Found in SOC reports, these are the controls the vendor assumes will be implemented by the subservice organization (your fourth-party vendor) and are necessary to achieve the control objectives stated in the vendor’s description of the service organization’s system.