Businesses increasingly rely on third-party service organizations to handle critical operations. For these service organizations (such as SaaS providers), demonstrating robust internal controls through a SOC 2 report is paramount for building trust with their clients, known as “user entities”. But what happens when a service organization itself relies on other third parties to deliver its services?
This is where Complementary Subservice Organization Controls (CSOCs) come into play, and understanding how they are addressed in a SOC 2 audit can significantly impact the transparency and assurance provided by the report.
We recently had an interesting discussion with a SaaS prospect for our managed SOC 2 compliance service about what the scope should be for some controls that were implemented by another organization. That conversation served as a great reminder of how important it is to understand Complementary Subservice Organization Controls (CSOCs) and why the Inclusive Method sometimes makes sense. This blog is a quick refresher on what CSOCs are, how they function, and what their inclusion in a SOC 2 audit really means for both service organizations and their customers.
What Are CSOCs?
CSOCs are a crucial part of SOC 2 reporting, highlighting the interdependent nature of modern service delivery. They refer to controls at a subservice organization that the primary service organization’s management presumes will be implemented and operated effectively.
These controls are vital because they are considered necessary—either alone or combined with controls at the primary service organization—to provide reasonable assurance that the service commitments and system requirements are met, based on the Trust Services Criteria (TSCs).
For example, if a service organization relies on a cloud hosting provider, that provider’s physical security controls (such as access to servers) may be a CSOC critical to fulfilling security requirements.
CSOCs and the Inclusive Method
When a service organization chooses to have CSOCs included in the audit, it’s using the inclusive method. This approach offers a deeper level of assurance by directly addressing the controls of subservice organizations in the SOC 2 report.
Here’s what inclusion via the inclusive method entails:
- Expanded Scope and System Description
  - The system description includes:
    - The subservice organization’s infrastructure, software, people, processes, and data relevant to the primary service.
    - Details on services provided by the subservice organization and how its controls meet the TSCs.
- Direct Testing by the Service Auditor
  - The service auditor directly tests the CSOCs.
  - The report confirms that these controls were “included in service auditor’s procedures.”
  - This differs from the carve-out method, where subservice controls are not directly tested.
- Subservice Organization’s Formal Involvement
  - The subservice organization must provide an assertion and a representation letter tailored to its controls.
  - This ensures accountability for the controls included in the SOC 2 report.
- Comprehensive Reporting
  - CSOCs must be disclosed in the system description if applicable.
  - Management’s written assertion will reference CSOCs.
  - The auditor’s report will mention CSOCs (and potentially CUECs—Complementary User Entity Controls).
Why This Matters for User Entities (aka Clients)
For user entities outsourcing critical functions, understanding how CSOCs are handled in a SOC 2 report is essential for effective risk assessment and due diligence.
Inclusion of CSOCs via the inclusive method:
- Provides direct assurance over controls at key third-party providers.
- Reduces the need to separately audit those subservice organizations.
- Simplifies your vendor risk management and compliance oversight.
In summary, the inclusion of CSOCs in a SOC 2 audit strengthens the reliability of the report, giving user entities greater confidence in the service organization’s control environment and its extended ecosystem of service providers.
Let’s talk! Schedule a free SOC 2 consultation to see how we can help you achieve and maintain SOC 2 compliance effortlessly.