The carve-out vs inclusive method choice is not a contest between competing audit methods. It is a choice between two cost models. Carve-out keeps your audit scope narrow and treats the subservice organization through vendor-risk-management discipline; inclusive expands the audit, requires the subservice provider to deliver an assertion letter, and lifts the audit fee 30 to 50 percent. Most subservice organizations refuse the inclusive method, which is why the decision usually defaults to carve-out. But the four scenarios where inclusive earns its premium are not in any vendor blog.
The phone call that triggers the comparison usually goes like this: a Software-as-a-Service Chief Technology Officer brings on a new payment processor or analytics provider. The procurement team flags it as a subservice organization. The audit firm asks the question: carve-out or inclusive? The vendor blogs explain the mechanics. None of them help the CTO decide which one fits her actual situation, and the decision shapes audit cost, audit timeline, customer assurance posture, and contractual leverage with the subservice provider for years.
This article gives you the decision matrix and the contract language you need to make the inclusive call when it actually pays. It is written for the CTO or compliance lead whose audit firm is asking the question and whose finance team needs the answer in dollar terms.
The Two Methods, In Plain Terms
A subservice organization is a third party whose services are part of your system in a way that affects your ability to meet the Trust Services Criteria commitments to your customers. Cloud hosting providers, payment processors, identity providers, customer-data platforms, and primary database services are typical examples. The subservice organization’s controls are not yours, but the failure of those controls would affect your customers.
The carve-out method acknowledges that the subservice organization exists, identifies the services it performs, and explicitly excludes its controls from the scope of your audit. Your description of your system includes the services performed by the subservice organization, the types of controls expected to be in place at the subservice organization (the “complementary subservice organization controls” or CSOCs), and the controls you maintain to monitor the effectiveness of the subservice organization’s controls. Your audit firm tests your monitoring controls, not the subservice organization’s underlying controls.
The inclusive method extends the audit boundary to cover the subservice organization. The auditor evaluates the subservice provider’s systems and processes as if they are an extension of your own. The subservice organization signs an assertion letter, provides a representation letter, makes personnel available for testing, and grants the auditor access. The findings about the subservice provider appear in your SOC 2 report alongside your own controls.
The Decision Matrix
The decision turns on four dimensions. Each dimension has a clear directional pull, and the four together produce the answer for any given subservice relationship. Most decisions are obvious; the close calls are where the matrix is most useful.
| Dimension | Pulls Toward Carve-Out | Pulls Toward Inclusive |
|---|---|---|
| Subservice Has Its Own SOC 2 | Yes (Type II covering relevant services and period) | No or scope insufficient |
| Customer Assurance Demand | Carve-out is acceptable to customer base | Customers explicitly require inclusive coverage |
| Contractual Leverage | You cannot compel subservice cooperation | Contract grants you cooperation rights and the provider agrees |
| Risk Concentration | Subservice is one of many; failure is recoverable | Subservice is mission-critical; failure is existential |
The first dimension is whether the subservice organization has its own SOC 2 Type II report covering the relevant services and audit period. If it does, the carve-out method works because your audit firm can rely on the subservice’s report for the controls outside your scope. The customer can request both reports and assemble end-to-end assurance. If the subservice does not have a SOC 2, or has one whose scope or period is insufficient, the carve-out method leaves a gap, and the inclusive method may be the only way to produce complete coverage.
The second dimension is what your customer base actually demands. Most enterprise customers accept carve-out and request the subservice’s separate SOC 2 alongside yours. Some customers, particularly in regulated industries (financial services, healthcare, federal government), demand inclusive coverage to compress assurance into a single document. The customer demand is empirical; ask your largest customers what they expect rather than assuming.
The third dimension is contractual leverage. The inclusive method requires the subservice organization to participate actively. The provider must sign the assertion letter, sign the representation letter, make personnel available for auditor testing, and grant the auditor system access. Most subservice organizations refuse all of this because they have their own SOC 2 reports and treat customer-specific inclusive participation as a non-scalable obligation. If your contract with the subservice does not grant you cooperation rights, the inclusive method is operationally infeasible regardless of your preference.
The fourth dimension is risk concentration. A subservice organization that is one of several similar providers, easily replaceable, and not core to your value proposition is a candidate for carve-out treatment. A subservice organization whose failure would be existential to your business may justify the cost of inclusive coverage even when the other three dimensions point toward carve-out, because the inclusive testing produces a deeper understanding of the dependency.
The Cost Math
The audit fee differential between carve-out and inclusive is typically 30 to 50 percent, scaling with the size and complexity of the subservice scope. For a Software-as-a-Service company with one major subservice (a hosting provider), inclusive coverage of that subservice might add $30,000 to $80,000 to a $150,000 base audit fee. The differential rises with multiple subservices and falls with smaller scopes.
The audit timeline differential is typically 30 to 60 days. The auditor must coordinate with the subservice organization, schedule testing, perform on-site or remote testing, evaluate findings, and incorporate the results into the report. Each step adds calendar time that does not exist in a carve-out engagement.
The internal cost differential is significant but often unbudgeted. Coordinating an inclusive engagement requires legal review of the subservice contract, negotiation with the subservice’s legal and compliance teams, project management to align audit timelines, and potentially internal disputes when the subservice’s findings affect your report.
The customer-acquisition impact is the offset. Inclusive coverage in a SOC 2 report can be a differentiator with regulated customers and large enterprise buyers whose security review processes value compressed assurance. The differential customer-acquisition value can exceed the cost differential when the customer base is dominated by regulated buyers.
The Four Scenarios Where Inclusive Earns Its Premium
Inclusive coverage is the right call in four specific scenarios. Recognizing the scenarios is more valuable than rehearsing the mechanics.
