# SOC 2 With Overseas Development Teams: Three Ways to Structure the Audit

Inclusive scope, carve-out subservice, or separate-entity audit: the three structural choices for SOC 2 with overseas dev teams, when each works and the buyer-acceptance reality of each.

By Hemant Attri, Founder, Attri Edge · June 13, 2026 · Updated June 13, 2026

“SOC 2 for US SaaS company with overseas development team, how did you structure the audit?” It’s one of the most-asked questions in founder communities, and it doesn’t have a one-size answer. There are three structures; the right one depends on whether the overseas team is yours or a vendor’s.

## Why this question doesn’t have a one-size answer

The structure hinges on a single fact: is the overseas team part of your organization (a wholly-owned subsidiary, your employees, your contractors) or a genuinely independent third party? Wholly-owned teams belong in scope; independent vendors are subservice organizations. Most US SaaS overseas teams are the former.

## Structure 1: Inclusive scope (the default)

The overseas team’s controls are tested as part of your audited entity. The US legal entity is the named service organization; the offshore team is in scope under it. Roughly 85%+ of US SaaS with overseas teams should use inclusive scope. Buyer rejection rates are low because the report proves offshore controls were actually tested.

## Structure 2: Carve-out subservice (when and why)

Carve-out describes the offshore unit as a subservice organization and lists only the controls you maintain over it; its own controls are assured separately by the customer. This is appropriate for a true third-party vendor, not for a wholly-owned subsidiary, where it’s rarely appropriate. Buyer rejection rates are medium-to-high, because buyers read a carved-out subsidiary as a gap.

## Structure 3: Separate entity audit (rare, specific)

A separate audit of the overseas entity only works when that entity provides a genuinely independent service to distinct customers. For the standard US-HQ-with-offshore-engineering pattern it’s the wrong tool, and buyer rejection rates are high because the contracting entity isn’t the audited one.

## What enterprise buyers will actually accept

Buyers want the audited entity to match the contracting entity and the offshore controls to have been tested. Ranked by acceptance: inclusive (low rejection), carve-out (medium-high), separate-entity (high). The structural deep dive for India teams specifically is in the SOC 2 cornerstone.

## How to decide for your specific situation

Ask three questions:

- Who signs customer contracts?
- Who owns the code and data?
- Is the offshore team wholly owned?

If the US entity contracts and owns IP and the offshore team is yours, choose inclusive scope and move on. The GCC compliance encyclopedia covers the operating model around it.

## Where Attri Edge fits

The diagnostic confirms the right audit structure before you spend money on an engagement, the single most expensive decision to get wrong. $999, 48-hour deliverable.

Related reading:

- The Complete Guide to SOC 2 for US SaaS With India Teams
- The GCC Compliance Encyclopedia

## Frequently asked questions

### What's the difference between inclusive and carve-out?

Inclusive scope tests the overseas team's controls directly as part of your audited entity. Carve-out treats them as a separate subservice organization whose controls the customer is expected to assure separately. For a wholly-owned subsidiary, inclusive is almost always the right answer.

### Can we mix structures (some controls inclusive, some carve-out)?

In narrow cases, yes: for example, inclusive for your own engineers and carve-out for a genuinely third-party managed-infrastructure vendor. But mixing to scope out your own subsidiary's controls invites auditor scrutiny and buyer rejection.

### How do we present the structure to buyers?

State plainly that the US entity is the service organization and the overseas team is in inclusive scope. Buyers want to hear that offshore controls were tested, not excluded. Inclusive scope is the answer that survives vendor-risk review.

### What happens if we change structure between audits?

It's allowed but creates a discontinuity buyers notice. Moving from carve-out to inclusive is usually a strengthening (good); the reverse reads as scoping out risk (bad). Plan the structure once, up front.

### Does the structure affect audit cost?

Yes. Inclusive scope costs more because the auditor tests overseas controls; carve-out costs less but produces a weaker report. The savings from carve-out are usually erased by lost deals, so the cost comparison favors inclusive for revenue.

## Talk to the operator

This article is one slice of the work Attri Edge does for US SaaS companies with India GCCs. If your situation needs the full operational layer, start with a 90-minute diagnostic.
