Understanding Key SOC Report Terms – The Easy Way!

If you've ever glanced at a SOC report (System and Organization Controls report), you might've felt like you were reading a different language. Between all the acronyms and technical phrases, it’s easy to get lost. But don’t worry—we’ve got you covered.
Here’s a simple breakdown of six common terms you’ll see in SOC reports—complete with real-life examples to help it all make sense.
🧩 1. What are CUECs? (Complementary User Entity Controls)
🔍 Break it down:
User Entity = You (the company using a service)
Service Provider = The company offering the service (like software, cloud storage, etc.)
So, CUECs are things you (the user) are expected to do to make sure the overall system works securely and properly. These are not controlled by the service provider, but they’re essential to the success of the system.
🏠 Real-World Analogy: Renting an Apartment
Let’s say you rent an apartment in a secure building.
The building owner (the service provider) installs cameras, alarm systems, and has a guard at the entrance.
But you (the user entity) still have to:
Lock your apartment door.
Not share your key with strangers.
Report suspicious activity.
If you don’t do your part—even though the building has great security—it could still be unsafe.
That’s what CUECs are: the "lock your door" part of the shared responsibility.
Think of it like:
A bank gives you a secure locker, but it’s your job to keep the key safe. If you lose the key, that’s not the bank’s fault.
🛡️ 2. CSOC – Carve-Out Service Organization Controls
What it means:
This term usually refers to controls that are part of a "carved out" section in the report—more on that in the next section. Essentially, it refers to controls performed by another company or sub-service provider that aren't fully included in the SOC report.
Why it matters:
If your service provider depends on another vendor (like a cloud hosting service), and the provider excludes that vendor’s controls from its SOC report, those excluded controls are considered CSOCs.
Example:
Your email software provider uses AWS to host its platform. If AWS’s controls aren't included in the email provider’s SOC report, then those are CSOCs.
✂️ 3. Carve-Out
What it means:
A carve-out approach is one in which a company does not include a third-party vendor’s controls in the scope of its SOC audit.
Example Story:
Imagine you hire a caterer for your event. They serve amazing food, but they use a third-party bakery for the dessert. If the caterer tells you, “I’m only responsible for the food, not the desserts,” that’s a carve-out.
In SOC terms:
The service provider is saying, “We rely on this third party, but their controls aren’t covered in our SOC report.”
🧵 4. Carve-In
What it means:
In contrast, a carve-in approach means the company includes the third-party vendor’s controls in their audit.
Same Story, Different Ending:
Your caterer says, “Don’t worry, we also manage the bakery—we’ll make sure the desserts are perfect too.” That’s a carve-in.
Why it's helpful:
It gives you more complete assurance because the third-party controls are also evaluated.
🔁 5. Bridge Letter
What it means:
A bridge letter (or gap letter) is a document that fills the time gap between the last SOC report and the current date.
Why it’s needed:
SOC reports usually cover a specific time period. If you're reviewing the report but it ended a few months ago, the service provider sends a bridge letter saying, “Nothing has changed since the last report.”
Example:
The SOC report covers Jan–Dec 2024, but you’re reviewing it in March 2025. The provider sends a bridge letter saying, “From Jan–March 2025, our controls are still in place.”
🧾 6. Management Assertion
What it means:
This is a statement made by the company’s management saying:
“We’ve designed and followed these controls properly, and here’s the proof.”
Why it matters:
It’s the company taking official responsibility for its internal controls before the auditor checks them.
Quick Analogy:
It’s like a student saying, “I did my homework,” before the teacher reviews it.
In Practice:
The auditor uses this assertion as the starting point of their review. If something in the report doesn’t match the assertion, that’s a red flag.
🎯 Final Thoughts
SOC reports can seem overwhelming, but once you break down the terms, it all starts to make sense. Think of it like learning the rules of a new board game: it seems complex at first, but after a few rounds, you’re a pro.
Next time you read a SOC report, you’ll know exactly what a bridge letter means, what’s being carved out (or in), and how your own responsibilities fit into the picture.
Written by Jay Tillu
Hello! I'm Jay Tillu, an Information Security Engineer at Simple2Call. I have expertise in security frameworks and compliance, including NIST, ISO 27001, and ISO 27701. My specialities include Vulnerability Management, Threat Analysis, and Incident Response. I have also earned certifications in Google Cybersecurity and Microsoft Azure. I’m always eager to connect and discuss cybersecurity—let's get in touch!