SOC 2 Academy: Identifying Vendors as Carve-Out or Inclusive

Author: kirkpatrickprice00

Third-party vendors often play critical roles in helping businesses perform their day-to-day operations, but they can also pose major risks to an organization's security posture. When pursuing SOC 2 compliance, then, third-party vendors must not be an afterthought. Why? Because service organizations are responsible for keeping their customers' data secure, and if they do not perform due diligence to ensure that the third parties they rely on are also doing their part to keep that data safe, the consequences can be serious: financial, reputational, and operational.

During a SOC 2 audit, an organization must identify each vendor that supports its in-scope services (a subservice organization, in SOC 2 terms) as either carve-out or inclusive. If an organization wants to show that it is dedicated to verifying that the third parties it uses are secure, identifying that vendor as inclusive is the strongest option. Under the inclusive method, the vendor's relevant controls are included in the organization's system description and the audit firm assesses those controls as part of the organization's own audit. Other organizations may instead identify a vendor as carve-out, which excludes the vendor's controls from the scope of the audit. This can mean one of two things. First, it can mean that the vendor has already undergone an independent attestation and can provide its own audit report over its internal controls for review. Second, it can mean that the organization has chosen not to have the vendor's controls validated and is not independently verifying that the vendor does what it says it will do. Note that carving a vendor out does not remove the organization's responsibility for it: the system description must still identify the services the vendor performs and the controls the vendor is expected to operate, and the organization must still demonstrate how it monitors that vendor, for example by reviewing the vendor's audit reports and managing the relationship under its vendor management program.

About Us
KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to clients in more than 48 states, Canada, Asia, and Europe. The firm has over 13 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, PCI DSS, HIPAA, HITRUST CSF, GDPR, ISO 27001, FISMA, and CFPB frameworks.

Contact us today: 800-770-2701