CSOCs and CUECs in a SOC Report

Generally, SOC 1 and SOC 2 reports include a description of complementary subservice organization controls (CSOCs) and complementary user entity controls (CUECs), which are defined as follows in the AICPA SOC 2 Audit Guide:

  • CSOCs: Controls that service organization management assumed, in the design of the service organization’s system, would be implemented by the subservice organization and that are necessary, in combination with controls at the service organization, to provide reasonable assurance that the service organization’s service commitments and system requirements are achieved.
  • CUECs: Controls that service organization management assumed, in the design of the service organization’s system, would be implemented by user entities and that are necessary, in combination with controls at the service organization, to provide reasonable assurance that the service organization’s service commitments and system requirements would be achieved.

The definitions of CSOCs and CUECs for purposes of SOC 1 reports are essentially the same as above, but they refer to control objectives rather than to service commitments and system requirements.  Management of the service organization is responsible for identifying and describing CSOCs and CUECs in its system description.  The specific requirements are set forth in Description Criteria (DC) 6 (CUECs) and 7 (CSOCs).  The purpose of this paper is to describe the auditor’s responsibility with regard to CSOCs and CUECs.

Sometimes service organizations outsource controls to their parent company or to another affiliated entity within the same corporate group. In this case, the CSOCs are referred to as Complementary Corporate-Level Controls, or CCLCs. For purposes of this guidance, there is no difference between CSOCs and CCLCs: the auditor’s responsibilities described below apply equally to both.

Auditor’s responsibility for CSOCs

When the service organization uses the carve-out method for the services and controls of a subservice organization, the auditor should evaluate the design of the CSOCs to determine whether they are sufficient to address the applicable trust services criteria.  For example, if the service organization is responsible for developing, testing, and approving program changes but has outsourced the actual implementation of the changes to a carved-out subservice organization, controls at the subservice organization would be necessary to achieve the service organization’s service commitments and system requirements based on trust services criterion CC8.1, “The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.” Where CSOCs exist, the auditor considers whether the CSOCs and the service organization’s own controls, taken together, are suitably designed to provide reasonable assurance that the service commitments and system requirements would be achieved based on the applicable trust services criteria, assuming those controls operated effectively.  The evaluation of the design of CSOCs should generally occur in the planning phase of a SOC engagement, once the system description has been prepared or updated by the service organization and before fieldwork begins.

Although a subservice organization may perform certain functions for a service organization, management of the service organization remains responsible to its user entities for performing the services it has agreed to provide, including the outsourced functions. As a result, management is responsible for performing monitoring activities over the subservice organization, and management should include in its system description the controls used to monitor the effectiveness of controls at the subservice organization.

The most common way that service organization management can monitor the controls of the subservice organization is by obtaining a SOC 2 report from the subservice organization. Other reports that could be obtained include SOC 1, C5, CSA STAR, ISO or PCI DSS reports, provided they cover the controls that have been outsourced to the subservice organization. When management has obtained such a report, management’s monitoring procedures should adequately address any description misstatements or deviations identified in the subservice organization’s type 2 report. For example, if the service organization has obtained a type 2 report from the subservice organization, such monitoring procedures should include a review of the report to assess (a) the relevance of the system description and CSOCs to the service organization’s system, (b) any deviations requiring further evaluation and response by service organization management, and (c) the period of coverage of the subservice organization’s type 2 report relative to the period covered by the current examination.  The auditor evaluates and tests these monitoring controls when testing trust services criterion CC9.2, “The entity assesses and manages risks associated with vendors and business partners.”

If the subservice organization’s type 1 or type 2 SOC report identifies the need for CUECs at the service organization, the service organization’s system description should describe the processes and controls the service organization has implemented to address the CUECs identified in the subservice organization’s description of its system.

The service auditor should obtain and read the SOC report of the carved-out subservice organization and perform the following steps:

  1. Compare the CSOCs described by the service organization in its system description to the controls that have been implemented by the carved-out subservice organization.  The control language does not need to match exactly, but there should be consistency between the CSOCs and the types of controls implemented by the subservice organization.
  2. Evaluate any exceptions identified in the subservice organization’s SOC report and determine whether they affect the service organization’s ability to achieve its service commitments and system requirements.
  3. Evaluate the period covered by the subservice organization’s SOC report.  Ideally it will align with, or include most of, the examination period.  The best practice is for the subservice organization’s SOC report to cover at least 9 months of a 12-month examination period; coverage should generally not be less than 70% of the examination period.  This is sometimes not possible, so judgment must be applied to determine whether the coverage is adequate.  If the subservice organization’s SOC report does not cover any part of the examination period, it is generally not relevant or useful.
  4. Pay particular attention to the CUECs identified in the subservice organization’s SOC report and determine whether the service organization has adequately addressed any applicable CUECs.  This helps the service auditor evaluate whether controls at the service organization are suitably designed.  It also assists the service auditor in identifying any CUECs in the subservice organization’s SOC report that are actually the responsibility of the service organization’s user entities and that should therefore be included in the service organization’s own description of its CUECs.

If service organization management does not obtain a type 2 report from a subservice organization, its monitoring of the subservice organization may instead include tests performed at the subservice organization through the exercise of a right-to-audit clause. In such situations, management generally identifies that testing as a control in the description. In any event, the service auditor should obtain sufficient appropriate evidence regarding the description of the CSOCs and management’s monitoring activities over the subservice organization.

Auditor’s responsibility for CUECs

With regard to CUECs, the service auditor should evaluate whether the CUECs described in the system description are complete, accurately described, and necessary, in combination with the service organization’s controls, to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved based on the applicable trust services criteria.  The service auditor should perform the following steps to evaluate the described CUECs and to identify any additional CUECs that may be missing from the system description:

  1. Inquire of management about whether there are any controls that user entities are expected to perform with regard to the system being audited.
  2. Review any available system documentation to identify user entity controls that are expected to be in place.
  3. Review customer contracts and service agreements for instances where the service organization has communicated to customers that certain control activities on their side are necessary.

There is a distinction between CUECs and user entity responsibilities, which is described in DC 6.  The main difference is that CUECs are necessary, in combination with the service organization’s controls, to achieve the service organization’s service commitments and system requirements, whereas user entity responsibilities are activities user entities are expected to perform that are not necessary for that purpose.  Management is therefore not required to disclose user entity responsibilities in the same detailed manner as CUECs.

Conclusion

The auditor’s responsibility for CSOCs and CUECs can be summarized as follows: service auditors should evaluate management’s disclosure of CSOCs and CUECs to determine whether they have effectively addressed the requirements set forth in DC 6 and DC 7.
