsibilities when subservice organisations are involved.
- ISA 705: Modifications to the audit opinion when evidence cannot be obtained.