SOC Reports: An Evaluation of the Inclusive Method vs. Carve-Out Method

White Paper

By: Jamie Kilcoyne CPA CISA, Managing Director of Coalfire Controls & Carlos Pelaez CISA PRINCE2, National Practice Leader of Coalfire Systems Inc.

There are various factors that contribute to the overall scope and cost of Service Organization Controls (SOC) Reports. This includes the size and complexity of the organization, the number of service offerings, the number of in-scope locations, and the use of subservice organizations. Many organizations outsource a part of their service to subservice organizations and should recognize the importance of understanding this relationship. When an organization uses a hosting company, cloud infrastructure provider, or logging management, they are essentially using a subservice organization. The implications for a SOC report can vary depending on whether or not the Inclusive Method or the Carve-Out Method is applicable.

This document requires registration. Please fill out the form to receive access.