Due Diligence and Ongoing Monitoring

  • 1.  CUECs and Complementary User Entity Responsibilities

    This message was posted by a user wishing to remain anonymous
    Posted 08-14-2023 12:05 PM

    I have been reviewing SOC reports for the last 5 years and have not come across a vendor putting complementary user entity responsibilities in their SOC report until now. I am struggling to define the difference between them and complementary user entity controls. Can anyone explain? I have googled it but I am not having any good luck.



  • 2.  RE: CUECs and Complementary User Entity Responsibilities

    This message was posted by a user wishing to remain anonymous
    Posted 08-14-2023 05:46 PM

    Are they using both within the same report? They seem redundant and both are just things the customer needs to have in place when utilizing their service.




  • 3.  RE: CUECs and Complementary User Entity Responsibilities

    Posted 08-15-2023 08:45 AM
    It is likely style.  One of the SOC 2 criteria for communication requires the service organization to communicate user responsibilities both externally and internally.  Most do it through controls related to contracts, service level agreements, or user manuals.  Occasionally, I read reports where the control references the system description.
    Happy to look at the report.
    Al Tanju
    CPA, CISA, CISM
    Director of Cybersecurity

  • 4.  RE: CUECs and Complementary User Entity Responsibilities

    This message was posted by a user wishing to remain anonymous
    Posted 08-15-2023 10:04 AM

    In October 2022, the AICPA (which writes the rules on SOC reports) issued guidance on SOC reports, including clarification of CUECs.

    CUECs were intended to be controls the user entity had to have in place when the subservice organization could not meet its commitments and system requirements.  CUECs morphed into a "CYA" section of the SOC report and were erroneously labeled most of the time.

    In October 2022, the AICPA clarified that CUECs (as defined by the AICPA) should be rare, and what had been labeled "CUEC" were really UER (User Entity Requirement) - things the subservice organization has no control over but that the user entity should have in place to help ensure the best outcome.

    Going forward, many SOC reports will have UERs, but CUECs are unlikely to appear in SOC reports.

    That said, of the ~50 SOC reports we reviewed in the last 9 months, only 1 had UERs and the rest still had CUECs. Change is hard.