Auditing Basics: Carve-Out vs. Inclusive Vendors

Author: kirkpatrickprice00

Description: Learn more at

When an organization opts to use the inclusive method for its third-party vendors, this means that it will be including them in the scope of the audit. This also implies that the third party has not had an audit of its controls performed, and the organization being audited wants to make sure that the third-party vendors it has partnered with are doing what they say they're doing to protect its sensitive assets. When using the inclusive method, auditors will perform a site visit, test personnel, interview them, and collect evidence on their controls.

On the other hand, when an organization opts to carve out its third-party vendors, this means that they will not be included in the audit, and your audit firm will not issue an opinion on any controls they have in place that you rely upon to deliver your services. Typically, this implies that the third-party vendor has its own audit report to provide to your audit firm for review and no further action is required on their behalf.

About Us
KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to clients in more than 48 states, Canada, Asia, and Europe. The firm has over 13 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, PCI DSS, HIPAA, HITRUST CSF, GDPR, ISO 27001, FISMA, and CFPB frameworks.

Contact us today: 800-770-2701