Most security, audit and compliance professionals are already acquainted with System and Organization Controls (SOC) and SSAE 18 audits.

There is, however, another category of controls that needs attention too: Complementary User Entity Controls (CUECs).

CUECs are a subset of service organization controls, and exist on a user-entity level — that is, at the level of organizations that use service providers, so the client company can have better control over how the service provider and its services are used.

CUECs are also sometimes known as client control considerations or user control considerations (UCCs).

So what exactly are Complementary User Entity Controls? Who is responsible for them? How can organizations determine their CUECs?

This brief guide addresses all these questions about this vital area of SOC audit reports.

What Are Complementary User Entity Controls?

Service providers want their customers to have complementary user entity controls to assure that the customer can properly use the vendor’s services — and, just as important, to confirm that the customer can’t improperly use the vendor’s services either.

The customer company is the “user entity.” CUECs are controls that reside with the user entity, to make sure that the user entity’s access to services remains within the scope agreed upon by both organizations.

For example, a service provider that works with a bank may require that to use the vendor’s services, the bank must transmit only encrypted data to the vendor. The vendor might also require the bank to use only standard encryption methods that are aligned with the latest industry standards. Those controls reside with the user entity (the bank), and are two types of CUECs.

CEUCs are documented within SOC reports or evaluated in an SSAE 18 audit, depending on the requirements of the auditing firm performing the SOC review.

How Do CUECs Relate to SOC Reports?

SOC reports (SOC 1, SOC 2, and SOC 3) are issued by a certified public accountant (CPA), and verify that a service organization has implemented effective control activities related to security, confidentiality, privacy, availability, and processing integrity.

The goal of a SOC report is to identify potential risks for customers considering the service provider, and to establish trust between service organizations and customers.

Service providers and their customers agree on a scope for user entity-level access to services. Within this scope, CUECs help align SOC reports with relevant control objectives and sub-sections. CUECs play an important role in the design, formulation, and execution of SOC reports.

These controls are also integral to the design and operating effectiveness of the control environment, and for assuring efficient user access, improved business processes, and operating effectiveness.

In the SOC report, CUECs are usually placed:

  • In a specific sub-section of the service description section
  • As part of the tested controls section

Who Is Responsible for CUECs?

Service vendors include CUECs within their system and rely on customers to implement them, so the customer can achieve their control objectives. This means that the customer that contracts with a service organization (a Software-as-a-Service vendor, for example) is responsible for CUECs.

Customers should be aware of CUECs and their functions. This awareness will help a customer company understand its responsibility when it contracts with a service vendor, and assure that the vendor’s stated control objectives are effective for the company.

CUEC implementation and function depend on the user entity, not on the service provider. Therefore, it’s vital that the user entity must review all CUECs carefully, and also confirm that the required controls are in place within its own operational environment.

Furthermore, the user entity must also consistently create new CUECs to match evolving business needs or market realities. If the user entity is unable to do so, the service organization may not be able to deliver the contracted control objectives.

How Do I Determine My Organization’s CUECs?

Organizations that work with service providers can find their CUECs within the provider’s SOC report. The CEUCs are included in the applicable control objective or process area in this report.

To determine and create its CUECs, an organization must review its SOC and SSAE 18 requirements.

It’s also useful to look at various aspects that might apply to the organization when it signs up with a service provider, such as:

  • Risk assessment, internal audit, and mitigation
  • Logical and physical access controls
  • Change management processes
  • IT security measures and controls
  • Data storage, backup, and restoration
  • Monitoring, logging, and alerts

Some of the most common CUECs are listed in the next section.

Common Examples of CUECs

Individual CUECs vary among SOC reports, service organizations, and industries. Nonetheless, the most common CUECs in any SOC report are:

  • Authorization policies and procedures to assure that transactions are authorized, secure, complete, and timely.
  • Data transmission policies and procedures to protect data by appropriate methods, such as encryption.
  • Separation procedures occur in the form of regular account assessments and timely account removal.
  • Physical access controls notify the service provider if physical access for the entity’s employees is to be added, modified, or revoked.
  • Logical access controls include account provisioning and management.
  • Security procedures refer to monitoring or updating antivirus infrastructure, applying security patches, and related controls.

Risks of Poor CUEC Deployment

Inefficient CUEC deployment at a user entity leads to weak control environments. That, in turn, could cause internal control failures related to the use of a service organization.

For instance, if an employee at the user entity leaves the organization, the user entity must inform the service organization to remove this person from the user entity’s network access list. Without this notification from the user entity, the vendor will not remove access for the employee who departed. Consequently, this person will have unauthorized access to the user entity’s environment, which can create serious security risks for the user entity.

Poor CEUCs could harm the efficiency and quality of the SOC report provided by service organizations to user entities. A report that doesn’t include CUECs may create additional issues when the user entity is audited.

Mapping the controls at the user entities to each service auditor’s SOC report assures that these controls are efficiently designed to meet all CUEC requirements outlined by a service organization. This, in turn, makes certain assures that the user entity can rely on the vendor’s control environment.

Complementary User Entity Controls Versus Complementary Sub-Service Organization Controls

CUECs should not be confused with Complementary Sub-Service Organization Controls, which are the SOC2 controls that service providers outsource to their vendors.

These may include the implementation of physical and environmental safeguards, data backups, and the management of logical systems access.

Although performed by another entity (such as a sub-contractor to the service organization), these controls remain important for the service organization, because a weakness in this area could harm the controls’ operating effectiveness and continuity.

To confirm that these controls are in place, the service provider must review all in-scope SOC2 criteria and principles, identify the controls performed by others, and note the related trust services criteria for each control.

How ZenGRC Can Help With CUECs

CUECs are an important component of SOC reports. They are also vital to the design and operating effectiveness of the control environment, the achievement of stipulated control objectives, and overall risk management.

This is why user organizations must examine all CUECs applicable to them as part of the SOC report review process. They must also continuously create new applicable CUECs to stay aligned with SOC terms and criteria.

ZenGRC is a SaaS platform that can reduce the burden of SOC reports or any other compliance and risk management requirements you may have.

The ZenGRC dashboard offers a centralized view of your risk management stance at all times, across numerous frameworks.

Worry-free compliance and risk management is the ‘Zen’ way! To see ZenGRC in action, contact us today for a free demo.