The first scenario is the regulated-customer concentration. Your customer base is dominated by financial services, healthcare, federal government, or other regulated buyers whose own compliance posture depends on the assurance you provide. These buyers often require inclusive coverage for the subservices most material to your service. The audit fee premium is recovered through customer retention and acquisition.
The second scenario is the missing or inadequate subservice SOC 2. Your subservice provider does not have a SOC 2, has one whose scope does not cover the services you depend on, or has one whose audit period does not align with yours. The carve-out method leaves an assurance gap that customers will eventually flag. Inclusive coverage closes the gap, particularly for the period until the subservice produces its own report.
The third scenario is the architecturally embedded subservice. Some subservices are not separable from your service in the customer’s mental model. A SaaS offering that runs on a single cloud-native platform with deep platform-feature integration is, from the customer’s perspective, that platform. Inclusive coverage matches the customer’s perception of the service boundary and produces an assurance document that reflects how the service actually operates.
The fourth scenario is the cooperative subservice. Some subservice providers, particularly those whose relationship with you is strategic (a partnership rather than an arm’s-length vendor relationship), agree to inclusive participation as part of the broader commercial arrangement. Cooperation eliminates the operational obstacle, and the inclusive method becomes practical when the contractual leverage exists.
The Contract Language That Matters
The decision to use the inclusive method has to be supported by contract language. Standard subservice agreements rarely include the cooperation rights inclusive coverage requires, and adding the language after the relationship is established is materially harder than including it at the start.
The contract language has four elements. First, the subservice provider agrees to participate in the customer’s SOC 2 audit on the inclusive basis when requested with reasonable notice (typically 90 to 120 days). Second, the subservice provider commits to providing the assertion letter, the representation letter, personnel availability for testing, and system access as the customer’s auditor reasonably requires. Third, the subservice provider agrees to remediation of findings that affect the customer’s controls, with timelines proportional to the severity of the finding. Fourth, the cost of inclusive participation is allocated, typically with the subservice provider bearing its own internal costs and the customer bearing the audit firm’s incremental fee.
For new subservice relationships, the contract language is negotiable as part of the initial agreement. The cost of including it is low, even if the right to invoke it is rarely exercised. For existing subservice relationships, the language is a contract amendment. Most subservice providers will agree to amendments at renewal, particularly when the customer’s business is material to them; few will agree mid-term outside renewal.
The Customer Communication
The decision affects customer communication regardless of which method is chosen. Customers reading a SOC 2 report want to understand how subservices are treated; the report’s language matters as much as the underlying decision.
For carve-out reports, the description of services should be specific about which subservices are out of scope, what services they perform, and what complementary controls are expected at the subservice organization. The customer reading this language should be able to identify the subservice’s own SOC 2 report and request it for end-to-end assurance.
For inclusive reports, the description of services should clearly identify which subservices are included, what services they perform, and how their controls are tested as part of the report. The customer reading this language should understand that the report covers the full service stack, including the named subservices.
The mistake to avoid is ambiguity. A report that names a subservice without specifying treatment leaves the customer to infer, and the inference often goes wrong. Be explicit about which method applies to each named subservice.
When the Decision Changes
The decision is not one-time. Three triggers should prompt a re-evaluation of the carve-out versus inclusive choice.
The first trigger is a change in customer composition. Acquiring large regulated customers may shift the optimal posture toward inclusive coverage for material subservices. Losing those customers may shift it back toward carve-out.
The second trigger is a change in subservice posture. A subservice that produced its own SOC 2 may have let it lapse; a subservice that did not have one may have produced one. Carve-out viability depends on the subservice’s own audit posture.
The third trigger is a change in the subservice relationship. A vendor relationship may evolve into a partnership where inclusive cooperation becomes mutually beneficial; a partnership may revert to a vendor relationship where cooperation is harder to obtain. The relationship’s commercial nature drives the practical feasibility of inclusive coverage.
Frequently Asked Questions
Can I switch methods between audit cycles?
Yes. The method is chosen for each engagement and can change between cycles. The transition adds some complexity (mapping the prior cycle’s treatment to the new cycle) but is operationally straightforward when the decision is documented and the subservice cooperation is in place.
What if my subservice provider refuses inclusive cooperation?
Use the carve-out method. The inclusive method is not a customer right; it requires the subservice’s cooperation. A subservice that refuses cooperation is making a business decision; you must respect it and choose the method that works.
Does inclusive coverage of one subservice apply to all?
No. Each subservice is treated separately. A SOC 2 report can carve out one subservice and include another. The complexity of mixed treatment is real, but the practice is common when the subservices in the mix have different characteristics.
Does the audit firm prefer one method?
Audit firms generally prefer the method that aligns with the customer demand and the subservice cooperation reality. Firms will execute either method; the firm should not be the deciding factor.
How do customers prefer the report be delivered?
Most customers prefer compressed assurance: a single SOC 2 report covering the full service stack. That preference favors inclusive coverage. The preference is moderated by cost; customers do not bear your audit fee, and they will accept carve-out if the alternative is unaffordable.
What is the most common mistake in this decision?
Choosing inclusive without confirming subservice cooperation, then having to switch to carve-out partway through the engagement. The result is wasted audit time, delayed report delivery, and a customer-communication issue. Confirm cooperation in writing before committing to the inclusive method.
The verdict. The carve-out-versus-inclusive choice is one of the cleanest examples of a SOC 2 decision that hinges on commercial structure rather than technical posture. The four dimensions in the matrix produce the answer for most subservice relationships in five minutes of analysis. The four scenarios where inclusive earns its premium are the cases where the matrix produces a counterintuitive result; recognizing those scenarios is the difference between an audit fee well spent and an audit fee that produces a report no customer asked for. The contract language is the unglamorous part of the decision and the part that determines whether the decision is even available to make.