Complementary user entity controls (CUECs) are an essential part of any SOC (System and Organization Controls) audit report. If you are involved with an organization that provides outsourced services to one or more user entities, you are already familiar with one or more of the SOC audit reports: SOC 1 reports on controls relevant to the user entities' internal control over financial reporting (ICFR), while SOC 2 and SOC 3 report on controls relevant to security, availability, processing integrity, confidentiality, and privacy (the Trust Services Criteria).
Who is Responsible for CUECs?
When contracting with a service organization, a user entity must accept that certain controls remain its own responsibility. Briefly defined, CUECs are the controls that a service organization assumes its user entities will implement and operate, and that are necessary, in combination with the service organization's own controls, to achieve the control objectives (SOC 1) or criteria (SOC 2) stated in the report. In other words, user entities are accountable for performing CUECs. If a user entity does not consistently perform the CUECs described in the report, the service organization's controls alone may not be sufficient to achieve the stated control objectives, even if those controls are operating exactly as designed.
Examples of CUECs
If you are involved with a service organization that undergoes SOC audits (or with any service organization whose services may affect a user entity's ICFR or security posture), you should familiarize yourself with the common types of CUECs and the ways in which they function. Common examples of service organizations that issue SOC audit reports include data centers, payroll processors, medical claims processors, managed IT service providers, loan servicing companies, and SaaS (Software-as-a-Service) providers.
Individual CUECs vary greatly from SOC audit report to SOC audit report, service organization to service organization, and industry to industry. To protect sensitive financial information, for example, a service organization may require user entities to encrypt data in transit using current, industry-accepted protocols and cipher strengths. Other security-related CUECs may require user entities to maintain and update their own antivirus infrastructure, or to control and monitor access to their own file-sharing systems so that unauthorized parties cannot reach data exchanged with the service organization. One of the most common CUECs is user access management: the service organization typically relies on the user entity to add, modify, and promptly remove its own users' accounts and privileges within the service, and to review those accounts periodically.
A Brief History of CUECs
User control considerations have long been an essential concern of the AICPA and a central part of its audit reporting frameworks. Just as SOC audit reports (under SSAE 16, now SSAE 18) took the place of SAS (Statement on Auditing Standards) 70 reports in 2011, the controls themselves have gone by several names over the years. Although you may still hear them referred to as user control considerations or client control considerations, the AICPA currently uses the term complementary user entity controls (CUECs). The official AICPA website contains a wealth of information about the various SOC audit reports and the CUECs that accompany them.
SOC and CUEC Recommendations and Requirements
The vast majority of SOC audit reports include CUECs, since a service organization almost always depends on its user entities for some part of the control environment. A report that omits CUECs the service organization actually relies on is incomplete: user entities and their auditors will assume the control objectives are achieved by the service organization alone, and will fail to implement or test controls on which those objectives depend.
To achieve the stated control objectives together with the service organization, a user entity must closely examine all applicable CUECs as part of its initial and ongoing review of each SOC audit report. Informed by that review, the user entity must map each CUEC to a control it actually operates, assign an owner, and perform it consistently as described in the report; any CUEC that has no corresponding control at the user entity is a gap that the service organization's report does not cover.
CUECs are typically delineated in SOC audit reports within their own sub-section and/or directly adjacent to the control objectives to which they relate. Wise organizations engage a trustworthy auditor to review and test their CUECs alongside their financial controls and their contractual expectations of the service organization.
For more information about SOC audit reports and industry-specific CUECs, contact a skilled and knowledgeable representative of I.S. Partners, LLC, today.