The concept of user control considerations within SOC reports has been around since SOC reports were referred to as SAS 70s, although the AICPA’s term used to describe user control considerations has changed over time. These controls are now known as complementary user entity controls (CUEC). You may also hear these controls referred to as client control considerations or user control considerations.
What are Complementary User Entity Controls?
CUECs are controls that reside at the user entity level of a service organization. User entities are organizations that utilize the services of a service organization.
When using a service organization, there are certain controls that remain the responsibility of a user entity. For example, consider a user entity that uses a common file sharing program such as Dropbox. When employees terminate from the user entity, the user entity must remove the former employees’ access to the file sharing program. The file sharing program (service organization) has no way to know when a user entity’s employee access should be removed. As a result, the user entity must remove the former employees access to the file sharing program upon termination. This is an example of a common CUEC.
More Examples of CUECs:
- MSP Environment Changes – A user entity uses uses a managed IT service provider (service organization) to make changes to its environment, however, no changes are made to the service organization without explicit approval from the user entity. In this example, the service organization’s report would say that user entities must approve all changes prior to implementation.
- Encrypted Financial Data – A service organization works with banking institutions that send large amounts of data periodically to the service organization. A CUEC within the service organization’s report may say that user entities must send data in an encrypted manner using industry standard encryption or request that the service organization provide a secure transmission method.
- Security Monitoring – User entities must monitor and update their own antivirus definition updates and security patches unless the service is included within a contracted Statement of Work with the service organization.
- Physical Access – It is the responsibility of user entities to notify the service organization in the event that physical access needs to be added, modified, or revoked for a user entity’s employees.
- Contingency Plan – The service organization’s contingency plan is applicable to its operations only. User entities are not covered by it and should develop their own contingency plan.
When reviewing SOC reports, user entities should review all CUECs where the user entity must perform certain controls. These controls are usually delineated SOC reports within their own report sub-section and/or next to the control objectives they relate. CUECs together with the control activities at the service organization work in conjunction to achieve the related control objective (SOC 1) or Trust Service Criteria (SOC 2).
Most SOC audit reports have CUECs since they are integral to the design and operating effectiveness of the control environment. The CUECs are usually tested by the user auditor in conjunction with the performance of the financial statement audit of the user organization. If a SOC audit report does not have any CUECs, this may be an indication of an incomplete report and therefore lead to inadequate audits at user organizations.
If in doubt, talk to the service auditor. In most cases, they should be more than willing to answer questions on CUECs.
Complementary vs. Compensating Controls
What is the difference between complementary controls versus compensating controls?
Complementary Controls: These are controls that work together at an organization to achieve the same control objective. Using an example from above, if a service organization is not notified to make a change to a user entity’s access list, they will not remove the access for the user entity’s employee when they terminate employment. The result is that an individual who is no longer authorized to have access to the user entity’s environment at the service organization may retain access.
Compensating Controls: Compensating controls are usually put in place when it is too difficult to implement a primary control for a particular requirement. For example, many service organizations know that not all of the user entities that use them notify them consistently when user entity employees terminate employment. To compensate for not being notified properly to remove terminated employee access, a service organization may implement an account lockout feature so that when a user does not login for an extended period of time (e.g., 60 days), their account is locked. This would compensate for the user entity neglecting to notify the service organization to remove access. Of course, the terminated employee could still have accessed the service organization’s environment for up to 59 days, however, this type of control still reduces risk related to logical access at the service organization.
Who has Responsibility for Complementary User Entity Control?
User entities are responsible for the performance of CUECs. If user entities do not consistently perform CUECs, it is possible that the control environment at user entities may have failures even if the controls at a user entity’s service organizations are designed and operate effectively. It is important for user entities to review any applicable CUECs as part of the SOC report review process for any service organizations in use. If there are any CUECs, the user entity should ensure that they are performing the CUECs consistently over the period a given SOC report is relied on.
What are my Organization’s Complementary User Entity Controls?
Your organization’s CUECs can be found within the SOC reports for any service organizations that are used by your organization. CUECs are included within SOC reports in the applicable control objective or process area. Using the example above where a user entity must remove access for any former employees to Dropbox, Dropbox’s SOC report should have a CUEC for its user entities within the logical access section of the report.
Summary of Complementary User Entity Controls or CUECs
A SOC report for any service organization must be evaluated along with any applicable CUECs at the user entity. If CUECs do not operate effectively at a user entity, control failures could still occur related to the use of a particular service organization. Review your SOC reports for any CUECs and ensure that your user entity performs these controls consistently and has a process to review SOC reports annually and ensure that any CUECs are identified and tracked. See our past Linford & Company blog posts related to identifying the correct SOC report for your service organization as well as the impact of any findings within your SOC report.
Linford & Company is a boutique IT auditing firm that performs SOC examinations, FedRAMP, and HITRUST assessments. If you have questions about SOC 1 or SOC 2 reports or the use of CUECs within service auditor reports, please contact us.
Rob started with Linford & Co., LLP in 2011 and leads the HITRUST practice as well as performs SOC examinations and HIPAA assessments. He has spoken at Data Center World on compliance-related topics and has completed over 200 SOC examinations. He started his career as an IT auditor in 2003 with PwC in the Systems and Process Assurance group, and has worked in a variety of industries in internal audit as well as for the City and County of Denver.