In relation to SOC reporting, controls supporting normal operations provided by your fourth-party vendor are included within a SOC report. Controls of the fourth party are presented separately from those of the third-party vendor and their written assertions should also be included within the report.