The SOC 1 SSAE 18 inclusive method is defined in the AICPA publication "Attestation Standards: Clarification and Recodification" (April 2016) as follows:
Method of addressing the services provided by a subservice organization whereby management’s description of the service organization’s system includes a description of the nature of the services provided by the subservice organization as well as the subservice organization’s relevant control objectives and related controls.
Inclusive vs. Carve-Out
As CPAs, we've been told that the inclusive method is generally feasible and appropriate when the service organization and the subservice organization are actually related (for example, affiliated entities or entities under common ownership), because the service auditor needs access to the subservice organization's people, controls and evidence. The term "related" can mean many things, so it's important to gain a strong understanding of what the subservice organization is actually doing for the service organization - that is - what services it is performing. And remember that if the service auditor (i.e., the CPA performing the SOC 1 SSAE 18 engagement) is unable to obtain a written assertion from the subservice organization's management, then the inclusive method cannot be used, and the service organization must instead opt for the "carve-out" method.
The carve-out method is where management's description of its "system" discusses the nature of the services performed by the subservice organization, but does NOT include the subservice organization's relevant control objectives and related controls. Instead, the description identifies the types of controls the subservice organization is assumed to have in place (the complementary subservice organization controls) that the service organization's control objectives depend on.
Quite a bit to take in, isn't it? That's why you need to confer with a well-qualified CPA firm that has years of experience performing these types of engagements. They'll be able to advise you on whether the "inclusive" or the "carve-out" method is appropriate for your subservice organization reporting.
The Importance of Subservice Organization Reporting is Growing
Regardless of whether the SOC 1 SSAE 18 inclusive method or the SOC 1 SSAE 18 carve-out method is utilized, what's fundamentally important to understand is that SSAE 18 places greater emphasis on subservice organizations: management is now expected to describe the controls it uses to monitor the effectiveness of the subservice organization's controls, such as reviewing the subservice organization's own SOC report. After all, many entities outsource certain tasks or functions to other entities, so shouldn't those organizations have to undergo certain test procedures or validation requirements? Of course they should. Often you'll find that a subservice organization has already gone through a SOC 1 SSAE 18 Type 1 or Type 2 assessment of its own, because it considers itself a service organization to somebody else, and "just" a subservice organization for purposes of your SOC 1 SSAE 18 inclusive method reporting.
Other topics of notable interest relating to the SOC 1 SSAE 18 inclusive method and SOC 1 SSAE 18 reporting include the following:
The SSAE 16 management assertion is a requirement whereby management of the service organization provides the practitioner (i.e., the CPA performing the SSAE 16 engagement) with a written assertion in which management "asserts" to a number of matters for purposes of SSAE 16 compliance. It's also important to note that this written assertion is identified by any number of similar phrases, such as the following:
An SSAE 16 report is issued after the completion of all assessment activities undertaken in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 16, and it can be either a Type 1 or a Type 2 report, depending on the needs of the service organization and its user entities. With that said, it's important to understand the contents of an SSAE 16 report and what each section means. This will give you a much greater understanding of SSAE 16 Type 1 and Type 2 assessments, and of the reports that are issued for them.
SSAE 16 controls form a critical component of any SSAE 16 assessment, as they largely determine which areas within a service organization's control environment are going to be evaluated and, in SSAE 16 Type 2 assessments, tested for operating effectiveness. But much like the historical SAS 70 auditing standard, SSAE 16 allows a high degree of flexibility regarding SSAE 16 controls, specifically in the language of the control objectives themselves, the areas they evaluate and test, and other critical issues. Unlike PCI DSS compliance, which is prescriptive in nature as defined by the 12 specific PCI DSS "Requirements" and their supporting tests, SSAE 16 relies on the service organization to assess and determine which controls are to be included. That's easier said than done, so take note of the following 5 important points to know about SSAE 16 controls.
SSAE 16 Type 2 reports are being issued for service organizations from a wide and varied list of industries these days. Much of this has to do with the passing of the torch from the SAS 70 auditing standard to the SSAE 16 attestation standard, along with more and more service organizations simply being required to undergo SSAE 16 Type 2 compliance. With that said, an introduction to SSAE 16 Type 2 reports will help all interested parties (i.e., service auditors, service organizations, user entities, etc.) gain a greater understanding of Statement on Standards for Attestation Engagements (SSAE) No. 16. So take note of the following points regarding SSAE 16 Type 2 reports.
The AICPA has officially published "Statement on Standards for Attestation Engagements - Reporting on Controls at a Service Organization", which is now the essential guide for all parties interested in learning more about the SSAE 16 AICPA attestation standard. And though the guide is extremely helpful to practitioners, it can seem a little dry to the average reader. With that said, let's pull out the essential and critical points from this publication, in hopes of giving readers a comprehensive and thorough understanding of SSAE 16.