This method is most common in SOC reporting and means that the subservice organization’s controls are NOT included in the scope of the SOC report. The subservice organization’s controls have been carved out and aren’t applicable. When a vendor uses this method, it should provide its own due diligence and vendor management documentation. If the method is used for a critical subservice organization, it’s recommended to review your fourth party’s SOC report during your due diligence review.
Note: Reviewing your critical fourth parties is always encouraged, whether or not the carve-out method is used.