Key takeaways

  • The carve-out method excludes the subservice's controls from the report. The user entity auditor must separately obtain evidence about those controls.
  • The inclusive method includes both entities' controls in the report. The service auditor tests both and the opinion covers both.
  • Most ISAE 3402 reports use carve-out because independent subservices rarely grant audit access.
  • The method choice affects how much work falls on the user entity auditor and how many assurance reports you need to review.

What counts as a subservice

Carve-out vs inclusive is the decision service organisations consistently make incorrectly, then try to fix in the second year. By then the system description has been out to 40 user entities, every one of their auditors has built a file around it, and unwinding the choice costs more than sitting with the wrong one.

A subservice is any third party that performs part of the service the primary service organisation (SO) provides to its clients. ISAE 3402.9(j) defines it as an organisation used by the SO to perform some of the services provided to user entities that are likely to be relevant to those user entities' internal control over financial reporting.

The distinction matters because not every vendor an SO uses qualifies. An office cleaning company is a vendor but not a subservice. A cloud hosting provider that runs the servers where your client's financial data is processed qualifies. The test is whether the third party's services are relevant to the control objectives in the ISAE 3402 report.

Common subservices include data centre operators, IT infrastructure providers, and outsourced software development firms that maintain production environments. When I read an ISAE 3402 report and see a reference to "subservice organisations," I check the system description to understand exactly which services have been delegated and to whom.

How the carve-out method works

Under carve-out, the SO describes the services the subservice performs, but excludes the subservice's control objectives and controls from the scope of the ISAE 3402 engagement. ISAE 3402.A14 allows this approach.

The system description will state something like: "Rijnhart Asset Management B.V. uses CloudNord B.V. for data centre hosting. The controls at CloudNord related to physical security, environmental controls, network infrastructure, and backup availability are carved out of this report."

The service auditor does not test CloudNord's controls. What the service auditor does test is the primary SO's own monitoring controls over the subservice. In our experience, these monitoring controls amount to reviewing CloudNord's own ISAE 3402 or SOC 2 report annually and maintaining contractual SLAs with defined performance thresholds. On about half the engagements we've seen, that review is the "appears reasonable. Waive further pursuit." kind, where the user entity signs off on the subservice's own report without reading the testing exceptions.

For the user entity auditor, a carve-out means you have a gap. The primary SO's report gives you evidence about its own controls but tells you nothing about whether the subservice's controls are operating effectively. You need to fill that gap yourself, typically by obtaining and reviewing the subservice's own assurance report, or by performing alternative procedures if no such report exists.

How the inclusive method works

Under the inclusive method, the subservice's controls are included within the scope of the primary SO's ISAE 3402 engagement. The service auditor tests both the primary SO's controls and the subservice's controls, and the opinion covers both.

ISAE 3402.A4 notes that the inclusive method is generally feasible only when the SO and the subservice are related entities, or when the contract between them specifically provides for access by the service auditor. This is a practical constraint, not a theoretical one. Most independent third-party subservices will not grant access to another firm's auditor. They have their own assurance report and their own auditor, with no incentive to coordinate with yours. That is when inclusive testing quietly becomes ticking and bashing: the subservice emails over a spreadsheet of control evidence, the service auditor ticks the sample without walking the process, and the file carries an opinion that technically covers both entities but tests one and a half of them.

When the inclusive method is used, the system description identifies the subservice and describes both entities' controls. The service auditor performs procedures at both organisations. The subservice's management must also provide a written assertion alongside the primary SO's assertion.

For the user entity auditor, an inclusive report is simpler to work with. The service auditor's opinion covers the full chain, from the primary SO through the subservice. You still need to test any CUECs, but you don't need to separately obtain and review a second assurance report for the subservice's controls.

What changes in the report under each method

The system description is where the difference is most visible. Under carve-out, the description names the subservice and explicitly says its controls are excluded. Under inclusive, the description integrates the subservice's controls into the relevant control objective sections, often with clear labelling to distinguish which controls sit at which entity.

