22.3 Service Organizations, SOC Reports, and CUECs

Key Takeaways

  • A SOC 1 report (issued under AT-C 320 / SSAE 18) addresses controls at a service organization that may affect a user entity's ICFR and is the relevant report for a financial statement audit.
  • A Type 1 report covers design and implementation at a point in time; a Type 2 report covers design and operating effectiveness over a stated period.
  • The user auditor evaluates report scope, period covered, control objectives, tests and exceptions, complementary user entity controls (CUECs), and subservice-organization treatment before relying on a SOC report.
  • CUECs are controls the service organization assumes the user entity will implement; if missing, related control objectives may not be achieved.
  • SOC 2 and SOC 3 address trust services criteria (security, availability, processing integrity, confidentiality, privacy) and are central to ISC, but they do not substitute for SOC 1 evidence in a financial statement audit.
Last updated: June 2026

Why Service Organizations Change the Audit

A service organization performs functions for a user entity. Payroll processors, cloud ERP hosts, claims administrators, benefit-plan recordkeepers, and payment processors are common examples. The user entity still owns its financial-reporting responsibilities, but some relevant controls now operate at the service organization, outside the auditor's direct line of sight. The user auditor therefore needs a way to understand those controls and decide whether to modify the nature, timing, and extent of audit procedures.

The 2026 AUD blueprint specifically includes the implications of an entity using a service organization, including the impact of a SOC 1 Type 2 report in a financial statement audit. ISC goes further, testing SOC engagement planning, management's assertion, the system description, CUECs, subservice organizations, trust services criteria, exceptions, and report modifications. The governing attestation standard for a SOC 1 engagement is AT-C section 320 under SSAE 18, which explicitly requires the service auditor to address CUECs.

SOC Report Map

| Report | Primary subject | Common users | Audit use |
|---|---|---|---|
| SOC 1 | Controls likely relevant to user entities' ICFR | User entities and user auditors | Supports financial statement audit planning and control reliance |
| SOC 2 | Controls relevant to security, availability, processing integrity, confidentiality, or privacy | Customers, partners, regulators, management | Useful for ISC and vendor risk; may not address financial-reporting objectives |
| SOC 3 | General-use report on trust services criteria | Broad public users | Less detailed; generally insufficient for control reliance in an audit |
| Type 1 | Design and implementation at a point in time | Users needing a snapshot | Provides no operating-effectiveness evidence over a period |
| Type 2 | Design and operating effectiveness over a period | Users needing performance evidence | Can support reliance if scope, timing, and controls align |

A SOC 1 Type 2 report is the high-value report for AUD. It helps the user auditor understand controls at the service organization, assess risk of material misstatement, and decide whether additional procedures are needed. Crucially, it never eliminates the user auditor's own responsibility to obtain sufficient appropriate audit evidence.

What the User Auditor Evaluates

Before relying on a SOC report, the user auditor evaluates:

  • The service auditor's competence and independence.
  • Whether the report covers the relevant service, system, location, and period.
  • Whether the control objectives and tested controls relate to the user entity's financial statement assertions.
  • Whether test results disclose exceptions and whether those exceptions matter.
  • Whether the report period leaves a gap before year-end requiring bridge procedures (a bridge or gap letter is not audit evidence and is generally insufficient on its own).
  • Whether subservice organizations are handled with the inclusive or carve-out method.
  • Whether the user entity implemented the necessary complementary user entity controls (CUECs).

A complementary user entity control (CUEC) is a control the service organization assumes the user entity will perform. A payroll processor may calculate payroll accurately only if the user entity approves master-file changes and reviews the payroll register before release. If the user entity does not perform those CUECs, the SOC report's conclusions may not support the audit assertion.

CUECs and Subservice Organizations

CUECs are not optional footnotes; they are part of the control story. In a simulation, match each CUEC to a user-entity control and decide whether it was designed and operating. If a CUEC is missing, the auditor may need additional testing or may be unable to rely on the related control objective.

Subservice organizations add a layer. Under the inclusive method, the subservice organization's controls are described in the system description and tested by the service auditor. Under the carve-out method, they are excluded, and the report identifies complementary subservice organization controls that must be considered separately.

Exam Decision Rule

For a payroll processor affecting wage expense and payroll liabilities, SOC 1 Type 2 evidence is directly relevant. For a SaaS vendor's security program, SOC 2 may matter greatly for ISC trust services criteria yet say nothing about payroll completeness or accrued wages. The correct CPA answer asks four things: what does the service organization do, which report covers it, does the report period fit the audit period, and are the CUECs actually in place at the user entity.

When a SOC Report Is Not Enough

A SOC report is one input, not a substitute for the user auditor's judgment. Several situations force additional work even when a clean SOC 1 Type 2 exists. If the report period ends before the user entity's year-end, the auditor must perform procedures over the gap, such as inquiring about changes, obtaining a bridge letter as a starting point only, or testing user-entity controls that capture the same risk. If the report contains exceptions in tested controls, the auditor evaluates whether those exceptions affect assertions material to the user entity and whether the user entity's own controls compensate.

| User-auditor concern | Trigger in the SOC report | Required response |
|---|---|---|
| Period gap | Report period ends months before year-end | Bridge procedures or test user controls |
| Exceptions noted | Service auditor lists control failures | Assess effect on relevant assertions |
| Carve-out subservice org | Key processing outsourced again | Consider subservice report or other evidence |
| Missing CUEC | User entity did not perform expected control | Cannot rely on related objective without other evidence |

Finally, the service auditor is not a substitute for the user auditor. The user auditor remains solely responsible for the audit opinion and may not reference the service auditor in an unmodified report. If the user auditor cannot obtain sufficient appropriate evidence about controls at the service organization, that may constitute a scope limitation affecting the financial statement opinion. Candidates should treat the SOC report as evidence to be evaluated for relevance, period, scope, exceptions, and CUEC dependencies, never as an automatic green light for reliance.
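As an added illustration (example code written for this page, not from the page itself or any AICPA standard), the reliance checks in the table above, together with the CUEC matching described under "CUECs and Subservice Organizations", encoded as a small Python decision routine; the SocReport and ControlObjective structures, the CUEC identifiers and the payroll scenario are constructed for this example.

```python
from dataclasses import dataclass
from datetime import date
# Constructed model of a SOC 1 report; names are this example's own, not a real format.
@dataclass
class ControlObjective:
    name: str
    cuecs: tuple = ()          # CUEC ids the service organization assumes are in place
    exceptions: int = 0        # deviations the service auditor reported in testing
    carved_out: bool = False   # key processing sits at a carved-out subservice org

@dataclass
class SocReport:
    report_type: str           # e.g. "SOC 1 Type 2", "SOC 1 Type 1", "SOC 2 Type 2"
    period_end: date
    objectives: list

def evaluate_reliance(report, year_end, cuecs_operating):
    """Map each objective to (status, reasons): "rely", "more work" or "cannot rely"."""
    common = []
    wrong_report = report.report_type != "SOC 1 Type 2"
    if wrong_report:
        common.append("not a SOC 1 Type 2: no ICFR operating-effectiveness evidence")
    gap_days = (year_end - report.period_end).days
    if gap_days > 0:
        common.append(f"{gap_days}-day gap to year-end: perform bridge procedures")
    results = {}
    for obj in report.objectives:
        reasons = list(common)
        missing = [c for c in obj.cuecs if not cuecs_operating.get(c, False)]
        if missing:
            reasons.append("CUEC not operating at user entity: " + ", ".join(missing))
        if obj.exceptions:
            reasons.append(f"{obj.exceptions} exception(s) noted: assess effect on assertions")
        if obj.carved_out:
            reasons.append("carved-out subservice org: obtain its report or other evidence")
        if wrong_report or missing:
            status = "cannot rely"   # no other evidence supports the objective
        elif reasons:
            status = "more work"     # reliance possible after additional procedures
        else:
            status = "rely"
        results[obj.name] = (status, reasons)
    return results

def payroll_example():
    # Constructed scenario: period ends 30 Sep, year-end 31 Dec; CUEC-1 = approve
    # master-file changes (operating), CUEC-2 = review payroll register (lapsed).
    report = SocReport("SOC 1 Type 2", date(2025, 9, 30), [
        ControlObjective("Payroll calculated accurately", cuecs=("CUEC-1", "CUEC-2")),
        ControlObjective("Payroll disbursed to valid employees", carved_out=True)])
    return evaluate_reliance(report, date(2025, 12, 31), {"CUEC-1": True, "CUEC-2": False})
```

Running `payroll_example()` shows the accuracy objective cannot be relied on because CUEC-2 lapsed, while the disbursement objective needs bridge procedures and subservice evidence before reliance.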

Test Your Knowledge

A company outsources payroll processing, and payroll expense is material. Which report is most directly relevant to the financial statement auditor's evaluation of controls at the payroll service organization?

Test Your Knowledge

A SOC 1 Type 2 report for a claims processor assumes the user entity reviews and approves all claim master-file changes. The user entity stopped performing that review six months ago. What is the best audit implication?
