Key takeaways

  • CUECs are controls the service organisation assumes you will operate at the user entity. They appear in the ISAE 3402 report because the service organisation's control objectives depend on them.
  • The service auditor does not test CUECs. Testing them is your responsibility as the user entity auditor under ISA 402.15.
  • If a CUEC is not implemented, the control objective has not been achieved, and you need additional substantive procedures or may need to modify your opinion.
  • Regulators consistently flag missing or superficial CUEC testing as an audit quality issue.

What CUECs are and why they exist

A service organisation designs its control environment around an assumption: certain controls sit outside its boundary. The payroll processor assumes you'll approve the payroll run before it goes to the bank. The SaaS hosting provider assumes you'll revoke access for terminated employees. The fund administrator assumes you'll reconcile NAV statements against your own records. These assumptions are CUECs.

ISAE 3402.A14 requires the service organisation to identify CUECs in its system description when those controls are necessary, together with the service organisation's own controls, to achieve the stated control objectives. The word "necessary" matters. Not every responsibility a user entity has qualifies as a CUEC. Only those controls that the service organisation's control objectives actually depend on belong in the report.

The practical consequence for you as the user entity auditor: if the ISAE 3402 report lists CUECs, you cannot rely on the service auditor's opinion alone. The service auditor tested the service organisation's controls. Nobody tested yours. ISA 402.15 makes this your responsibility. You need to obtain evidence that the CUECs relevant to the assertions you're testing are designed and operating effectively at the user entity.

A report that lists no CUECs at all should raise questions. Most service organisations depend on at least some user-side controls. If the report omits them, the system description may be incomplete, and the service auditor's opinion covers a narrower scope than you assumed.

Where CUECs appear in an ISAE 3402 report

The standard does not prescribe a fixed location for CUECs. In practice, you'll find them in one of two places, sometimes both.

The first location is a dedicated subsection within the system description (often called "Complementary User Entity Controls" or "User Entity Responsibilities"). This is the most common format. The service organisation lists each CUEC alongside the control objective it supports.

The second is inline, embedded within each control objective section. Under this format, you'll see the service organisation's own controls first, followed by the CUECs that complete the control objective. This format makes mapping easier because you can see which service organisation controls pair with which CUECs, but it takes longer to extract a full CUEC inventory.

Build a CUEC register

Whichever format the report uses, your first step when reviewing a new ISAE 3402 report is to build a complete CUEC register. Pull every CUEC into a single list with the control objective reference it supports, so you can map each one to your audit assertions.

Common CUECs you will encounter in practice

CUECs vary by service type and industry, but certain categories recur across almost every ISAE 3402 report. Here are the four you will see most frequently.

Access management. The service organisation controls access to its own systems, but it relies on you to notify it when an employee leaves or changes role. ISAE 3402 reports for payroll providers and cloud hosting companies almost always include a CUEC requiring the user entity to communicate access changes promptly. The service organisation has no way to know your HR events. If you don't tell them, the former employee retains access.

Transaction authorisation. The service organisation processes transactions, but it assumes someone at the user entity authorised them before submission. A payroll provider expects that you reviewed and approved the payroll data file. A payment processor expects that the payment batch was approved by an authorised signatory. Without this CUEC, the service organisation has no basis for assuming the transactions it processes are valid.

Data integrity at input. The service organisation processes what you send it. If you send incomplete or inaccurate data, the output is unreliable regardless of how well the service organisation's controls work. CUECs in this category require you to perform reconciliations or validation checks on data before transmission. An investment fund administrator, for example, expects the fund manager to reconcile trade files against the order management system before uploading them.

Monitoring and reconciliation of output. The service organisation delivers processed output (payroll reports, NAV calculations, claims summaries, tax filings), and the CUEC requires you to reconcile that output against your own records. This is the control that catches processing errors the service organisation's own controls missed. Skipping it means you have no independent check on the accuracy of the outsourced process.

How to test CUECs as the user entity's auditor

Testing CUECs follows the same logic as testing any other internal control at the user entity. ISA 402.16 does not create a separate methodology. You're applying ISA 330 to controls that happen to appear in an ISAE 3402 report rather than in the entity's own control documentation.

Start by identifying which CUECs are relevant to your audit. Not all CUECs will be. If the user entity outsources payroll processing and the ISAE 3402 report lists eight CUECs, but your audit assertions only cover payroll expense completeness and accuracy, you may only need to test four of them. Map each CUEC to your assertion matrix before deciding on scope.

For each relevant CUEC, determine whether management has actually implemented it. This sounds obvious, but it fails more often than you'd expect. Ask management to show you the control, not describe it. Request the access revocation log, the payroll approval email trail, the reconciliation workpaper. If management cannot point you to evidence that the CUEC exists as an operating control, you have a control deficiency before you've even tested effectiveness.