The service auditor's opinion letter also changes. Under carve-out, the opinion states that the subservice's controls are excluded from scope. Under inclusive, the opinion covers both organisations without carving anything out.

The control testing section (Section IV in a Type II report) reflects the same split. Under carve-out, you'll see tests of the primary SO's monitoring controls over the subservice, but no tests of the subservice's own controls. Under inclusive, you'll see tests of both entities' controls, and the results table will indicate which entity operates each control.

One thing that does not change between methods is the CUECs. Both carve-out and inclusive reports will list CUECs where the user entity is responsible for controls that complete the control objectives. The method only affects how subservice controls are handled, not how user entity controls are disclosed.

How each method affects the user entity auditor

Carve-out vs inclusive is the discussion that happens on day three of the engagement and should have happened before the letter was signed. By the time a senior is staring at the second SOC report, the scope is fixed and the budget isn't.

Under carve-out, your ISA 402 work increases. You need to:

  1. Identify which subservices are carved out and what services they provide
  2. Assess whether those services are relevant to your audit assertions
  3. Obtain evidence about the subservice's controls (usually by reviewing its own ISAE 3402 or SOC 2 report)
  4. Evaluate any exceptions or gaps in the subservice's report and determine the impact on your audit

If the subservice does not issue its own assurance report, you have a problem. ISA 402.17 requires you to consider whether sufficient appropriate audit evidence can be obtained through alternative procedures, or whether you need to modify your opinion under ISA 705.

Under inclusive, the service auditor has already done this work. Your procedures are limited to:

  1. Confirming the inclusive report covers the subservice's controls relevant to your assertions
  2. Evaluating the service auditor's findings for both entities
  3. Testing relevant CUECs at the user entity

The time and cost difference is real. On a typical engagement where the user entity relies on an SO that carved out its data centre provider, reviewing the second assurance report and mapping it to your assertions can add four to eight hours of senior-level work. If that subservice has exceptions in its report, the analysis takes longer.

Carve-out vs inclusive method at a glance
Factor                          | Carve-out                               | Inclusive
Subservice controls tested?     | No (excluded from scope)                | Yes (tested by service auditor)
Service auditor opinion covers  | Primary SO only                         | Both entities
User auditor extra work         | Must obtain and review second report    | None (one report covers all)
Common usage                    | Most reports (independent subservices)  | Related entities or contractual access
Typical additional time         | 4–8 hours senior-level per subservice   | Minimal

Worked example: Rijnhart Asset Management B.V. and its data centre

Rijnhart Asset Management B.V. manages €2.1 billion in assets for institutional clients across the Netherlands. It outsources its portfolio accounting and NAV calculation to FinServPro B.V., which holds an ISAE 3402 Type II report.

FinServPro, in turn, hosts its production environment at CloudNord B.V., a data centre operator in Frankfurt. The question is whether FinServPro's ISAE 3402 report uses carve-out or inclusive for CloudNord.

Scenario A: carve-out

FinServPro's system description states: "FinServPro uses CloudNord B.V. for data centre hosting services including physical security, environmental controls, network availability, and disaster recovery. The controls at CloudNord are not included in the scope of this report."

You're auditing Rijnhart. You've obtained FinServPro's report and noted the carve-out. Your next step is to assess whether CloudNord's controls are relevant to your assertions. They are, because if the data centre has an availability failure, NAV calculations could be delayed or corrupted, affecting the accuracy of Rijnhart's reported portfolio valuations.

You request CloudNord's own SOC 2 Type II report. CloudNord provides one covering the same period. You review the report and note that CloudNord received an unqualified opinion with one exception: a physical access badge was not deactivated for 12 days after a contractor's engagement ended. You assess whether this exception affects Rijnhart's data (it does not, because the contractor had no logical access to FinServPro's application layer). You document this assessment in your ISA 402 WP.

