SSAE 16 Terminology

The carve-out method is often used when a service organization uses a subservice organization to manage part of the control environment applicable to the system under review. It is common for service organizations undergoing an SSAE 18 engagement to choose the carve-out method to exclude these subservice organizations and reduce the overall scope of their SSAE 18 or SOC 1 report.

The inclusive method is the opposite of the carve-out method: the service organization chooses to include the subservice organization's control environment within the scope of its own report. The inclusive method requires both the service organization and the subservice organization to participate in the SSAE 18 engagement. It is common for a service organization to use this method when its subservice organizations do not already have a report of their own.

Complementary user entity controls are a section of an SSAE 18 or SOC 1 report that informs the service organization's clients (user entities) and their auditors of the controls that user entities of the service organization's system should consider implementing in their own control environment. Sometimes it is not possible for a service organization to provide all the necessary controls, and management should evaluate user entity controls to ensure they are adequately covered in the user entity's own environment. For example, a service organization that hosts software might be responsible for the security of accounts on the operating systems and databases, while the user entity (client) of the system may be responsible for adding and removing users in the application.

Control objectives are the sets of risk that the organization should address when evaluating its system and its impact on user organizations. The control objectives for an SSAE 18 or SOC 1 report are defined by the service organization and should adequately cover its system description. The service auditor is responsible for reviewing the control objectives to ensure fair presentation of the system.

Controls at a service organization are the policies and procedures put in place that, collectively, should address the risks identified in the control objectives.

Controls at a subservice organization are the same kind of controls as those at a service organization, but are implemented and managed by the relevant third party.
