A service organization uses the 'Carve-out' method for a subservice organization that provides data center hosting. In the SOC 2® report, how are the controls of the data center presented?

Answer options:

They are fully described and tested by the service auditor.

They are excluded from the description and testing, but the nature of the services provided is described.

The service auditor issues a disclaimer of opinion regarding the data center.

Management asserts that the data center controls are effective without testing.

How to approach this question

Understand 'Carve-out' vs 'Inclusive'. Carve-out = 'Not my problem, go look at their report'. Inclusive = 'I am taking responsibility for them'.

Full Answer

B.They are excluded from the description and testing, but the nature of the services provided is described.✓ Correct

The carve-out method excludes the subservice organization's controls from the scope of the service auditor's testing. The system description identifies the services provided but does not include their specific controls.

Common mistakes

Confusing Carve-out with Inclusive method.

Question 14 All questions Question 16

Practice the full CPA ISC Practice Exam 4

82 questions · hints · full answers · grading

More questions from this exam

Q01A CPA is advising a client who is migrating their legacy on-premise ERP system to a cloud environ...Hard Q02An auditor is reviewing the Service Level Agreement (SLA) for a client using a public cloud provi...Hard Q03A company uses an Infrastructure as a Service (IaaS) model. During an IT audit, the auditor disco...Hard Q04An organization is implementing the COSO Enterprise Risk Management (ERM) framework to govern its...Hard Q05During a walkthrough of an order-to-cash process, the auditor observes that the sales manager can...Hard

View all 82 questions →