History

There are 2 versions of this glossary term.

2. Carve-Out Method

In relation to SOC reporting, the carve-out method is used when controls at the vendor’s vendor (fourth party) have been excluded from the SOC audit. It’s appropriate for a vendor to use the carve-out method for supporting services provided to the vendor that are required for normal operations. The third party vendor should provide documentation supporting their own due diligence and vendor management practices. Note: It’s still always encouraged to review your fourth-party vendors regardless if the carve-out method is used or not.

Revised By: Venminder Inc Revised On: May 13, 2020 9:06 AM

Characters Edited: 0 Total: 537

1. Carve-Out Method

In relation to SOC reporting, the carve-out method is used when controls at the vendor’s vendor (fourth party) have been excluded from the SOC audit. It’s appropriate for a vendor to use the carve-out method for supporting services provided to the vendor that are required for normal operations. The third party vendor should provide documentation supporting their own due diligence and vendor management practices. Note: It’s still always encouraged to review your fourth party vendors regardless if the carve-out method is used or not.

Revised By: Venminder Inc Revised On: Aug 13, 2019 2:30 PM

Characters Edited: 0 Total: 537