When performing a SSAE 16 Review, you will be inundated with various terms that you may have never heard of before. We plan on continuing with a serious of posts dedicated to explaining the various terminology that you should be aware of to ensure when the auditors are explaining things to you, you don’t lost in the jargon.
Today we will discuss the Carve-out Method.
When management is in the process of writing their description of their system (‘management’s description of the service organization’s system’), there are various ways to address controls or functions relevant to the processes that are outsourced to another organization (‘subservice organization’). Using the carve-out method, you would exclude the subservice organization’s relevant control objectives and related controls from management’s description and scope of the service auditor’s engagement.
Now, this doesn’t mean you don’t need to address the controls that take place at a subservice organization, what it means is that you will need to have controls in place to monitor the effectiveness of the controls at the subservice organization. The most typical way to address this would be to obtain an SSAE 16 from the subservice organization, assuming the relevant controls were covered within their report.
This information is also consistent with SSAE-18 which is effective as of May 1, 2017.