Complementary user entity controls (CUECs) are controls that reside at the user entity level of a service organization. User entities are organizations that utilize the services of a service organization. Essentially, this means that there is a shared responsibility between the two parties to ensure the control criteria are being achieved. Think of CUECs as additional controls that need to be performed on the customer's end of the service being provided.
Example of Complementary User Entity Controls in SOC 2 compliance
User Interface (UI) Automation Co is a company that provides UI automation for computing platforms, for example, Mac OS X and Windows operating systems. They automate against native applications within a computing resource. They also provide an online platform that users can log in to in order to see the processing of UI automation jobs, the completeness of jobs, and a big red emergency stop button that will stop the automation.
Now let's introduce a company that utilizes UI Automation Co as a SaaS offering. This company is called Green Money Processing Inc. Green Money uses UI Automation Co to assist with processing data between older systems that do not have an API backend. However, Green Money just dismissed an IT developer. The developer was very distraught and upset about being let go. Since the developer worked on setting up the automation and knows the username and password to UI Automation Co's online service, they decided to delete all of the automation they set up for Green Money. This scenario illustrates a CUEC (the user entity's responsibility to manage access for its own personnel) that should be defined and spelled out in UI Automation Co's SOC 2 report.
Granted, in a perfect world, UI Automation Co would have single sign-on implemented as an authentication method. However, not all service organizations will have single sign-on implemented, especially during their early stages.
Complementary user entity controls in the system description
CUECs play an important role when the auditor obtains and inspects the system description. The auditor evaluates whether those aspects of the description included in the scope of the engagement are fairly presented. CUECs are part of that fair presentation of the system: they are evaluated as part of determining whether the system description is accurately and completely presented as part of the control environment.
Complementary user entity controls (CUEC) in audit
User entities are responsible for the performance of CUECs, and it is the user entities' auditors or their internal audit function that should audit these controls or, more specifically, the control environment. If user entities do not consistently review these controls, the control environment may have failures that become problematic at the service organization level. As part of the SOC 2 report review process for service organizations, it is critical to engage with user entities and urge them to review any applicable CUECs. The user entity should ensure that it is performing the CUECs consistently over the period during which the SOC 2 report is relied on. It is recommended to have a discussion on CUECs with the user entities before initiating the SOC 2 process.