Written by: Kaitlyn Mackenzie
Understanding Complementary User Entity Controls: Key Considerations for SOC Report Readers & Service Organizations
Key Takeaways:
- Complementary user entity controls (CUECs) are control activities that service organizations expect user entities (report readers) to implement to complement their own controls.
- User responsibilities are clearly outlined in service agreements, while CUECs are expectations set by the service organization that aren’t always explicitly defined in contracts.
- Service organizations collaborate with auditors to determine if CUECs are necessary, reviewing agreements and user guides to identify any gaps in defined responsibilities.
- Report readers (user entities) must assess and document how they meet any CUECs defined in the SOC report and take action if any necessary controls are missing.
In our previous articles, we have explored the different types of SOC reports and highlighted the key differences between Type 1 and Type 2 reports. Today, we will define complementary user entity controls (CUECs) and explain how they are selected for inclusion in a SOC report. Additionally, we will discuss their impact on report readers and provide guidance on what to consider during their review.
What are Complementary User Entity Controls (CUECs)?
CUECs are defined as control activities that the management of a service organization expects user entities (when applicable) to implement in order to complement their own control activities. CUECs are distinct from user responsibilities, which are specific requirements outlined in service agreements and contracts to fulfill service commitments. The distinction between user responsibilities and CUECs is best illustrated through analyzing a few potential scenarios:
User Responsibilities
A service organization provides a Software as a Service (SaaS) platform to user entities. Upon signing the agreement, the user entity is required to provide information for the individual(s) who will be set up as administrators for their organization’s instance. This is considered a user responsibility, as providing this information is necessary to use the contracted service and enable the service organization to fulfill its service commitment.
CUEC
A service organization’s system may require the installation of an appliance or server in the server room of user entities to provide the service. In this case, the service organization cannot control the physical security mechanisms of the server rooms where their appliance or server is located. The service organization would specify a CUEC in their report, stating that user entities are responsible for implementing appropriate physical security controls to ensure that access to the server room – and therefore to the appliance or server – is restricted to authorized personnel.
How Does a Service Organization Determine What CUECs to Include in the SOC Report?
CUECs can appear in both SOC 1 and SOC 2 reports; however, they are not mandatory. Management of a service organization will collaborate with their auditor to determine whether CUECs are necessary. The auditor typically begins by working with management to understand what controls they expect to be in place at user entities, if any.
The service auditor will then review agreements between the service organization and user entities, as well as user guides, to identify clearly defined responsibilities. Any control expectations from management that are not explicitly outlined in these documents will typically indicate the need for CUECs.
What are the Responsibilities of Report Readers?
SOC report readers (user entities) are responsible for reviewing reports to determine if any CUECs are defined in the system description. For any CUECs listed, the reader should assess their applicability and evaluate the controls in place to address them. Ideally, readers should document their responses regarding how CUECs are met as part of fulfilling their vendor management obligations. If a reader identifies a relevant CUEC but lacks an appropriate control, they should develop a strategy to implement the necessary control.
The Importance of User Entities in Achieving Control Objectives
It is vital to understand that user entities play a crucial role in supporting service organizations in achieving control objectives. Report readers should take the time to determine if CUECs have been defined and assess what actions they are taking to meet the defined requirements.
Wolf’s SOC Reporting team provides expert guidance on reporting, helping you navigate CUECs and align your controls with requirements. If you have any questions about CUECs or need assistance with your SOC reporting requirements, reach out to a member of our team today.