Documentation note (carve-out)

CloudNord B.V. SOC 2 Type II reviewed per ISA 402.15. One exception noted (badge deactivation, 12-day delay). Exception assessed as not impacting FinServPro's application-layer controls or Rijnhart's financial data. No additional procedures required.

Scenario B: inclusive

FinServPro's system description integrates CloudNord's controls directly. Section III lists CloudNord's physical access controls, environmental monitoring, backup procedures, and network segmentation alongside FinServPro's own application-level controls. The service auditor tested both. The opinion covers both entities.

Your work as Rijnhart's auditor is simpler. You read one report. The service auditor already tested CloudNord's controls and reported the results. You evaluate the findings, test the CUECs at Rijnhart, and move on. No second report to obtain, no separate assessment to perform.

Here is the difference in your WP. Under carve-out, you have a full page documenting your review of CloudNord's report and your assessment of the exception. Under inclusive, you have a paragraph confirming the inclusive report covers the relevant controls and noting the service auditor's findings.

When to expect each method in practice

Most ISAE 3402 reports use the carve-out method. The inclusive method requires cooperation from the subservice, including agreeing to let the primary SO's auditor perform procedures at its premises. Independent subservices rarely agree to this. They already invest in their own assurance report and see no reason to participate in someone else's audit.

At firms like ours, you'll typically see the inclusive method in two situations. The first is when the SO and subservice are related entities (same parent company, same group). If FinServPro and CloudNord were both subsidiaries of the same holding company, the inclusive method becomes straightforward because group management can mandate cooperation. The second is when the contract between the SO and subservice explicitly grants audit access rights, which sometimes happens in heavily regulated sectors like financial services.

ISAE 3402.A12 acknowledges that a change from inclusive to carve-out mid-engagement can be justified when the SO cannot arrange access to the subservice. This happens in practice when a subservice is acquired by a new parent that restricts third-party audit access, or when a contractual relationship deteriorates.

Cloud providers are almost always carved out

The carve-out method is near-universal for major cloud infrastructure providers (AWS, Azure, Google Cloud). These providers issue their own ISAE 3402 or SOC 1 reports separately, and the SO using their infrastructure carves them out. User auditors then evaluate two reports, the SO's and the cloud provider's.

Whichever you settle on, carve-out or inclusive, the ISAE 3402 Audit Workbook handles both methods. The control matrix adjusts for whichever approach applies, and the scoping tab documents your rationale with paragraph-level references.

Frequently asked questions

What is the carve-out method in ISAE 3402?

Under the carve-out method, the SO describes the services the subservice performs but excludes the subservice's control objectives and controls from the scope of the engagement. The service auditor does not test the subservice's controls. The user entity auditor must separately obtain evidence about the subservice's controls.

What is the inclusive method in ISAE 3402?

Under the inclusive method, the subservice's controls are included within the scope of the primary SO's ISAE 3402 engagement. The service auditor tests both entities' controls, and the opinion covers both. This method is feasible only when the two organisations are related entities or the contract grants audit access.

Which method is more common in practice?

The carve-out method is far more common. Independent subservices rarely agree to let the primary SO's auditor perform procedures at their premises. The inclusive method is typically seen only when the entities share the same parent company or when contractual provisions explicitly grant audit access rights.

How does each method affect the user entity auditor?

Under carve-out, you must obtain and review a separate assurance report for the subservice, adding four to eight hours of senior-level work. Under inclusive, one report covers both entities, so your procedures are limited to evaluating the combined findings and testing CUECs at the user entity.

Further reading and source references

  • ISAE 3402.A14. Treatment of subservices in the system description.
  • ISAE 3402.A4. Feasibility of the inclusive method and access requirements.
  • ISAE 3402.A12. Changing from inclusive to carve-out mid-engagement.
  • ISA 402.15–17. User entity auditor's responsibilities when subservices are involved.
  • ISA 705. Modifications to the audit opinion when evidence cannot be obtained.