The SOC 1 SSAE 18 inclusive method, according to the AICPA publication, "Attestation Standards: Clarification and Recodification" (April, 2016) is the following:
Method of addressing the services provided by a subservice organization whereby management’s description of the service organization’s system includes a description of the nature of the services provided by the subservice organization as well as the subservice organization’s relevant control objectives and related controls.
Inclusive vs. Carve-Out
As CPA's, we've been told that the inclusive method is generally feasible and proper to use if the service organization and the subservice organization are actually related. The term "related" can mean many things, thus it's important to gain a strong understanding of what the actual subservice organization is doing for the service organization - that is - what services are they performing. And remember that if the service auditor (i.e., the CPA performing the actual SOC 1 SSAE 18 engagement) is unable to obtain an actual written statement of "assertion" from the subservice organization, then the inclusive method cannot be used, and must instead opt for the "carve-out" method.
The carve-out method is where management's description of its "system" discusses the nature of the services performed by the actual subservice organization, but does NOT include the subservice organization's relevant control objectives and the related controls.
Quite a bit to take in, isn't it? That's why you need to confer with a well-qualified CPA firm who has years of experience in performing these types of engagements. They'll essentially be able to assist you regarding the use of the "inclusive" or "carve-out" method for purposes of subservice organization reporting.
The Importance of Subservice Organization Reporting is Growing
Regardless if it's the SOC 1 SSAE 18 inclusive method or the SOC 1 SSAE 18 carve-out method that is utilized, what's fundamentally important to understand is that there's now a greater emphasis placed on subservice organizations. After all, many entities outsources to other entities to perform a certain task or function, so shouldn't these organizations have to undergo certain test procedures or validation requirements - of course they should. Often times in the world of SSAE 16 you'll find that these subservice organizations may have already gone through a SOC 1 SSAE 18 Type 1 or Type 2 assessment process, because these actual organizations may consider themselves an actual service organization for somebody else, and "just" a subservice organization for purposes of your SOC 1 SSAE 18 nclusive method reporting.
Other topics of notable interest relating to the SOC 1 SSAE 18 inclusive method and SOC 1 SSAE 18 reporting include the following: