This message was posted by a user wishing to remain anonymous
In October 2022, the AICPA (who writes the rules on SOC reports) issued guidance on SOC reports including clarification of CUECs.
CUECs were intended to be controls the user entity had to have in place when the subservice organization could not meet its commitments and system requirements. CUECs morphed into a "CYA" section of the SOC report and were erroneously labeled most of the time.
In October 2022, the AICPA clarified that CUECs (as defined by the AICPA) should be rare, and what had been labeled "CUEC" were really UER (User Entity Requirement) - things the subservice organization has no control over but that the user entity should have in place to help ensure the best outcome.
Going forward, many SOC reports will have UER, but CUEC are unlikely to appear in SOC reports.
That said, of the ~50 SOC reports we reviewed in the last 9 months, only 1 had UER and the rest still had CUEC. Change is hard.
Original Message:
Sent: 08-14-2023 06:27 PM
From: Altan Tanju
Subject: CUEC's and Complementary User Entity Responsibilities
It is likely style. One of the SOC 2 criteria for communication requires the service organization to communicate user responsibilities both externally and internally. Most do it through controls related to contracts, service level agreements, or user manuals. Occasionally, I read reports where the control references the system description.
Happy to look at the report.
Director of Cybersecurity
Original Message:
Sent: 8/14/2023 4:44:00 PM
From: Anonymous Member
Subject: RE: CUEC's and Complementary User Entity Responsibilities
This message was posted by a user wishing to remain anonymous
Are they using both within the same report? They seem redundant and both are just things the customer needs to have in place when utilizing their service.
Original Message:
Sent: 08-14-2023 11:47 AM
From: Anonymous Member
Subject: CUEC's and Complementary User Entity Responsibilities
This message was posted by a user wishing to remain anonymous
I have been reviewing SOC reports for the last 5 years and have not come across a vendor putting complementary user entity responsibilities in their SOC report until now. I am struggling to define the difference between them and complementary user entity controls. Can anyone explain? I have googled it, but I am not having any good luck.