Episode 9 — Subservice Orgs: Inclusive vs Carve-Out

Subservice organizations are the often-unseen backbone of modern digital operations. They are third-party providers that perform key functions on behalf of the audited organization—activities so integral that their reliability directly affects the assurance outcome. These include cloud hosting services like AWS or Azure, payment processors that handle financial transactions, and email delivery or analytics platforms that enable communication and insights. Because these providers influence the security, availability, and integrity of the primary system, their operations must be considered within the SOC 2 scope. The extent of that consideration defines how trust is distributed across boundaries—what is owned, what is inherited, and what is merely monitored. Understanding this linkage between commitments and reliance boundaries ensures that assurance extends beyond the organization’s own walls to its entire operational ecosystem.

The inclusive method offers the most transparent and comprehensive approach to handling subservice organizations. Under this model, the provider’s relevant controls are fully included in the scope of the audit. Management’s system description covers both the organization’s own controls and those operated by the subservice entity. The auditor tests these controls directly whenever feasible, verifying design and operation as if they were internal. The benefit of this approach lies in its end-to-end visibility—customers gain assurance that not only the service organization’s systems but also its critical dependencies meet the same trust criteria. Inclusivity strengthens accountability and fosters integrated risk management, though it requires deeper coordination and access to evidence from the provider.

The carve-out method, by contrast, excludes the provider’s controls from direct audit testing. The organization still describes the subservice’s role and importance but relies on the provider’s own assurance reports—often their own SOC 2 Type II—for validation. This method is more practical when direct testing is not feasible due to contractual or logistical constraints. Carve-out maintains clear ownership boundaries, emphasizing that while the provider contributes to service delivery, the organization retains responsibility for how it integrates those services. Customers receive assurance through layered trust—the provider’s report plus the organization’s description of how those services are used securely. This balance between transparency and manageability makes carve-out the most common approach across industries.

Choosing between inclusive and carve-out approaches depends on several decision drivers. The first is materiality—whether the outsourced activity represents a core function whose failure would significantly impact commitments. The second is access: does the organization have contractual rights to review evidence and interview provider personnel? Next comes feasibility—whether testing provider controls is technically and logistically possible within audit timelines. Finally, customer expectations and industry norms influence direction: financial or healthcare services, for example, may lean toward inclusivity due to regulatory scrutiny. Ultimately, the chosen method should reflect both operational reality and assurance needs, ensuring that trust is substantiated through feasible, defensible evidence.

Contractual prerequisites are the foundation of effective subservice oversight. Without audit rights or data access clauses, even well-intentioned organizations cannot demonstrate control assurance. Contracts should include security and privacy addenda specifying how the provider protects data, cooperates during incidents, and supports compliance inquiries. Data processing terms should align with privacy regulations, while confidentiality obligations protect proprietary information exchanged during audits. Timelines for incident notifications must be explicit, ensuring that neither organization nor customer learns of issues too late. Finally, agreements should guarantee access to assurance artifacts—SOC reports, penetration test results, or bridge letters—on a predictable schedule. These provisions transform vendor relationships from blind trust into verifiable accountability.

Under the inclusive method, evidence collection becomes a joint exercise between the organization and its subservice provider. Auditors may obtain configuration records, logs, or screenshots directly from provider systems to validate controls. Walkthroughs with provider control owners help confirm understanding of processes like change management or access provisioning. Sampling may extend to transactions that traverse both entities, such as data replication or monitoring alerts. Corroborating evidence from tickets, performance metrics, and provider dashboards ensures that controls operate consistently. The inclusive method requires meticulous coordination but yields unparalleled transparency—a unified assurance narrative that reflects the real interconnectedness of modern service delivery.

