
SOC report review: Step by step guide

Written by Sajed Ahmed
Updated over 4 months ago

Overview

Managing SOC reports manually can be time-consuming and error-prone. Gathering and verifying detailed information from SOC reports often requires significant effort, and the reports can be difficult to scan if the data isn’t properly organized.

Numero’s AI-powered Document Repository simplifies the process by automatically categorizing the report and extracting the key information—including exceptions, subservice providers, and user entity controls (CUEC)—eliminating tedious manual work, improving accuracy, and making it easier to scan and navigate the data.

Instructions

Accessing and Uploading SOC Reports

Log in to Numero and go to Internal Documents to access your repository. Click Add Documents to upload a SOC report, which Numero’s AI will automatically categorize and process. For a detailed walkthrough, see Manually Adding Documents to the Repository.

If you have connected a cloud drive such as SharePoint, add your files to your cloud folder and Numero will automatically sync the new files.

Viewing SOC Report Details

Once the document is processed, click the SOC document name to open a detailed view, where Exceptions highlights any deviations, Subservice Orgs displays third-party controls within the report’s scope, and CUEC Mapping outlines user entity responsibilities. Numero also provides citations indicating the exact source of the information within the document, so you don’t have to scan through the entire document to locate the details it highlights.

Cover Sheet: Provides a quick snapshot of the SOC report, including the service organization, report type, coverage period, and auditor’s opinion. This summary helps you confirm the report’s scope and key details at a glance, without reading through the full document. You can also edit the content, and by clicking the book icon, you can view the corresponding citation from the report, with the relevant text highlighted for easy reference.

Exception: Shows any deviations noted in the SOC report, or confirms when none are found. These exceptions reflect differences between the controls the service organization provides and what client entities are expected to manage or rely on.

Subservice Orgs: Lists the Complementary Subservice Organization Controls (CSOCs) for the third-party service providers that are carved out of the SOC report’s scope. These are usually noted explicitly in the report to clarify which controls remain outside the auditor’s review.

If something’s missing, you can easily add it yourself by clicking “+Add”.

CUEC Mapping: Details Complementary User Entity Controls, which outline the responsibilities client organizations must implement on their side. These are typically specified in the SOC report to clarify the shared responsibility between the service provider and its users. As above, you can add your own entries by clicking “+Add”.

Linked Documents: You can link relevant documents, such as bridge letters, to the selected SOC report. This allows you to review all related materials in one place.

Downloading or Exporting SOC Reports

When reviewing a document, you’ll notice the original SOC report (and bridge letter, if included) on the right-hand side for easy comparison. You can:

Click the download icon in the top-right corner to download the SOC report or the extracted information:

  • Download - Downloads the SOC report document.

  • Export SOC Report - Downloads the extracted details in a spreadsheet.

This ensures you always have both the source and AI-extracted data at your fingertips.

Troubleshooting

  • Sync Failure: If your SOC report isn’t visible, please ensure it’s in a supported format (.pdf or .docx) and allow some time for processing.

  • Missing Data in Tabs: Ensure the correct SOC PDF and the corresponding bridge letters are uploaded. If you still have challenges, reach out to us.
