Reviewing Vendor SOC Complementary User Entity Controls (CUECs)

When vendors access your organization’s or customers’ data, it’s critical to ensure they have adequate controls in place to protect that data.  

A vendor’s SOC report provides details on the vendor’s controls and addresses whether those controls are designed appropriately and operated effectively during the audit period.  In some instances, the vendor needs the client (you) to implement certain controls in order for the provider’s controls to operate as designed. Those controls are called complementary user entity controls (CUECs) or user entity controls (UECs). 

Let’s review some of the basics of CUECs and look at what you need to do with them. 

Basics of Vendor CUECs

The CUECs are a control guide provided by your vendor to let you know that your organization has certain responsibilities to ensure your vendor’s products and services can meet service level agreements (SLAs) and terms related to areas like quality, integrity, availability, security, and privacy.  

Your controls in response to those CUECS must be suitably designed and operate effectively in combination with the vendor’s controls. 

Why are CUECs Necessary? 

The vendor makes that determination, generally at the service level. In some instances, the vendor determines that CUECs aren't necessary. Having no UECs or many UECs is neither positive nor negative. The number of CUECs for different vendors or services can vary from less than five to as many as 30 or more. 

In SOC 2 reports, CUECs support and are mapped to the applicable Trust Services Criteria of security, availability, processing integrity, confidentiality, and/or privacy. The vendor selects which Trust Services Criteria and defines the scope they’re examined against, in addition to the security criteria, which is required for all SOC 2 audits.

Common criteria controls are common to all five of the trust service categories. Controls can address common criteria or individual Trust Services Criteria. 

Note: SOC 1 reports do not address Trust Services Criteria. Instead, the vendor is tested on their defined internal controls and objectives that they have selected as being relevant to or impacting the financial operations of clients or customers.  

Related: Understanding the Differences Between a Vendor SOC 1, 2, 3 

How to Review Vendor CUECs

The auditor’s opinion, near the beginning of the SOC audit report, will let you know whether CUECs are required for the vendor to meet control objectives. You can usually find CUECs in the section of the SOC report that’s directly before the testing section.  

In some instances, the CUECs are integrated into the control testing section near the control objective that is related to the specific CUEC.  

Now that you have found the CUECs, here’s how to review them:

1. Determine which CUECs apply to you. All controls may not apply to all services addressed in the SOC report.
2. Review the CUECs and their associated control objectives to ensure context is understood. This should ideally be done by a qualified expert or a vendor risk management (VRM) subject matter expert. 
   
   If you do not understand a CUEC, contact your vendor representative and ask them to explain it in writing, so that it’s maintained within your VRM files. 
3. Determine which CUECs you are already addressing. For instance, CUECs related to access controls or incident reporting may already be documented and in place at your organization. You only need to refer to the applicable policy.
4. Assign each CUEC to a team/role for responsibility. This ensures that nothing gets lost. Assign responsibility to a role or team and not to a specific person so that personnel changes don’t result in a CUEC not being reviewed.
5. Address each applicable remaining CUEC. 
6. Record how each CUEC is addressed. Here are questions to ask:
   • Is this CUEC similar to any of your organization’s existing controls?
   • Who owns this control and takes responsibility for it?
   • How often is this control validated or tested for effectiveness?
7. Assess CUECs with each new SOC report or with any significant internal changes. 

Related: When to Request a Vendor SOC 1 vs SOC 2 Report 

Tips for Mapping and Completing Vendor CUECs

There’s no one-size fits all on how to document your response to CUECs. This should be determined by what works best for your organization. However, here’s some tips you can use for mapping and completing vendor CUECs: 

• Maintain documentation: CUECs may relate to organizational or departmental polices or protocols you already have in place, or to regulatory or contractual requirements you already have documented. You still need to document it again in a vendor-specific CUEC document.  
  
  Maintain the completed CUEC document in a central location, so that it’s readily available to auditors. 
• Prioritize CUECs during vendor onboarding: Take the time to get the CUECs properly documented during your first vendor due diligence cycle. CUECs don't generally change year after year, unless the vendor has major changes. For subsequent years, review your previously completed CUEC document(s) to ensure the vendor or your own entity hasn’t made changes that should be reflected in the CUEC documentation. Be sure to update the year/review period even if no changes are made from the previous year. 
• Assign to the correct person/department: Assigning vendor CUECs to your appropriate internal department ensures the right SME reviews and documents appropriate controls. Consider which department is the most knowledgeable about each control and who would be responsible for meeting the CUEC. 
• Involve subject matter experts (SMEs): Have a subject matter expert (SME) review the CUECs to determine which controls apply to the products or services your organization is using. Assigning implementation of the CUECs to the right SME provides the best assurance that the CUEC is effective.  
• Amend governance documentation: When mapping controls to your organization, make sure implemented activities are also included in your governance documentation to aid with consistency and accountability. 

CUECs are critical to implement to ensure your vendor’s control objectives are met. This protects your organization from some preventable vendor risks and gives your organization confidence that your vendor relationship is based upon mutual trust and communication. 

Struggling to make sense of SOC reports and CUECs? Take a look at Venminder’s Sample Vendor Control Assessments to see how we help simplify reviews and surface what matters most.