By contrast, evidence gathering under the carve-out method centers on reviewing the provider’s existing SOC 2 report and related materials. Auditors examine the provider’s management assertion to confirm the scope and time period align with the organization’s reliance. They verify that the report covers relevant Trust Services Criteria and note any exclusions or limitations. Complementary controls—those the organization must implement to make the provider’s controls effective—are carefully evaluated to ensure no dependency gaps remain. If the provider’s report includes findings or exceptions, the organization tracks remediation efforts and follow-ups. This layered evidence approach balances thoroughness with efficiency, recognizing that direct access is not always practical.

Bridge letters close assurance gaps between the end of a provider’s report period and the current audit timeline. These letters, issued by the provider’s management, affirm whether any significant changes or incidents have occurred since their last SOC report. While not equivalent to a full audit, bridge letters maintain assurance continuity for short gaps—typically a few months—until the next report becomes available. Organizations should review these statements carefully, understanding their limitations and any disclosed events. When gaps are lengthy or material changes occur, additional verification—such as questionnaires or security reviews—may be necessary. Bridge letters are a practical tool, but they require contextual judgment to preserve assurance integrity.

Maintaining ongoing oversight of subservice organizations ensures that trust persists long after the audit concludes. Service-level agreements (SLAs) define measurable expectations—uptime, response time, and incident handling—that can be tracked regularly. Risk-tiering helps determine the frequency of due diligence reviews, with higher-risk vendors monitored more closely. Performance metrics, combined with escalation thresholds, create accountability loops. Documenting meetings and follow-up actions ensures a defensible audit trail of oversight. This cadence transforms vendor management from a contractual formality into a living process of shared responsibility and continuous assurance.

Finally, incident coordination between organizations and their subservice providers tests the strength of collaboration when it matters most. Notification channels and timelines should be predefined, with roles for root cause analysis and corrective actions clearly assigned. Joint postmortems ensure both parties learn from shared failures, while coordinated customer communications prevent confusion or inconsistent messaging. Evidence of these joint responses—meeting minutes, incident logs, and corrective action trackers—proves to auditors that incident management extends seamlessly across organizational boundaries. When handled well, such coordination strengthens trust not only between provider and customer but also within the broader assurance ecosystem.

For more cyber-related content and books, please check out cyber author dot me. Also, there are other prepcasts on cybersecurity and more at Bare Metal Cyber dot com.

Describing controls operated by the provider helps demonstrate how external processes integrate with internal governance. Key operational areas—such as access provisioning, change management, and data center operations—often fall under the provider’s purview. The system description should outline these areas, show how outputs (like access logs or incident tickets) feed into the organization’s control environment, and explain how that evidence is reviewed. When a provider manages encryption keys, for example, the organization’s control might involve verifying rotation reports or reviewing audit logs. Any constraints or assumptions—such as limited visibility or delayed reporting—should be transparently disclosed. This documentation ensures that assurance remains credible even when external dependencies exist.

Sampling and population definition vary significantly between inclusive and carve-out methods. Under the inclusive method, the population expands to include transactions, access events, or configuration changes occurring within the provider’s systems. This broader scope increases complexity but offers end-to-end assurance. In a carve-out arrangement, sampling focuses on interface controls—where the organization and provider exchange data or manage joint processes. Completeness checks ensure all relevant records from both sources are included in testing, even if the provider’s internal data remains out of scope. Clearly documenting the rationale for each sampling approach ensures transparency with auditors and stakeholders, proving that testing aligns with the chosen assurance model.

When working with global providers, data residency and sovereignty become central concerns. The organization must identify all regions where data is stored or processed and verify that deployment matches stated commitments. Contracts should specify legal mechanisms for cross-border transfers, such as standard contractual clauses or recognized privacy frameworks. Evidence must demonstrate alignment between contractual promises and technical configurations—for example, verifying that backups or failovers occur only in approved regions. Documentation should also address how data deletion or retrieval requests are handled across jurisdictions. Clarity on residency ensures that customers understand not only where their data lives but how it remains protected under varying legal regimes.

