Examining the value of complementary user entity controls within SOC reports
By Fazal Nabi
For SOC reports, user control considerations have long been important.
Essentially, complementary user entity controls (CUECs) are operative measures that exist at the user-entity level within a service-based relationship between organizations. Here, the term user entity refers to any organization that obtains a financial auditing or transactional service from another business.
CUECs ensure that user entities’ access to specific services is controlled within the scope that both organizations have already agreed upon. Within this scope, CUECs help align the reports with their allotted subsections and control objectives. For example, along with control activities, CUECs help complete SOC 1 (control objective), SOC 2 (trust services criteria) and SOC 3 type reports.
CUECs within SOC reporting
In terms of the roles that CUECs play within SOC reports, it’s important to understand that SOC reports are often the result of a cohesive effort on the part of several individuals — all of whom have specific roles and responsibilities. Thus, the relationship between SOC reports and CUECs is especially important, as CUECs help in the design, formulation and execution of SOC reports.
Moreover, the use of CUECs within SOC reports helps ensure that access is provided efficiently, leading to higher levels of productivity. In the vast majority of contemporary SOC reports, CUECs have become not only important but also essential components of ensuring fluidity, accuracy and proper completion.
Altogether, there are two different types of CUECs: complementary and compensating controls. The former can be identified as cohesive controls that work together to achieve control objectives, while the latter can be identified as one-off controls that are allocated when primary controls are needed for specific requirements or needs.
Responsibility for CUECs falls on the user entities, which need to continuously and consistently create new CUECs that change according to current demands and needs.
The risk of inefficient CUEC deployment
Another way of explaining such controls is to take corporate email as a simple example. The use of a corporate email address is only permitted so long as the individual using it is still employed by the corporation the address represents. If the individual no longer represents the company, CUECs allow for a seamless and smooth transition towards access reallocation. Other examples of CUECs include anything from system encryption to monitoring services and contingency planning.
Without continuous monitoring, tracking and development, CUECs may fall short of supporting a successful control environment, which could have an adverse effect on the general efficiency of the SOC report. CUECs should never be glossed over because of the additional work they often require. Even the smallest or seemingly least important vendor relationship can pose the greatest amount of risk to a SOC report if the appropriate CUECs are not properly considered and added. Without such controls, the SOC report is deemed to carry an increased amount of risk, due to potentially missing protections that are often considered the strict responsibility of the service organization.
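The corporate-email example above is the kind of CUEC a user entity has to evidence on a recurring basis: every mailbox that is still enabled should belong to a current employee. The following reconciliation is an added illustration written for this article, not code from Wipfli or from any SOC framework; it assumes a constructed HR roster and a constructed mailbox export, and it treats a configurable grace period (the number of days an offboarding workflow is allowed to take) as an assumption a real program would set from its own policy.

```python
"""Reconcile an HR roster against mailbox status to evidence a CUEC:
corporate mailboxes are disabled once the owner leaves the company.

Added example with constructed sample data; not the page's or Wipfli's code.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Employee:
    email: str
    termination_date: Optional[date]  # None means still employed


@dataclass(frozen=True)
class MailAccount:
    email: str
    enabled: bool


@dataclass(frozen=True)
class Finding:
    email: str
    issue: str  # "terminated_user_enabled" or "orphaned_account"
    days_since_termination: Optional[int]  # None for orphaned accounts


# Constructed HR roster (hypothetical people and dates).
HR_ROSTER: List[Employee] = [
    Employee("alice@example.com", None),              # current employee
    Employee("bob@example.com", date(2024, 3, 1)),     # left weeks ago
    Employee("carol@example.com", date(2024, 3, 10)),  # left, mailbox disabled
    Employee("dave@example.com", date(2024, 3, 28)),   # left two days ago
]

# Constructed mailbox export, as an identity or mail platform might produce it.
MAIL_ACCOUNTS: List[MailAccount] = [
    MailAccount("alice@example.com", enabled=True),
    MailAccount("bob@example.com", enabled=True),        # should have been disabled
    MailAccount("carol@example.com", enabled=False),     # offboarded correctly
    MailAccount("dave@example.com", enabled=True),       # inside the grace period?
    MailAccount("svc-legacy@example.com", enabled=True), # nobody in HR owns this
]


def reconcile(roster: List[Employee], accounts: List[MailAccount],
              as_of: date, grace_days: int = 0) -> List[Finding]:
    """Return every enabled mailbox that violates the leaver control.

    A mailbox is flagged when its owner was terminated more than
    `grace_days` before `as_of`, or when no roster entry owns it at all.
    Future-dated leavers (termination after `as_of`) are not flagged.
    """
    by_email: Dict[str, Employee] = {e.email.lower(): e for e in roster}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # a disabled mailbox cannot be used; nothing to report
        owner = by_email.get(acct.email.lower())
        if owner is None:
            findings.append(Finding(acct.email, "orphaned_account", None))
            continue
        if owner.termination_date is None:
            continue  # current employee, control satisfied
        elapsed = (as_of - owner.termination_date).days
        if elapsed > grace_days:
            findings.append(Finding(acct.email, "terminated_user_enabled", elapsed))
    return sorted(findings, key=lambda f: f.email)


def run_example(grace_days: int) -> List[Finding]:
    """Run the reconciliation on the constructed data as of 2024-03-30."""
    return reconcile(HR_ROSTER, MAIL_ACCOUNTS, date(2024, 3, 30), grace_days)


if __name__ == "__main__":
    for finding in run_example(grace_days=2):
        print(f"{finding.email}: {finding.issue} "
              f"(days since termination: {finding.days_since_termination})")
```

With a two-day grace period the run flags Bob's mailbox and the unowned service account but not Dave's, whose offboarding is still within policy; with a zero-day grace period Dave's mailbox is flagged too. Keeping the output as structured findings rather than free text is what makes it usable as audit evidence for the CUEC.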
With a clear and transparent implementation of CUECs within a SOC report, the overall process can be easily explained throughout internal audits and external regulatory tests.
CUECs are an integral component of any SOC audit report. For any organization involved in financial auditing services, almost all SOC audit reports — including SOC 1, SOC 2 and SOC 3 — rely on CUECs for efficient auditing. The timely filing of SOC reports is a requirement under the SSAE and AICPA rules and is greatly reliant on CUECs.
If you need assistance with your CUECs or planning your next SOC audit, contact Wipfli for assistance.