The SSAE 16 inclusive method, according to the AICPA publication, "SSAE 16 - Reporting on Controls at a Service Organization" (April, 2010) is the following:
The method of addressing the services provided by a subservice organization whereby management's description of the service organization's "system" includes an actual description of the nature of the services provided by the subservice organization, along with the relevant control objectives and related controls of the subservice organization itself.
As CPA's, we've been told that the inclusive method is generally feasible and proper to use if the service organization and the subservice organization are actually related. The term "related" can mean many things, thus it's important to gain a strong understanding of what the actual subservice organization is doing for the service organization - that is - what services are they performing. And remember that if the service auditor (i.e., the CPA performing the actual SSAE 16 engagement) is unable to obtain an actual written statement of "assertion" from the subservice organization, then the inclusive method cannot be used, and must instead opt for the "carve-out" method. The carve-out method is where management's description of its "system" discusses the nature of the services performed by the actual subservice organization, but does NOT include the subservice organization's relevant control objectives and the related controls.
Quite a bit to take in, isn't it? That's why you need to confer with a well-qualified CPA firm who has years of experience in performing these types of engagements. They'll essentially be able to assist you regarding the use of the "inclusive" or "carve-out" method for purposes of subservice organization reporting.
Regardless if it's the SSAE 16 inclusive method or the SSAE 16 carve-out method that is utilized, what's fundamentally important to understand is that there's now a greater emphasis placed on subservice organizations. After all, many entities outsources to other entities to perform a certain task or function, so shouldn't these organizations have to undergo certain test procedures or validation requirements - of course they should. Often times in the world of SSAE 16 you'll find that these subservice organizations may have already gone through an SSAE 16 Type 1 or Type 2 assessment process, because these actual organizations may consider themselves an actual service organization for somebody else, and "just" a subservice organization for purposes of your SSAE 16 inclusive method reporting.
Learn more about SSAE 16 at the official SSAE 16 Resource Guide, developed by NDB Accountants & consultants. Additionally, other topics of notable interest relating to the SSAE 16 inclusive method and SSAE 16 reporting include the following:
Need assistance with SSAE 16 Type 1 or Type 2 compliance? Then contact NDB today for a competitive, fixed fee for all your SSAE 16 reporting needs. Contact Christopher G. Nickell, at 1-800-277-5415, ext. 706 or email him directly at firstname.lastname@example.org. Learn more about NDB's complimentary SOC 1 Policy Packets and SOC 2 Policy Packets. They truly make a big difference in helping service organizations save thousands of dollars on SOC compliance.