Sub-service organisations and the carve-out trap.
When inclusive coverage costs you, when carve-out is honest, and how auditors will judge either choice.

This briefing frames the decision for executive sponsors of SOC 2 programmes: what is changing, what to do about it in the next two quarters, and what can be deferred without regulatory or commercial consequence. The audience is the person who signs the budget, not the person who runs the day-to-day.
Definition
SOC 2 TSC criterion CC9.2 requires organisations to assess and monitor third-party vendors (sub-service organisations) that perform functions covered by the system description. Organisations must choose between the carve-out method (excluding sub-service org controls from the report) and the inclusive method (including them); this choice affects report scope, audit complexity and what user entities can rely upon.
Why it matters
The pressure on SOC 2 programmes is shifting in specific, observable ways:
- BFSI enterprise customers (banks, insurers) contractually require inclusive-method SOC 2 reports for critical sub-service providers (cloud infrastructure, payment processors) — a carve-out report for AWS-hosted services is rejected by their vendor management teams.
- Inclusive method for major IaaS providers (AWS, Azure, GCP) is operationally impractical — auditors accept complementary user entity controls (CUECs) and AWS SOC 2 report reliance as the standard approach, but this must be explicitly documented in Section 3.
- SAMA CSF 3.3.5 requires documented assurance on sub-service organisations — the SOC 2 CC9.2 sub-service organisation management section is directly cited by SAMA examiners as satisfying this requirement.
- A carve-out that improperly excludes a material service provider (e.g. the payment processing sub-processor handling 60% of transaction volume) creates a qualification in the CPA opinion and triggers enterprise customer security review escalations.
Evidence sources to capture
What an auditor or reviewer will sample for — wire each source into your evidence repository before the next review cycle:
- Sub-service organisation register — listing all vendors performing in-scope functions, their method (carve-out/inclusive), their own SOC 2 report availability, and last review date
- CUECs register — for each carve-out sub-service org, a documented list of Complementary User Entity Controls implemented by the organisation to address the gap (CC9.2 requirement)
- AWS / Azure / GCP SOC 2 Type II reports — downloaded from AWS Artifact / Azure Trust Center / GCP Compliance Reports annually; reviewed by Compliance Manager with notes on any exceptions
- Vendor contract clauses — right-to-audit, incident notification SLA (≤24–72 hours), security requirement schedules signed by sub-service organisations
- Annual sub-service org review memo — Compliance Manager's documented review of each sub-service org's SOC 2 or equivalent report, noting material changes, exceptions and CUECs adequacy assessment
Recommended next actions
A 90-day plan, sequenced so each step produces evidence the next step depends on:
- Day 0–30: Compliance Manager lists all vendors performing functions described in the system description; classifies each as sub-service organisation (performs in-scope functions) or vendor (provides ancillary services outside scope); documents method selection (carve-out vs. inclusive) with rationale.
- Day 31–60: For carve-out sub-service orgs, compile their SOC 2 Type II reports from AWS Artifact / Trust Center; review for exceptions affecting the organisation's controls; document CUECs for each material carve-out.
- Day 61–90: Legal team validates that all sub-service organisation contracts include notification obligations and right-to-audit clauses per CC9.2; update contracts lacking these clauses at next renewal.
- Day 90+: Draft the sub-service organisation section of the SOC 2 system description (Section 3) with CPA firm guidance; confirm method choice with enterprise customers before finalising to avoid post-issuance disputes.
- Ongoing: Annually download and review sub-service org SOC 2 reports; flag any new exceptions to CISO within 10 business days; update CUECs register if sub-service org changes its control environment.
Example metrics
Instrument these and report them monthly to the executive sponsor; sustained adverse trends become board-level conversations:
- Sub-service org register completeness: 100% of vendors performing in-scope functions classified and documented before observation window start
- CUEC coverage: 100% of carve-out sub-service organisations have documented, tested CUECs addressing the excluded control areas
- Annual SOC 2 report review: 100% of critical sub-service org reports reviewed within 30 days of issuance
- Contract compliance: 100% of sub-service organisation contracts include incident notification SLA (≤72 hours) and right-to-audit clauses within 12 months
- CPA qualification rate: 0 qualifications in the SOC 2 opinion attributable to undisclosed or improperly handled sub-service organisations
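The 90-day plan above and the metrics just listed both reduce to checks over the sub-service organisation register. The following Python script is an added example written for this briefing, not a tool from MAST Consulting Group, the AICPA or any of the platforms the briefing names; the register rows, vendor names, dates and the reference date are constructed, and the field names on `SubServiceOrg` are assumptions about how such a register might be structured. It computes register completeness, CUEC coverage, report review timeliness and contract compliance, and lists any new exception that has not reached the CISO within the 10-business-day window from the plan.

```python
# Added example: scoring a sub-service organisation register against the
# briefing's metrics. Illustrative code only; all data below is constructed.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

REVIEW_WINDOW_DAYS = 30        # critical reports reviewed within 30 days of issuance
EXCEPTION_FLAG_SLA_BDAYS = 10  # new exceptions flagged to the CISO within 10 business days
NOTIFICATION_SLA_HOURS = 72    # contractual incident notification SLA


@dataclass
class SubServiceOrg:
    """One row of the register (field layout is an assumption, not a standard)."""
    name: str
    in_scope: bool                  # performs functions covered by the system description
    method: Optional[str] = None    # "carve-out", "inclusive", or None if not yet classified
    critical: bool = False
    cuecs_documented: bool = False
    cuecs_tested: bool = False
    report_issued: Optional[date] = None    # issuance date of the vendor's own SOC 2 report
    report_reviewed: Optional[date] = None  # date the Compliance Manager's review memo was filed
    notification_sla_hours: Optional[int] = None
    right_to_audit: bool = False
    exception_found: Optional[date] = None    # a new exception noted in the vendor's report
    exception_flagged: Optional[date] = None  # date it reached the CISO


def business_days_between(start: date, end: date) -> int:
    """Count Monday-to-Friday days after `start` up to and including `end`."""
    count, current = 0, start
    while current < end:
        current += timedelta(days=1)
        if current.weekday() < 5:
            count += 1
    return count


def pct(numerator: int, denominator: int) -> float:
    """Percentage rounded to one decimal; an empty population scores 100."""
    return 100.0 if denominator == 0 else round(100.0 * numerator / denominator, 1)


def register_completeness(register):
    in_scope = [o for o in register if o.in_scope]
    classified = [o for o in in_scope if o.method in ("carve-out", "inclusive")]
    return pct(len(classified), len(in_scope))


def cuec_coverage(register):
    carved = [o for o in register if o.in_scope and o.method == "carve-out"]
    covered = [o for o in carved if o.cuecs_documented and o.cuecs_tested]
    return pct(len(covered), len(carved))


def review_timeliness(register):
    critical = [o for o in register if o.in_scope and o.critical and o.report_issued]
    on_time = [o for o in critical if o.report_reviewed is not None
               and (o.report_reviewed - o.report_issued).days <= REVIEW_WINDOW_DAYS]
    return pct(len(on_time), len(critical))


def contract_compliance(register):
    orgs = [o for o in register if o.in_scope]
    ok = [o for o in orgs if o.right_to_audit and o.notification_sla_hours is not None
          and o.notification_sla_hours <= NOTIFICATION_SLA_HOURS]
    return pct(len(ok), len(orgs))


def overdue_exception_flags(register, today: date):
    """Names of orgs whose new exception missed (or is still missing) the CISO flag SLA."""
    overdue = []
    for o in register:
        if o.exception_found is None:
            continue
        end = o.exception_flagged if o.exception_flagged is not None else today
        if business_days_between(o.exception_found, end) > EXCEPTION_FLAG_SLA_BDAYS:
            overdue.append(o.name)
    return overdue


def scorecard(register, today: date):
    return {
        "register_completeness_pct": register_completeness(register),
        "cuec_coverage_pct": cuec_coverage(register),
        "review_timeliness_pct": review_timeliness(register),
        "contract_compliance_pct": contract_compliance(register),
        "overdue_exception_flags": overdue_exception_flags(register, today),
    }


# Constructed sample register; vendor names are placeholders, not real vendors.
SAMPLE_TODAY = date(2024, 4, 5)
SAMPLE_REGISTER = [
    SubServiceOrg("cloud-iaas-example", True, "carve-out", critical=True,
                  cuecs_documented=True, cuecs_tested=True,
                  report_issued=date(2024, 3, 1), report_reviewed=date(2024, 3, 20),
                  notification_sla_hours=24, right_to_audit=True),
    SubServiceOrg("payment-processor-example", True, "carve-out", critical=True,
                  cuecs_documented=True, cuecs_tested=False,   # CUECs never tested
                  report_issued=date(2024, 2, 1), report_reviewed=date(2024, 3, 15),  # 43 days
                  notification_sla_hours=96, right_to_audit=True,
                  exception_found=date(2024, 3, 15)),          # never flagged to the CISO
    SubServiceOrg("identity-provider-example", True, "inclusive", critical=True,
                  report_issued=date(2024, 1, 10), report_reviewed=date(2024, 1, 25),
                  notification_sla_hours=72, right_to_audit=True,
                  exception_found=date(2024, 1, 25), exception_flagged=date(2024, 2, 5)),
    SubServiceOrg("analytics-vendor-example", True),   # in scope but not yet classified
    SubServiceOrg("office-supplies-example", False),   # ancillary, outside scope
]

if __name__ == "__main__":
    for key, value in scorecard(SAMPLE_REGISTER, SAMPLE_TODAY).items():
        print(f"{key}: {value}")
```

Run as a script it prints the scorecard for the sample register: 75% completeness (one in-scope vendor unclassified), 50% CUEC coverage, two of three critical reports reviewed on time, 50% contract compliance, and one exception overdue for escalation. Fed a real register export, the same functions produce the monthly figures the sponsor sees; the overdue list is the output worth wiring to an alert rather than a report.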
The executive frame
For an executive sponsor, the decision behind this piece reduces to three questions: what changes in the next two quarters, what is the cost of not acting, and what is the minimum credible response?
Measured against the expectations of the AICPA (the standards setter) and of the licensed CPA firm issuing the report, the answer is rarely "do nothing", but it is also rarely "rebuild the programme". The honest answer for most SOC 2 buyers is a sharply scoped uplift focused on the two indicators that move the most: the number of days between observation window close and report issuance, and the percentage of controls with evidence within their stated frequency.
- What changes. The supervisory bar has moved on operating evidence, not on the control text itself.
- Cost of inaction. Findings carried into the next cycle compound; remediation in a regulator-driven timeframe costs 3–5× what proactive remediation costs.
- Minimum credible response. A 90-day uplift focused on the two indicators above, with a board-level commitment to the next review point.
Pitfalls we keep seeing
Across MAST Consulting Group's SOC 2 portfolio, the same recurring failure modes show up cycle after cycle. None are exotic; all are expensive when they reach the audit report.
- Pattern: incident response runbooks that don't reference the in-scope environment.
- Pattern: controls that are designed but operated inconsistently across the window.
- Pattern: user access reviews completed late or without an independent reviewer.
- Pattern: change tickets without explicit approval evidence.
What good looks like in every one of these cases: the same control evidenced inside the workflow it governs, not separately for the audit.
Tooling we actually reach for
MAST Consulting Group is deliberately tool-agnostic, but in practice the same shortlist keeps appearing on SOC 2 engagements because the integrations are cheap and the evidence is defensible:
- PagerDuty / Opsgenie for incident evidence
- Drata / Vanta / Secureframe for evidence collection
- GitHub / GitLab for change evidence
Each is used not because it is fashionable, but because the audit trail it generates is one the reviewer accepts on the first ask.
How MAST Consulting Group can help
MAST Consulting Group runs SOC 2 programmes for banks, insurers, healthcare networks, payments providers, telcos and government entities across the UAE, KSA, India and the wider GCC. We bring Lead Practitioners, sector specialists, and a working library of policies, risk methodologies and evidence templates that have passed audit at firms recognisable to your board.
If anything in this briefing is relevant to a programme you are scoping or rescuing, the fastest next step is a 30-minute working session with the practice lead. We will look at your specific situation, share what we have seen work for SOC 2 programmes at similar scale, and tell you honestly if the work is something you should bring to us or run in-house.
Get SOC 2 Type II without slowing engineering.
An opinionated control library, evidence cadence and audit-firm coordination tuned for SaaS teams selling into US and Gulf enterprises.
- Trust Services Criteria selection workshop
- Pre-mapped control library and evidence templates
- Auditor-of-record introductions