SOC reports will usually include Complementary User Entity Controls. These are controls that the vendor has included within its system and rely on the user entity (you) to implement in order to achieve the vendor’s control objectives.
Beware: In these cases, the control objectives stated in the description can be achieved only if these complementary user entity controls are suitably designed and operating effectively (by you), along with the controls at the service organization (vendor).