17.4 Service Organization Exceptions and User Controls
Key Takeaways
- Complementary user entity controls (CUECs) are controls the service organization assumes user entities will implement for its controls to meet objectives or commitments.
- Complementary subservice organization controls (CSOCs) arise when a vendor is a subservice organization whose controls are needed for the service organization's commitments or objectives.
- The inclusive method includes a subservice organization's relevant controls in the SOC report; the carve-out method excludes them and only describes the services.
- Exceptions are evaluated by nature, cause, frequency, population, severity, and effect on the control objective or Trust Services Criteria point.
- A report reader should not treat management responses, compensating controls, or user controls as automatic fixes for exceptions.
User and Subservice Controls
SOC reports rarely describe a system that operates alone. A service organization may rely on customers to perform certain controls, and on vendors to deliver parts of the system. The ISC Blueprint specifically includes complementary user entity controls, complementary subservice organization controls, the inclusive and carve-out methods, and the reporting effect of exceptions.
Complementary user entity controls (CUECs) are controls the service organization assumes user entities will implement. They matter because the service organization's controls achieve the objective only if the user does its part. A payroll processor may authenticate files and process them accurately, but the user entity must authorize employees, review payroll registers, and restrict who can submit changes. If the user fails to perform its CUEC, the objective is not met even if the processor's controls work perfectly.
Complementary subservice organization controls (CSOCs) are controls expected at a subservice organization. A vendor becomes a subservice organization when its services are relevant to the service organization's system and to the control objective or service commitments. A cloud-infrastructure provider, data-center operator, payment gateway, or managed-security provider can be a subservice organization when its controls are necessary to the system being reported on.
Inclusive Versus Carve-Out
| Method | Treatment of the subservice organization | Reader implication |
|---|---|---|
| Inclusive | Includes the subservice organization's relevant controls and testing in the report | Coverage extends to those controls; independence and evidence must reach the subservice organization |
| Carve-out | Excludes those controls but describes the services performed | Reader may need a separate SOC report or other evidence for the carved-out vendor |
Neither method is automatically better. Inclusive reports give more complete coverage but require access, coordination, and independence over the subservice organization. Carve-out reports are far more common, but the user must judge whether the excluded services leave a gap in evidence.
Reading Exceptions
An exception is a deviation identified in testing. It does not automatically modify the opinion, but it must be evaluated against the control, test procedure, population, sample size, number of exceptions, period affected, cause, and management response. One missing approval in a low-risk sample of 60 has a very different effect from three failures of privileged-access review out of a sample of 5. Key questions:
- Is the exception a matter of design or of operating effectiveness?
- Does it affect a control objective, service commitment, system requirement, or Trust Services Criteria point?
- Is it isolated or systemic?
- Are compensating controls present, tested, and precise enough to address the risk?
- Must CUECs or CSOCs also operate before the user's residual risk is reduced?
Reporting Effects
A service auditor's opinion may be unmodified (clean) or modified. A control that was not suitably designed or did not operate effectively for one or more objectives or criteria can lead to a qualified opinion; pervasive failures can push toward an adverse opinion, and a scope restriction can produce a disclaimer. Management's response is useful context but is not the auditor's opinion, and it does not erase the exception.
CPA Use of the Report
A user auditor or vendor-risk reviewer maps report content to the user entity's own risk. For SOC 1, determine whether the control objectives relate to assertions in the financial-statement audit and whether the CUECs are actually implemented at the user entity; an unimplemented CUEC is a gap the user auditor must address with its own procedures. For SOC 2, check whether the selected Trust Services Criteria match the vendor risk, whether the report period covers the reliance period, and whether the noted exceptions touch the service commitments that matter to the user.
The disciplined exam answer always connects the exception to reliance, not to boilerplate language.
Worked Scenario: Evaluating an Exception
A SOC 2 Type 2 report for an identity-management vendor notes that, of a sample of 25 terminated employees, access was revoked timely for 23 but two accounts remained active for 11 and 14 days after termination. The control is logical-access removal, tied to the Common Criteria for access. Walk the evaluation: the deviation is operating effectiveness (the control was designed correctly but not performed for two items); it affects a security commitment; with two of 25 it may be more than isolated; and you would ask whether a compensating control, such as session monitoring or periodic access recertification, caught the orphaned accounts.
The user entity must then decide whether the gap affects its reliance, perhaps by performing its own access review of vendor-managed accounts. The exam reward is connecting the exception to the user's residual risk, not simply noting that an exception exists.
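The access review the scenario calls for can be automated at the user entity. The script below is an added example, not part of the study guide and not the vendor's own tooling: it reconciles a constructed HR termination list against a constructed export of vendor-managed accounts, flags every account that outlived the revocation threshold, and reports the exception rate the way the scenario counts it (two of 25). The field names, the one-day revocation threshold (`REVOCATION_SLA_DAYS`), and all dates are assumptions chosen for illustration; the real threshold comes from the service commitment stated in the report.

```python
"""Added example: a user entity's own access review of vendor-managed accounts.
Reconciles terminations against an account export and flags late or missing
revocations. All records are constructed; nothing here is real vendor data."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed policy: access must be disabled within this many days of termination.
# Hypothetical value; take the real figure from the service commitment.
REVOCATION_SLA_DAYS = 1


@dataclass
class TerminationRecord:
    user_id: str
    termination_date: date


@dataclass
class AccountRecord:
    user_id: str
    status: str                   # "active" or "disabled" (assumed export vocabulary)
    disabled_on: Optional[date]   # None when the account is still active


@dataclass
class Finding:
    user_id: str
    days_active_after_termination: int
    still_active: bool


def review_terminated_access(terminations, accounts, as_of, sla_days=REVOCATION_SLA_DAYS):
    """Return (findings, missing): one Finding per terminated user whose account
    stayed enabled longer than sla_days, plus the ids absent from the export.
    A still-active account is measured up to as_of, the review date."""
    by_user = {a.user_id: a for a in accounts}
    findings, missing = [], []
    for t in terminations:
        acct = by_user.get(t.user_id)
        if acct is None:
            missing.append(t.user_id)          # cannot evidence revocation at all
            continue
        if acct.status == "active" or acct.disabled_on is None:
            lag, still_active = (as_of - t.termination_date).days, True
        else:
            lag, still_active = (acct.disabled_on - t.termination_date).days, False
        if lag > sla_days:
            findings.append(Finding(t.user_id, lag, still_active))
    return findings, missing


def exception_rate(findings, sample_size):
    """Exceptions as a fraction of the sample, the figure a reviewer weighs
    against the control objective."""
    return len(findings) / sample_size


def build_constructed_sample():
    """Constructed data mirroring the scenario: 25 terminations, 23 disabled on
    the termination date, two disabled 11 and 14 days late."""
    start = date(2024, 3, 1)
    late = {"u07": 11, "u19": 14}
    terms, accts = [], []
    for i in range(1, 26):
        uid = f"u{i:02d}"
        tdate = start + timedelta(days=i)
        terms.append(TerminationRecord(uid, tdate))
        accts.append(AccountRecord(uid, "disabled", tdate + timedelta(days=late.get(uid, 0))))
    return terms, accts


if __name__ == "__main__":
    terms, accts = build_constructed_sample()
    findings, missing = review_terminated_access(terms, accts, as_of=date(2024, 4, 30))
    for f in findings:
        state = "STILL ACTIVE" if f.still_active else "disabled late"
        print(f"{f.user_id}: {f.days_active_after_termination} days after termination ({state})")
    print(f"missing from export: {missing}")
    print(f"exception rate: {exception_rate(findings, len(terms)):.0%}")
```

Accounts missing from the export are reported separately rather than silently passed, because absence of evidence is a different finding from a late revocation; a reviewer would raise it with the vendor before concluding on the control.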
Period and Reliance Mismatches
A frequent trap is a SOC 2 report whose coverage period ends months before the user's reliance period. A report covering January through June does not provide operating-effectiveness evidence for the following December. The user auditor must obtain a bridge letter (also called a gap letter) from management for the interim period or perform additional procedures. A bridge letter is management's representation, not the service auditor's opinion, so it carries less assurance and does not extend the auditor's testing.
Quick Reference: Who Performs the Control
| Term | Who performs it | Why it matters to the reader |
|---|---|---|
| CUEC | The user entity (customer) | Objective is not met unless the customer implements it |
| CSOC | A subservice organization (vendor) | Needed for the service organization's commitments |
| Carve-out vendor | Not tested in the report | Reader needs separate evidence for those controls |
| Inclusive vendor | Tested within the report | Coverage and independence extend to the vendor |
A SOC 1 report states that user entities must review exception reports generated by the service organization. What is this most likely describing?
A SOC 2 report uses the carve-out method for the cloud-infrastructure provider that hosts the system. What should a report user generally consider?