
For purposes of SSAE 16 compliance, the carve-out method is the method used to address the services provided by a subservice organization. In this scenario, management of the service organization includes within its description of the "system" the services performed by the subservice organization, but excludes the subservice organization's control objectives and related controls from the description of the "system" and from the scope of the engagement itself. However, management of the service organization is responsible for including within its "system" description the controls that are in place to monitor the effectiveness of the controls at the subservice organization. For example, management could review the subservice organization's own SOC 1 (SSAE 16), SOC 2 (AT 101), or even SOC 3 (SysTrust/WebTrust) report. Stating this within the description of the "system" is therefore an important component of SSAE 16 reporting under the carve-out method, if it is used.

Subservice organization reporting also includes the inclusive method.

Along with gaining an understanding of subservice organization reporting requirements for SSAE 16 compliance, you'll also benefit from learning about SSAE 16 controls and the Internal Control over Financial Reporting (ICFR) concept.

Please contact Christopher Nickell, CPA, at 1-800-277-5415, ext. 706, if you are interested in learning more about NDNB's services and our competitive, fixed-fee assessments.
