Complementary User Entity Control (CUEC)

Home » Glossary Items » SOC 2 » Complementary User Entity Control (CUEC)

Complementary user entity controls (CUEC) are controls that reside at the user entity level of a service organization. User entities are organizations that utilize the services of a service organization. Essentially what it means is that there is a shared responsibility between two parties to ensure the control criteria is being achieved. Think of CUECs as more controls that need to be performed on the customer’s end of the service being provided.

Complementary user entity controls in SOC 2 compliance

Example:

User Interface (UI) Automation Co, is a company that provides UI automation with a computing platform, for example, Mac OS X and Windows Operating Systems. They automate against native applications within a computing resource. However, they provide an online platform that users can log in to and see the processing of UI automation jobs, completeness of jobs, and a big red emergency stop button that will stop the automation.

Now let’s introduce a company that utilizes UI Automation as a SaaS offering. This company is called Green Money Processing Inc. Green Money uses UI Automation Co to assist with processing data between older systems that do not have an API backend. However, Green Money just dismissed an IT developer. The developer was very distraught and upset about being let go. Since the developer worked on setting up the automation and knows the username and password to the online service for UI Automation, they decided to delete all of the automation they set up for Green Money. This would be an example of a CUEC that should be defined and spelled out in the UI Automations SOC 2 report.

Now granted, in a perfect world, UI Automation would have single sign-on implemented as an authentication factor, however, not all service organizations are going to have single sign-on implemented, especially during its early stages.

Complementary user entity controls in the system description

CUECs will play an important role when the auditor obtains and inspects the system description. The auditor will evaluate whether those aspects of the description included in the scope of the engagement are fairly presented. Included in the fair representation of the system is the CUECs. These controls are evaluated as part of the system description being accurately and completely presented as part of the control environment.

Complementary user entity controls (CUEC) in the audit

User entities are responsible for the performance of CUECs and it is the user entities’ auditors or the internal audit function that should audit these controls or more specifically, the control environment. If user entities do not consistently review these controls, it is possible that the control environment may have failures and can be problematic at a service organization level. As part of the SOC 2 report review process for the service organizations, it is critical to engage with user entities and implore them to review any applicable CUECs. The user entity should ensure that they are performing the CUECs consistently over the period a SOC 2 report is relied on. It is recommended to have a discussion on CUECs with the user entities, before initiating their SOC 2 process.

Back

You may also like

Blog

April 9, 2024
SOC 2 Type 1 Guide: Everything You Need To Know

Which type of SOC 2 report is best for your organization and what are their differences?
Blog

March 24, 2024
How To Speed Up Your SOC 2 Audit Without Breaking A Sweat

What’s the fastest way to pass a SOC 2 audit? Simple: you need to plan carefully.
Blog

March 4, 2024
The Latest SOC 2 Revisions and What They Mean for Your Business

Do you know what the latest SOC 2 updates mean for your company as you prepare for your next audit? This blog breaks them down for you.
Blog

February 28, 2024
5 Things To Avoid When Implementing SOC 2

There are a number of common mistakes that businesses make when implementing SOC 2.
Blog

February 6, 2024
SOC 2 Audit: The Essentials for Data Security and Compliance

Read All the Essential Steps and Requirements for Preparing for a SOC 2 Audit to Ensure Data Security and Compliance.
Blog

January 31, 2024
The Ultimate SOC 2 Checklist for SaaS Companies

Here’s a handy SOC 2 compliance checklist to help you prepare for your SOC 2 compliance audit and realize your business’ security goals.
Blog

January 23, 2024
Do You Really Need a SOC 2 Report?

You might be asking yourself, “do I really need a SOC 2 report?”
Blog

January 22, 2024
The Right Compliance Framework for Your Startup: Common Compliance Frameworks

A guide to compliance frameworks for startups, with everything you need to know about the most common frameworks and how they apply.
Blog

January 9, 2024
SOC 2 Report Examples for 2024: Insights into Top-Tier Compliance

A SOC 2 report demonstrates how effectively your business has implemented SOC 2 security controls across the five TSC.
Blog

January 3, 2024
The Importance of SOC 2 Templates

In this piece, we're talking about SOC 2 templates and their role in making the compliance process far less complicated.
Blog

December 5, 2023
5 Reasons Why You Need a SOC 2 Report

Here’s five of the most compelling reasons why your business needs SOC 2.
Blog

November 20, 2023
SOC 2 Scope: How it’s Defined

How creating a comprehensive SOC 2 scope can benefit your business, and how to get there.
Blog

October 11, 2023
How Long Does It Really Take To Get SOC 2 Compliant?

When considering how long SOC 2 takes to achieve, you need to consider the entire SOC 2 journey.
Blog

September 4, 2023
What is SOC 2 Compliance Automation Software and Why is it Important?

SOC 2 automation doesn’t simply make compliance easier, it also makes it possible.
Blog

August 7, 2023
What to Look for During a SOC 2 Readiness Assessment

A SOC 2 readiness assessment is a way of examining your systems to make sure it’s compliant with security controls of the SOC 2 standard.