Once you've confirmed the control exists, test it like any other control. For a CUEC requiring access notifications within 48 hours of termination, select a sample of leavers from HR records and trace each one to the notification sent to the service organisation. Check the date. If the notification was sent five weeks late, the CUEC was not operating effectively for that period, and you need to consider whether additional substantive procedures are necessary.

Sample sizes for CUEC testing follow your normal ISA 530 approach. If the CUEC operates daily (like transaction authorisation before payroll submission), you'll need a larger sample than for a CUEC that operates monthly (like reconciliation of output to source records). The frequency and nature of the control drive the sample, not the fact that it originated from an ISAE 3402 report.

Document your CUEC testing in a separate section of your ISA 402 workpaper, or cross-reference it to the relevant assertion workpaper. Either approach works, but the key point is traceability. An inspection reviewer needs to see that you identified the CUECs, assessed which ones were relevant, tested them, and evaluated the results. A vague reference to "controls at the user entity are in place" will not survive review.

What happens when CUECs are not implemented

Sometimes you discover that the user entity has not implemented one or more CUECs at all. The payroll input data was never formally approved before submission. The access revocation process doesn't exist. Nobody reconciles the service organisation's output to source records.

This is not a footnote. If a CUEC is necessary (in combination with the service organisation's controls) to achieve a control objective, and the user entity has not implemented it, then that control objective has not been achieved. The service organisation's controls alone are not designed to meet the objective without the CUEC. You cannot rely on the service auditor's opinion to cover the gap, because the opinion explicitly assumes the CUECs are in place.

Your options depend on the significance of the gap. If the missing CUEC relates to a control objective that supports a significant assertion, you need to perform additional substantive procedures under ISA 330.8 to obtain sufficient appropriate audit evidence. In the payroll example, if nobody approved input data before submission to the service organisation, you might need to test a larger sample of payroll transactions against HR records, employment contracts, and approved salary schedules to satisfy yourself that the payroll expense is free from material misstatement.

If the gap is pervasive and you cannot obtain sufficient evidence through alternative procedures, ISA 705.8 requires you to consider modifying your opinion. A scope limitation arising from the inability to test a CUEC (or the inability to compensate for its absence) can lead to a qualified opinion or a disclaimer of opinion, depending on the materiality and pervasiveness of the issue.

You also have a communication obligation. ISA 265.8 requires you to communicate significant deficiencies in internal control to those charged with governance. A missing CUEC that the ISAE 3402 report identified as necessary for a control objective is, by definition, a significant deficiency. Do not wait until the management letter. Communicate it during the audit so management has time to implement the control before the next reporting period.

Worked example: testing CUECs at Hoekstra Payroll Services B.V.

Hoekstra Payroll Services B.V. processes payroll for 340 clients across the Netherlands. Your audit client, Vossen Logistics B.V. (€67M revenue, 1,200 employees), outsources its entire payroll function to Hoekstra. You've obtained Hoekstra's ISAE 3402 Type II report for the period 1 January 2025 to 31 December 2025.

The report lists six CUECs. Two are relevant to your payroll assertions (completeness and accuracy of payroll expense, existence of payroll liabilities).

CUEC 1: payroll input approval

"User entities are responsible for reviewing and approving payroll input data before submission to Hoekstra, including new hires, terminations, salary changes, and variable compensation."

Testing approach: You select a sample of 25 payroll periods from the year. For each period, you request the payroll input file Vossen submitted to Hoekstra and the corresponding approval (email from HR manager or digital approval stamp in the payroll portal). You verify that the input file was approved before the submission deadline.

Result: 23 of 25 periods show timely approval. Two periods in August show approval stamps dated after the submission date (approved retroactively). You document this as a control deviation and assess whether the payroll data for those two periods contains errors by performing a substantive reconciliation of gross pay to approved salary records.

Documentation note

CUEC 1 tested per ISA 402.16. Two deviations identified (August periods 15 and 16, retroactive approval). Substantive reconciliation of gross pay to HR master data for both periods identified no misstatements. Deviation does not indicate a systemic failure but should be communicated to management under ISA 265.A7.

CUEC 4: termination notification

"User entities are responsible for notifying Hoekstra of employee terminations within five business days to ensure timely cessation of payroll processing and system access revocation."

Testing approach: You obtain the HR termination register for 2025 (48 terminations). You select 15 terminations spread across the year. For each, you compare the termination effective date to the date Vossen sent the termination notification to Hoekstra (via the portal's notification log or email confirmation).

