Recommendation Details
Text of Recommendation
4. Control Weakness over Third-Party Oversight for XP2 Application Hosted by Fiserv (NCUA IT-20-04)

We noted that in performing its risk assessment, management did not adequately evaluate the System and Organization Controls (SOC) 1 report over Fiserv’s XP2 application service provider environment. Specifically, management’s risk assessment did not:

a. Identify and evaluate the NCUA’s design and operating effectiveness of the Complementary User Entity Controls (CUECs) identified within the SOC 1 report.
b. Identify and evaluate the complementary subservice organization controls (CSOCs) identified within the SOC 1 report.
c. Obtain and perform an assessment of a bridge/gap letter to determine whether coverage was provided for the entire year.

NCUA’s documented procedures do not provide detailed guidance on how to perform an assessment of a third-party service provider organization, specifically as it relates to the SOC 1 report, as required by Office of Management and Budget Circular Memorandum 16-17 (OMB M-16-17). As a result, the NCUA’s annual assessment of controls related to XP2 was incomplete, as it did not consider all relevant aspects of the SOC 1 report during its evaluation.
Recommendation Number
OIG-21-02/03/04/05
Recommendation Status
Open
Significant Recommendation
No
Recommendation Questioned Costs
$0
Recommendation Funds for Better Use
$0