A service organization uses a subservice organization for data center hosting. The service organization's auditor decides to use the 'Carve-Out' method. What does this mean for the report?

Answer options:

The subservice organization's controls are tested by the service auditor.

The subservice organization's controls are excluded from the scope of the service auditor's testing and opinion.

The service organization takes full responsibility for the subservice organization's controls.

The report cannot be issued.

How to approach this question

Carve-Out = Cut out / Exclude.

Full Answer

B.The subservice organization's controls are excluded from the scope of the service auditor's testing and opinion.✓ Correct

The subservice organization's controls are excluded from the scope of the service auditor's testing and opinion.

In the Carve-Out method, the subservice organization's controls are identified but not tested by the service auditor. The user entity typically relies on the subservice organization's own SOC report.

Common mistakes

Confusing Carve-Out with Inclusive.

Question 67 All questions Question 69

Practice the full CPA ISC Practice Exam 5

82 questions · hints · full answers · grading

More questions from this exam

Q01A service organization provides a cloud-based payroll processing application to its user entities...Medium Q02An auditor is reviewing the shared responsibility model for a client using an Infrastructure as a...Hard Q03A financial institution requires a cloud deployment model that offers the highest level of contro...Medium Q04During an IT audit, you observe that a company uses a 'Hybrid Cloud' architecture. Which scenario...Medium Q05Which component of IT architecture is primarily responsible for translating domain names (like ww...Easy

View all 82 questions →