Reviewing Vendor SOC Complementary User Entity Controls (CUECs)


Many of us are likely familiar with the information security risk that comes from working with vendors. When vendors have access to your organization or customers’ data, it’s critical to ensure that they have controls in place to protect it. A vendor’s SOC report will provide details on these controls and will also describe what your organization needs to do for the controls to be effective. SOC complementary user entity controls (CUECs) are essentially used to help achieve the vendor’s control objectives.
Let’s review some of the basics of CUECs and some tips on how to review them.

Basics of Vendor CUECs


CUECs are meant to ensure that the vendor’s control objectives can be met while informing your organization of its responsibilities. Vendor controls are a shared responsibility, and CUECs are your organization’s part of that responsibility in the relationship. The number of CUECs for different vendors or services can vary: there can be fewer than five, or there can be 30 or more.

In SOC 2 reports, CUECs address and are mapped to the Trust Services Criteria of security, availability, processing integrity, confidentiality or privacy. The organization being examined for a SOC 2 report gets to select the Trust Services Criteria and scope they’re examined against. Common criteria are those that are common to all five of the trust service categories. Controls can address common criteria or individual Trust Services Criteria. By ensuring implementation of the established CUECs, your organization is ensuring security through the Trust Services Criteria.

SOC 1 reports do not address the Trust Services Criteria. Instead, the organization being examined is tested on internal controls they have selected relevant to their financial operations. However, the organization being examined does not get to determine the scope of the exam as all controls are tested. By implementing CUECs described in a SOC 1 report, your organization is ensuring security according to your vendor’s selected controls.

How to Review Vendor CUECs

You can find CUECs in the Description or Tested Controls section of your vendor’s SOC report. CUECs found in the Description section, often Section III, include details on controls and how they relate to the control objectives found in the report. This subsection is often found toward the end of the Description section. CUECs may also be found in the Tested Controls section, or section IV, of the SOC report. Controls may be documented with the control objectives to which they are mapped.

Now that you have found the CUECs, here’s how to review them:

  1. Review the CUECs and their associated control objectives to ensure the context is understood
  2. Determine which CUECs apply to you, as not all will always apply
  3. Assign each CUEC to a person/team/role for responsibility
  4. Determine which CUECs you’re already addressing
  5. Address each applicable remaining CUEC
  6. Record how each CUEC is addressed. Here are questions to ask:
    1. Is this CUEC similar to any of your organization’s existing controls?
    2. Who owns this control and takes responsibility for it?
    3. How often is this control validated or tested for effectiveness?
  7. Assess CUECs with each new SOC report or with any significant internal changes
  8. Document, document, document! Make sure you record this work.


Excluding Vendor Controls From the Review

A Subject Matter Expert (SME) in your organization should review the CUECs to determine which controls apply to the products or services your organization is using. If CUECs are specific to products or services your organization does NOT use, you can exclude those from your activities. CUECs that are specific criteria applying to products or services you are using should be implemented by an SME in your organization. CUECs classified as common criteria should also be implemented by your organization.

Tips for Mapping CUECs

It’s your organization’s responsibility to ensure you’re meeting any regulatory or contractual requirements with your controls. Map CUECs to these requirements and then analyze what other requirements have not yet been fulfilled.

Mapping CUECs to appropriate business units will ensure that controls are implemented by the proper SMEs. Consider which department would be most knowledgeable about each control and who would be able to best accomplish the control objective.

Assigning the implementation of CUECs to the SME will provide the best assurance that the control objective is effective to ensure security.

When mapping controls to your organization, make sure the activities you are implementing are also included in your governance documentation to aid with consistency and accountability.

CUECs are critical activities your organization should be performing to ensure that your vendor’s control objectives are met and security is maintained. An SME in your organization should review the CUECs to determine which controls apply to the products and services utilized. The applicable controls must be assigned so that they can be effectively implemented. CUECs are designed to give your organization confidence that security is not compromised by your vendor relationships.
