I have been reviewing SOC reports for the last 5 years and have not come across a vendor putting complementary user entity responsibilities in their SOC report until now. I am struggling to define the difference between them and complementary user entity controls. Can anyone explain? I have googled it, but I am not having any good luck.
Are they using both within the same report? They seem redundant and both are just things the customer needs to have in place when utilizing their service.
Original Message:
Sent: 08-14-2023 11:47 AM
From: Anonymous Member
Subject: CUEC's and Complementary User Entity Responsibilities
This message was posted by a user wishing to remain anonymous.
In October 2022, the AICPA (who writes the rules on SOC reports) issued guidance on SOC reports including clarification of CUECs.
CUECs were intended to be controls the user entity had to have in place when the subservice organization could not meet its commitments and system requirements. CUECs morphed into a "CYA" section of the SOC report and were erroneously labeled most of the time.
In October 2022, the AICPA clarified that CUECs (as defined by the AICPA) should be rare, and that what had been labeled "CUEC" were really UER (User Entity Requirements): things the subservice organization has no control over, but that the user entity should have in place to help ensure the best outcome.
Going forward, many SOC reports will have UER, but CUECs are unlikely to appear in SOC reports.
That said, of the ~50 SOC reports we reviewed in the last 9 months, only 1 had UER and the rest still had CUEC. Change is hard.
Original Message:
Sent: 8/14/2023 4:44:00 PM
From: Anonymous Member
Subject: RE: CUEC's and Complementary User Entity Responsibilities
This message was posted by a user wishing to remain anonymous.