CSOCs

Complementary Subservice Organization Controls

Controls that a carved-out subservice organisation (for example, a hosting provider) is assumed to operate for the service organisation's control objectives to be met. Report readers verify they are covered — usually by obtaining the subservice organisation's own SOC report.

This definition is part of TCSA’s plain-English compliance glossary, written and reviewed by the auditors who prepare organizations for these frameworks — 500+ audits delivered across India, USA, UK, Australia & UAE.

Related SOC terms

AT-C Section 320

The section of the AICPA's clarified attestation standards (introduced by SSAE 18) under which every SOC 1 examination is performed. It prescribes what management's system description must contain, how control objectives are specified, and what the service auditor's opinion covers.

Bridge Letter

A short letter from a service organisation's management covering the gap between the end of its latest SOC report period and a customer's financial year-end, stating whether the described controls have materially changed. It is a management representation, not a CPA opinion, and is meant as a stop-gap until the next report.

Carve-out Method

One of two ways to treat subservice organisations (such as a cloud or data-centre provider) in a SOC 1 or SOC 2 report: their controls are excluded from the description and testing, and the report instead identifies the complementary subservice organization controls (CSOCs) being relied on. The alternative is the inclusive method.

CUECs

Controls that a SOC report assumes the customer (user entity) operates at its own end — for example, approving payroll input before submission or deactivating leavers' accounts promptly. If a user entity does not operate its CUECs, the report's assurance does not fully apply to it.

Inclusive Method

The alternative to the carve-out method: the subservice organisation's relevant controls are included in the service organisation's system description and tested by the service auditor. It gives report readers fuller coverage but is rarer in practice because it requires the subservice organisation's cooperation.

Qualified Opinion

An "except for" auditor's opinion on a SOC 1 or SOC 2 report: one or more criteria were not achieved, or material exceptions were found, but the problem is confined to specific areas rather than pervasive. The rest of the report still stands. Readers should identify exactly which criteria are qualified and whether they affect the service they consume.

Written By Expert Auditors

Surendra Pal Singh
Chief Information Security Officer & Data Protection Officer
CISO, DPO, CISA, MCSE, ITIL, ISO 27001 Lead Auditor, ISO 27701 Lead Auditor, ISO 42001 Lead Auditor

Saundhi Chauhan
Lead Auditor
ISO 27001 Lead Auditor, ISO 27701 Lead Auditor

Last reviewed: July 2026
Content verified by certified lead auditors
