How it works
Your client outsources payroll to Service Organization A. Service Organization A outsources its data hosting to Service Organization B. Service Organization B is the subservice organization. The question for the service auditor (and eventually for you as user auditor) is whether B's controls are in scope.
ISAE 3402.A6 describes two methods for dealing with subservice organizations. Under the inclusive method, the service organization's system description includes the subservice organization's controls, and the service auditor tests them. Under the carve-out method, the description identifies the subservice organization and describes the functions it performs, but excludes its controls from the scope of the report.
ISA 402.A7 requires the user auditor to understand how the service organization uses subservice organizations and whether the subservice organization's controls are included in the SOC report. When the carve-out method is used, you need to determine whether you can obtain sufficient evidence about the subservice organization's controls through other means: a separate SOC report from the subservice organization, direct testing, inquiry of the service organization, or inspection of relevant documentation.
The practical risk is straightforward. If a key processing step happens at a subservice organization that was carved out, the SOC report on your client's primary service organization gives you zero coverage of that step.
Key Points
- A subservice organization is a service provider used by your client's service provider.
- The SOC report either includes the subservice organization's controls (inclusive method) or excludes them (carve-out method).
- If the carve-out method is used, you have no assurance over the subservice organization's controls from the SOC report alone.
- Most mid-tier engagements encounter subservice organizations in cloud hosting and payment processing chains.
Worked example: Alpenhaus Einzelhandel GmbH
Client: Austrian retail chain, FY2024, revenue €60M, Austrian UGB reporter. Uses FinServ GmbH for payment processing. FinServ uses Amazon Web Services (AWS) as its cloud infrastructure provider.
Obtain the SOC 1 Type II report from FinServ. Page 3 of Section II states: "FinServ uses Amazon Web Services (AWS) for production infrastructure hosting. AWS controls are excluded from the scope of this report (carve-out method)."
Evaluate the effect. FinServ processes payment transactions, but the database where transaction records are stored runs on AWS infrastructure. Physical security, network availability, data backup, and disaster recovery at the infrastructure level are all AWS's responsibility.
Obtain evidence over AWS controls. AWS publishes its own SOC 2 Type II report. Request a copy (or confirm your client's contract permits access). Read the AWS SOC 2 for the relevant Trust Services Criteria.
Evaluate the combined coverage. FinServ's SOC 1 covers application-level controls. AWS's SOC 2 covers infrastructure-level controls. Together they provide coverage for the full processing chain.
Conclusion: the carve-out method in FinServ's report required obtaining a separate SOC 2 from AWS. Without it, the infrastructure controls underlying payment processing would have been entirely untested.
What reviewers and practitioners get wrong
- The most frequent issue is not identifying the subservice organization at all. Teams read the SOC report opinion and Section III but skip the system description in Section II where subservice organizations are disclosed. ISAE 3402.A6 requires the system description to identify subservice organizations regardless of the method used. If you don't read it, you don't know they exist.
- A second common error is treating the carve-out method as acceptable without any follow-up. The carve-out means the controls were excluded from testing. ISA 402.A7 requires you to consider what evidence you need over those controls. Accepting the carve-out without further action leaves a gap in your evidence.
Inclusive method vs carve-out method
| Dimension | Inclusive method | Carve-out method |
|---|---|---|
| What the SOC report covers | Both the service organization's and the subservice organization's controls | Only the service organization's controls |
| Service auditor's work | Tests controls at both organizations | Tests controls at the service organization only |
| User auditor follow-up | Usually none (for the subservice organization specifically) | Must obtain separate evidence over the subservice organization's controls |
| Common in practice | Less common (requires cooperation from the subservice organization) | More common (the default for large infrastructure providers like AWS, Azure, GCP) |
Key standard references
- ISAE 3402.A6–A7: Defines subservice organizations and the inclusive and carve-out reporting methods.
- ISA 402.A7: Requires the user auditor to understand subservice organization arrangements and evaluate evidence needs.
Frequently asked questions
What is the difference between the inclusive method and the carve-out method?
Under the inclusive method, the SOC report covers both the service organization's and the subservice organization's controls, and the service auditor tests both. Under the carve-out method, the SOC report covers only the service organization's controls; the subservice organization's controls are excluded. When the carve-out method is used, you must obtain separate evidence over the subservice organization's controls.
How do I identify subservice organizations in a SOC report?
Subservice organizations are disclosed in Section II (the system description) of the SOC report, regardless of the method used. ISAE 3402.A6 requires the system description to identify subservice organizations. If you skip Section II and only read the opinion and test results, you will not know they exist.