Complementary user entity controls (CUECs) are an important and essential part of any SOC report. If your organization receives a SOC 1, SOC 2 or SOC 3, or if your organization is a vendor that contracts with service organizations, CUECs are an integral part of the process required to have an effective internal controls structure. SOC reports define the system controls that have been implemented by the service organization, and as part of the system of controls user entities must implement and take responsibility for CUECs to ensure that the system of controls is designed and operating effectively. CUECs effectively outline, within the SOC report, the specific internal control requirements that are the responsibility of the user entity and not the responsibility of the service organization. If the user entities do not appropriately implement the required CUECs defined by the service organizations, then the service organization may ultimately be unable to meet the control objectives.
CUEC’s and Service Organizations
Complimentary user entity controls are a required component of SOC reports given that they are integral to the design and operating effectiveness of the overall control environment. In the instance that a SOC audit report does not include CUECs that report is deemed to be incomplete and may result in additional issues during the audit of the user entity. CUECs are generally identified within their own section or subsection of the SOC report. In many instances the CUECs can be found either immediately following the description of the system of controls, or immediately following each of the control sections for which CUECs apply.
Service organizations are responsible for identifying the CUECs related to the services they perform on behalf of user entities during the initial SOC reporting process. As discussed above, CUECs are an important part of the overall control process for both the service organization and the user entities. In order for service organizations to provide a quality SOC report to user entities it is imperative that all CUECs are clearly defined within the SOC report. The first step in the process for service organizations is to clearly identify the types of services performed as well as the control objectives and controls around those services. During that process, service organizations should identify the boundaries of their controls and identify the specific controls that are the responsibility of the user entities. The service organization should document those controls required by the user entities as well as the applicable control objectives and controls related to the CUECs. The CUECs identified during this process are documented, communicated to user entities, and incorporated into the annual SOC report. As the service organization continues to implement new controls, processes, and services offerings, the CUECs should also be continually updated and evaluated to ensure that the user entities know their internal control responsibilities.
CUECs and User Entities
If your organization is a user entity that is involved with a service organization that receives SOC 1, SOC 2 or SOC 3 reports, you should know and understand the various types of CUECs as well as how they operate. Service Organizations are numerous and diverse entities, and CUECs can be very different depending on the specific type of SOC report, service organization, and industry. User entities should begin to evaluate CUECs by reviewing the SOC reports for the service organizations that they are currently using as part of their current business processes. User entities should identify all the applicable CUECs that are outlined in the report during the annual SOC audit report review process. Upon completion of identifying the applicable CUECs from the current SOC reports the user entity should identify and document the specific control or controls that they implemented to address each CUEC. The process of mapping the controls at the user entity to each SOC report will ensure that the user entities controls are adequately designed to address the CUEC requirements outlined by the service organizations. Addressing all the CUECs in the SOC reports will ensure that the user entities can effectively rely on the system of controls being performed by service organizations.