Result: 12 of 15 notifications were sent well within five business days. One notification was sent eight business days after the termination date, three business days past the threshold (a mid-level logistics coordinator who left in March). Two notifications were sent on business day five, at the threshold but within it. For the late notification, you check whether payroll was processed for that employee after the termination date. Hoekstra processed one additional pay cycle (March) before the notification arrived. You quantify the overpayment at €3,870 gross and trace the recovery to accounts receivable.

Documentation note

CUEC 4 tested per ISA 402.16. One deviation (March termination, notification 3 business days late). Overpayment of €3,870 identified, subsequently recovered in April via accounts receivable. Projected misstatement below clearly trivial threshold (€18,000). No further procedures required. Communicated to management per ISA 265.

Inspection findings related to CUECs

Regulators and quality reviewers flag CUEC failures consistently. The AFM (Netherlands Authority for the Financial Markets) has identified CUEC testing gaps in multiple inspection cycles. The most common findings fall into two categories.

The first is that the engagement team never identified or tested CUECs at all. The audit file contains the ISAE 3402 report, the service auditor's opinion is unqualified, and the engagement team treated that as sufficient. It is not sufficient. The service auditor's opinion does not extend to the CUECs. ISA 402.15 explicitly requires you to determine whether the CUECs are relevant and, if they are, to obtain evidence about their operating effectiveness.

The second is superficial testing. The engagement team asked management whether the controls were in place, received a verbal confirmation, and documented "management confirmed CUECs are operating effectively." This does not meet the evidence threshold under ISA 500.A5. You need to inspect the actual evidence of the control operating (the log, the approval, the reconciliation), not accept management's representation that it happened.

Both findings lead to the same consequence: the audit opinion on the financial statements rests on an untested assumption. If the CUEC wasn't operating, the service organisation's control objectives may not have been achieved, and your reliance on the ISAE 3402 report is misplaced.

How CUECs connect to ISA 402

ISA 402 governs how you, as the user entity auditor, use the work of a service organisation and its service auditor. CUECs sit at the intersection of ISA 402 and your broader risk assessment under ISA 315.

ISA 402.8 requires you to obtain an understanding of the nature and significance of the services provided by the service organisation and their effect on internal control relevant to the audit. CUECs are part of that understanding. They tell you where the service organisation's control boundary ends and where the user entity's responsibility begins.

ISA 402.15 then requires you to determine whether sufficient appropriate audit evidence is available about the relevant financial statement assertions. If the user entity has not implemented the CUECs, or if they're not operating effectively, the service organisation's controls alone may be insufficient to support your assertions. You'll need additional substantive procedures to close the gap, or you may need to consider the implications for your audit opinion under ISA 705.

Mapping the relationship: the ISAE 3402 parent guide covers how the report works from the service auditor's perspective. The carve-out vs inclusive method page explains how subservice organisations affect the report's scope. And the ISA 402 guide covers the user entity auditor's full set of responsibilities. CUECs are the thread that connects all of them: what the service organisation assumes you'll do, and what you need to prove you did.


Frequently asked questions

What are complementary user entity controls (CUECs)?

CUECs are controls that a service organisation assumes the user entity will operate on its end. They appear in the ISAE 3402 report because the service organisation's own controls cannot fully achieve the stated control objectives without them. ISAE 3402.A14 requires the service organisation to identify CUECs when they are necessary, together with the service organisation's controls, to meet control objectives.

Where do CUECs appear in an ISAE 3402 report?

CUECs typically appear in one of two places: a dedicated subsection within the system description (often titled "Complementary User Entity Controls" or "User Entity Responsibilities"), or inline within each control objective section alongside the service organisation's own controls. Either way, your first step when reviewing a new report should be to build a complete CUEC register.

What happens if a user entity hasn't implemented CUECs?

If a CUEC is necessary to achieve a control objective and the user entity has not implemented it, that control objective has not been achieved. You cannot rely on the service auditor's opinion to cover the gap. You will need additional substantive procedures under ISA 330.8, and if the gap is pervasive, ISA 705.8 may require you to modify your audit opinion.

How do you test CUECs as the user entity auditor?

Testing CUECs follows standard ISA 330 methodology. Identify which CUECs are relevant to your audit assertions, confirm management has implemented each one by requesting evidence, then test operating effectiveness using appropriate sample sizes per ISA 530. Document your testing in your ISA 402 workpaper with full traceability.

Further reading and source references

  • ISAE 3402.A14: Requirement for service organisations to identify CUECs in the system description.
  • ISA 402.15–16: User entity auditor's responsibility to evaluate and test CUECs.
  • ISA 330.8: Responses to assessed risks, including additional substantive procedures when controls are deficient.
  • ISA 265.8: Communication of significant deficiencies in internal control to governance.
  • ISA 705.8: Modifications to the auditor's opinion when sufficient evidence cannot be obtained.