In complex environments, shared service incident responsibilities require precise coordination. The organization and its provider must agree on what constitutes a “major incident” and outline roles for detection, communication, and remediation. Regular joint tabletop exercises test readiness and clarify decision-making under pressure. After real incidents, both sides should share postmortem findings and verify that action items are tracked to completion. Lessons learned often lead to updates in contracts, SLAs, or technical controls. These activities not only improve operational resilience but also serve as audit evidence that the partnership is mature, disciplined, and aligned under real-world stress conditions.

Effective change management at the interface ensures stability when either the organization or its provider modifies systems affecting shared controls. Providers must give advance notice for material updates—such as API version changes, infrastructure migrations, or altered logging schemas. The organization, in turn, should validate these changes through testing and obtain approvals before deployment. If adverse impacts occur, rollback procedures and contingency plans prevent extended disruptions. All steps—notifications, approvals, validations, and outcomes—should be recorded in tickets or change logs for audit traceability. This structured communication ensures that even when independent entities evolve, they do so without compromising assurance integrity.

Access governance dependencies often arise when subservice providers grant privileged console or administrative access to the organization’s systems, or vice versa. The system description should specify expectations for joiner, mover, and leaver timelines, ensuring prompt account provisioning and revocation. Regular reviews confirm that access privileges remain appropriate, while segregation of duties prevents any single entity from wielding unchecked authority across both environments. Evidence such as approval records, role definitions, and access review attestations demonstrates that governance remains active and controlled. Managing these dependencies carefully reinforces mutual accountability and helps prevent one party’s oversight from becoming another’s vulnerability.

Ensuring availability and disaster recovery alignment with providers completes the assurance chain. The organization must obtain and review evidence of provider backup, restore, and failover tests, verifying that results meet contractual recovery objectives. Dependency mapping identifies critical points where an outage at the provider could cascade to the organization’s service. Single points of failure should be mitigated through redundancy or alternate providers where possible. Providers must also communicate planned maintenance and unplanned outages promptly, with status updates aligning to customer commitments. This transparency enables proactive communication with end users and maintains trust during disruptions.

Privacy and confidentiality overlays extend assurance into legal and ethical territory. Providers handling personal or confidential data must define processing purposes, lawful bases, and retention schedules consistent with the organization’s own commitments. Contracts should mandate minimum safeguards—encryption, access controls, and pseudonymization—and require provider support in handling data subject requests. Audit evidence may include logs of rights request fulfillment or incident reports involving personal data. Breach notification clauses must align not just on timing but on escalation processes and communication templates. Integrating privacy and confidentiality governance across provider boundaries ensures that protections promised to customers remain intact throughout the data supply chain.

Recognizing common pitfalls helps organizations preempt weaknesses in subservice oversight. One frequent issue is misaligning the chosen method—using a carve-out where material dependencies demand inclusion, or vice versa. Another is relying on outdated or irrelevant provider reports that don’t align with current systems or audit periods. Unclear interface controls often lead to assurance gaps, where neither party’s controls fully address a shared risk. Remedies include updating contracts, refreshing mappings between controls, and enhancing monitoring programs. The best assurance outcomes come from continuous dialogue, documented accountability, and adaptability when the external landscape changes faster than audit cycles.

In conclusion, managing subservice organizations through either the inclusive or carve-out approach defines the clarity and credibility of a SOC 2 report. The inclusive method offers transparency and completeness but requires significant collaboration and access. The carve-out method provides practicality and efficiency, relying on layered assurance from provider reports. The choice depends on risk, access, and customer expectations—but regardless of method, success rests on rigorous evidence, strong contracts, and ongoing oversight. Disclosing these relationships clearly in the system description and aligning them with customer responsibilities ensures that assurance remains both defensible and understandable. With subservice clarity established, the next logical step in the SOC 2 journey is refining how CUECs and shared accountability are communicated to customers with precision and confidence.
