Exams or Audits


Documenting Complementary User Entity Controls Internal from SOC Reports

  • 1.  Documenting Complementary User Entity Controls Internal from SOC Reports

    This message was posted by a user wishing to remain anonymous
    Posted 03-14-2025 10:09 AM

    Our auditors recently requested a memo/report that states we are implementing Complementary User Entity Controls from SOC reports. This is not something we do. Do other financial institutions have vendor reports or memos they document stating that CUECs from vendor SOC reports are implemented by their organizations? 



  • 2.  RE: Documenting Complementary User Entity Controls Internal from SOC Reports

    Posted 03-14-2025 10:59 AM

    So, we have a basic Excel form that is completed with each SOC report that is reviewed. The form is just a spreadsheet where the Risk Manager can list out the user consideration in one column and then the control that is in place to address the consideration.



    ------------------------------
    Michael C Papcunik Jr
    ------------------------------



  • 3.  RE: Documenting Complementary User Entity Controls Internal from SOC Reports

    Posted 03-14-2025 02:57 PM

    Was the request for all vendors, or specific ones like Critical or GLBA?

    Thank you 




  • 4.  RE: Documenting Complementary User Entity Controls Internal from SOC Reports

    Posted 03-14-2025 03:22 PM

    In recent years our external auditors have asked for our review of CUECs from critical vendors that fall within GLBA. I pull the CUECs from the SOC and provide them to the admin who is over that vendor, and they are expected to document the control(s) we have in place and return it to me by a due date. I do not have a separate form or memo. We document everything on the CUEC form (I create a PDF of the CUECs and then the admin just adds their comments within the doc next to each control).




  • 5.  RE: Documenting Complementary User Entity Controls Internal from SOC Reports

    This message was posted by a user wishing to remain anonymous
    Posted 03-17-2025 10:58 AM

    The request was for all vendors in general.




  • 6.  RE: Documenting Complementary User Entity Controls Internal from SOC Reports

    Posted 03-17-2025 10:59 AM

    We track CUECs and document whether they pertain to us and what our specific control for that item is. All of that is tracked within our Vendor Management software. Hope that helps :) 




  • 7.  RE: Documenting Complementary User Entity Controls Internal from SOC Reports

    This message was posted by a user wishing to remain anonymous
    Posted 03-17-2025 10:59 AM

    Thank you for your question. While it is not a universal practice for financial institutions to formally document a memo or report stating that they implement Complementary User Entity Controls (CUECs) from vendor SOC reports, many organizations do address this requirement in their vendor risk management and control frameworks.
    Typically, organizations review the CUECs outlined in vendor SOC reports to ensure that they align with internal controls and risk management practices. Some financial institutions may:
    1. Incorporate CUECs into Vendor Risk Assessments – Evaluating whether the organization has the necessary internal controls in place to support the vendor's SOC controls.
    2. Include CUECs in Control Documentation – If relevant, documenting the implementation of applicable CUECs within internal control matrices, risk assessment reports, or audit response documents.
    3. Address CUECs in Third-Party Risk Management Policies – Defining a process for assessing and fulfilling CUECs within vendor governance frameworks.
    4. Provide Assurance Through Internal Audit or Compliance Reports – Some institutions document their adherence to CUECs as part of compliance or audit reporting, particularly for regulatory or contractual obligations.
    If your organization does not formally document CUEC implementation, it may be beneficial to review your approach and determine if a structured process is needed to demonstrate how these controls are addressed. If auditors specifically request such a report, it may be helpful to clarify their expectations and whether an alternative method (e.g., a risk assessment or internal policy reference) would satisfy their requirements.




  • 8.  RE: Documenting Complementary User Entity Controls Internal from SOC Reports

    Posted 03-17-2025 11:01 AM

    Compiling a common list of SOC CUECs at the onset across our vendor ecosystem has added a lot of value, where we aligned internal control owners with each designated CUEC. We simply obtain an attestation indicating that these controls are adequately in place (existing providers), or would be in place post-contract (new providers) with future follow-up. Trying to extract every CUEC from the SOC report (unless AI capabilities are able to be used) can become overly time consuming and in some cases challenging when copying/pasting from password-protected documents. YoY we would focus only on documenting new CUEC changes from updated SOC reports for new or changing controls. Every auditor and org has a unique way of explaining CUECs, but they usually accomplish a common internal org control. By obtaining these attestations, it helps ensure control owners are aware of any additional effort which might be required pre/post contract signature, for adequate planning and alignment where proper action plans can be put in place in the event that there was not a control (yet).




  • 9.  RE: Documenting Complementary User Entity Controls Internal from SOC Reports

    This message was posted by a user wishing to remain anonymous
    Posted 03-17-2025 11:02 AM

    Based on past experiences, we used Excel spreadsheets on each occasion, pulling the CUECs from each SOC and then expecting the Relationship Managers/risk owners to identify the entity controls. A couple of different risk-based execution expectations were: 1) required identification of CUECs on an annual basis only for "Critical" vendors, and 2) required identification of CUECs on financially significant vendors only.




  • 10.  RE: Documenting Complementary User Entity Controls Internal from SOC Reports

    Posted 03-18-2025 10:56 AM

    Our review process involves several steps to ensure thorough evaluation and compliance. Initially, the vendor's SOC report is reviewed to identify any CUECs. These CUECs are then documented separately and assigned to the Relationship Manager and other relevant individuals for completion. The CTO is always included in these communications to provide oversight and ensure all necessary controls are in place. Additionally, we engage a third party to review Critical, GLBA, and Infrastructure vendors annually to ensure they meet our compliance standards and mitigate any potential risk.

    Please let me know if you have any questions or need further clarification. 




  • 11.  RE: Documenting Complementary User Entity Controls Internal from SOC Reports

    Posted 03-18-2025 12:31 PM

    From another list like this, I had an xls for the IT teams to complete (consistently) for responding to CUEC. Feel free to use it. When I actually deployed it, we moved the weighting and just had the questions answered.





  • 12.  RE: Documenting Complementary User Entity Controls Internal from SOC Reports

    Posted 03-18-2025 03:33 PM

    In section 1 of the checklist, I would suggest adding some wording as to the qualifications of the SOC auditor, such as:

    1) Is the SOC Auditor enrolled in the AICPA Peer Review Program?

    2) Has the AICPA Peer Review Report been reviewed, noting under Requested Selections and Considerations that the peer review firm examined the SOC auditor's SOC 1 and SOC 2 reports?




  • 13.  RE: Documenting Complementary User Entity Controls Internal from SOC Reports

    Posted 03-18-2025 03:24 PM

    Yes, our organization adopts a risk-based approach for all critical third parties and applications. CUECs ensure that specific controls are reviewed and implemented to maintain the effectiveness of the overall control environment. Even if certain controls are not required or implemented, the review process ensures they are thoroughly evaluated and considered.

    FFIEC guidance emphasizes that user entities must manage their own access controls and monitor activities to ensure compliance and security.