Reviewing your vendor's complementary user entity controls (CUECs) is a good first step, but at least in the financial industry, we're seeing examiners wanting to see how the controls were addressed within your organization as well. This is the process I always recommend:
- Review the CUECs and their associated control objectives to ensure context is understood.
- Determine which CUECs apply to you as not all will always apply.
- Assign each CUEC to a person/team/role for responsibility.
- Determine which CUECs are addressed already through:
  - Internal/External Audit.
  - Unwritten controls (if so, document it).
- Address each applicable, unaddressed CUEC.
- Record how each CUEC is addressed.
- Assess CUECs with each new SOC report or significant internal changes.
For organizations with a more mature internal audit program, you can map all of your vendor's CUECs to your internal control identifier. That way you can simply respond to each CUEC with your internal control identifier, simplifying the CUEC management process.
I'd like to hear how others are handling CUECs, both in and out of the financial institution space. What are your examiners and auditors asking for?