Appendix C-1 — Illustrative Management Assertion and Service Auditor’s Report for a Type 2 Examination (Carved-Out Controls of a Subservice Organization and Complementary Subservice Organization Controls and Complementary User Entity Controls)