User Entity Controls in SOC Reports

User Control Considerations have long been a significant part of SOC reports. The concept was already present when SOC reports were still referred to as SAS 70 reports. Over the years, however, the AICPA has changed the term it uses for them.

Today these controls are known as Complementary User Entity Controls (CUECs). They are also referred to as Client Control Considerations, and they are an essential part of any SOC report. SOC reports describe the system controls implemented by the Service Organization.

As part of these system controls, user entities must implement and take responsibility for CUECs so that the system controls as designed operate effectively. For Service Organizations to meet their control objectives, the user entity is required to implement the required CUECs appropriately.

This article explains the role of Complementary User Entity Controls in a SOC report in detail. But first, let us understand what Complementary User Entity Controls are.

What are Complementary User Entity Controls?

Complementary User Entity Controls (CUECs), also popularly known as User Control Considerations (UCCs), are controls that Service Organizations include in the description of their services and rely on the User Entity to implement.

These controls are an integral part of any service execution process. For instance, a Service Organization may take responsibility for ensuring the security of a User Entity's information.

To deliver that security service, some parts of the Service Organization's services or solution will depend on administrative controls at the User Entity. It is therefore the User Entity's responsibility to implement these additional controls related to its use of the Service Organization's offerings.

Appropriate implementation of CUECs helps Service Organizations achieve their control objectives. The control objectives stated in the system description can only be achieved if the Complementary User Entity Controls are designed, enforced, and operating effectively.

User Entities need to ensure that these controls are in place in order to use the Service Organization's services appropriately. CUECs are documented within a SOC report and ensure that User Entities' access to specific services of the Service Organization stays within the scope that the Service Organization and the User Entity have agreed upon.

Examples of Complementary User Entity Controls

  • A User Entity that obtains managed IT services from a Service Organization will need to provide explicit approval before changes are made to the IT environment or services provided by the Service Organization. In the SOC report, this would be stated as: user entities must approve all changes prior to implementation.
  • Another example of a CUEC concerns physical access controls: when physical access needs to be added, modified, or revoked for a User Entity's employees, it is the User Entity's responsibility to notify the Service Organization.

Complementary User Entity Controls in a SOC Report

CUECs are an integral component of the SOC audit report. Any organization involved in financial auditing services, including audit reports such as SOC 1, SOC 2, and SOC 3, will rely on CUECs for efficient auditing. CUECs are integral to the design and operating effectiveness of the control environment.

The CUECs are usually tested by the user auditor in conjunction with the financial statement audit of the user organization. If a SOC audit report does not include CUECs, it indicates that the report is incomplete and will lead to an inadequate audit at the user organization's end. It is important to understand that a SOC report is the result of a cohesive effort by everyone responsible for and involved in it.

This includes all individuals with specific roles and responsibilities. With that said, CUECs are critical in a SOC report and form an essential part of the design, formulation, and execution of SOC reports.

Closing thought

A SOC report of a Service Organization must be evaluated in conjunction with the applicable CUECs at the User Entity's end. These controls are usually listed in SOC reports in a dedicated sub-section and/or next to the control objectives they relate to. If CUECs are not implemented, or are not operating effectively, at the User Entity's end, there is a high probability of control failure when using the related services from the Service Organization.

So, for Service Organizations to achieve their control objectives (SOC 1) or the Trust Services Criteria (SOC 2), the implementation and operating effectiveness of CUECs is crucial. For these reasons, User Entities, too, are required to review the SOC report for any CUECs and ensure that they perform these controls consistently. User Entities must also ensure that they have a process in place to review SOC reports annually so that any CUECs are identified, tracked, and implemented on an ongoing basis.

Narendra Sahoo

Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.