What are CUECs?
Complementary User Entity Controls (CUECs) are controls that a service organization has assumed, when designing its own control system, would be implemented by the user entity. They appear in the service organization's ISAE 3402 report as a list of controls that user entities are expected to have in place for the service organization's controls to achieve their stated objectives.
The concept is straightforward: a service organization designs its controls under certain assumptions about what happens at the user entity's end. If the user entity does not implement the assumed controls, the service organization's controls may not fully mitigate the relevant risks.
For example, a payroll service provider may design its system assuming that the user entity reviews and approves payroll summary reports before posting journal entries. If the user entity does not perform that review, errors in payroll processing could flow into the financial statements undetected — even though the service organization's own controls are operating effectively.
Key Points
- CUECs are the user auditor's responsibility. The service auditor identifies and lists CUECs in the ISAE 3402 report, but testing them is entirely the user auditor's job. Failing to test CUECs means the user auditor cannot fully rely on the ISAE 3402 report.
- Assumed-in-design vs recommended. CUECs that are "assumed in the design" of the service organization's system are mandatory for the control objectives to be met. Recommended controls are supplementary suggestions and are not essential to the service organization's control design.
- Testing period matches the user entity's year. CUECs must be tested over the user entity's financial reporting period, not the ISAE 3402 report period. These periods may differ.
- Common CUECs include review of output reports, access management (adding/removing users), reconciliation of data between user entity and service organization systems, and authorization of input transactions.
Why it matters in practice
Worked example: Dekker Accountancy tests CUECs
Dekker Accountancy audits Van der Berg Logistics, which uses Horizon Payroll Services for payroll processing. Horizon's ISAE 3402 Type II report lists five CUECs. Dekker must test each one independently at Van der Berg Logistics.
- CUEC-01 — User access management. Van der Berg is responsible for promptly notifying Horizon when employees join or leave, so that payroll access and processing reflect current staff. Dekker tests this by selecting a sample of 25 joiners and leavers during the year and comparing notification dates to HR records. Result: all notifications sent within two business days. No exceptions.
- CUEC-03 — Payroll report review. Van der Berg must review the monthly payroll summary report produced by Horizon before posting journal entries. Dekker inspects 12 monthly reports for evidence of review (signature, date, annotations). Result: 11 of 12 reports show evidence of review. The April report has no signature. Dekker investigates and determines the review was performed but not documented — a documentation weakness, not a control failure.
- CUEC-05 — Bank reconciliation. Van der Berg must reconcile payroll bank payments to the payroll summary before authorizing the payment run. Dekker selects 12 monthly reconciliations and inspects each for completeness, accuracy, and timely preparation. Result: all 12 reconciliations completed within three business days of the payment run. No exceptions.
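As an added example that is not part of the original page, the following script automates the CUEC-01 test described above: for each sampled joiner or leaver it counts business days between the HR effective date and the date the notification was sent to the payroll provider, and reports any item outside the two-business-day criterion or with no notification evidence at all. The sample records and the rule that only weekends (not public holidays) are excluded are assumptions for illustration.

```python
"""CUEC-01 (user access management) test: each joiner/leaver must be
notified to the payroll provider within two business days of the HR
effective date. Sample records below are constructed, not real data."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

SLA_BUSINESS_DAYS = 2  # criterion taken from the worked example


@dataclass
class LifecycleEvent:
    employee_id: str
    event: str               # "joiner" or "leaver"
    hr_effective: date       # effective date per HR records
    notified: Optional[date]  # date notice sent to provider; None = no evidence


def business_days_between(start: date, end: date) -> int:
    """Count Mon-Fri days after `start` up to and including `end`.
    Assumption: weekends only; public holidays are not modelled.
    Advance notification (end <= start) counts as zero days late."""
    days, current = 0, start
    while current < end:
        current += timedelta(days=1)
        if current.weekday() < 5:  # 0..4 = Mon..Fri
            days += 1
    return days


def evaluate_cuec01(sample: List[LifecycleEvent],
                    sla: int = SLA_BUSINESS_DAYS) -> List[Dict[str, str]]:
    """Return one finding per sampled item that fails the control criterion."""
    findings = []
    for ev in sample:
        if ev.notified is None:
            findings.append({"employee_id": ev.employee_id,
                             "issue": "no notification evidence"})
            continue
        elapsed = business_days_between(ev.hr_effective, ev.notified)
        if elapsed > sla:
            findings.append({"employee_id": ev.employee_id,
                             "issue": f"{elapsed} business days exceeds SLA of {sla}"})
    return findings


# Constructed sample: 2024-03-04 is a Monday
SAMPLE = [
    LifecycleEvent("E001", "joiner", date(2024, 3, 4), date(2024, 3, 5)),    # 1 day
    LifecycleEvent("E002", "leaver", date(2024, 3, 8), date(2024, 3, 12)),   # Fri->Tue = 2
    LifecycleEvent("E003", "joiner", date(2024, 3, 13), date(2024, 3, 18)),  # 3 days: exception
    LifecycleEvent("E004", "leaver", date(2024, 3, 20), None),               # no evidence
]

if __name__ == "__main__":
    for finding in evaluate_cuec01(SAMPLE):
        print(finding)
```

A full 25-item sample, as in the worked example, would simply replace `SAMPLE` with the records exported from HR and the notification log.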
What reviewers catch
The most common CUEC-related finding in regulatory inspections is simple: the user auditor did not test CUECs at all.
- CPAB (Canada). Found that user auditors treated the ISAE 3402 report as complete assurance over the outsourced process without identifying or testing CUECs. The gap between the controls tested by the service auditor and the controls assumed at the user entity was not addressed.
- AFM (Netherlands). Noted that even when CUECs were identified, testing was often limited to inquiry rather than inspection or reperformance. Inquiry alone is insufficient for testing control operating effectiveness.
CUECs vs service organization controls
- Tested by. CUECs are tested by the user auditor; service organization controls are tested by the service auditor.
- Location. CUECs operate at the user entity; service organization controls operate at the service organization.
- Documented in. Both are documented in the ISAE 3402 report, but CUECs are listed separately as controls the service organization assumed would exist at the user entity.
- Consequence of failure. If CUECs are not implemented, the service organization's related controls may not achieve their objectives — even if those controls operated effectively in isolation.
Key standard references
- ISAE 3402.A36: The service organization's responsibility to identify complementary user entity controls that are assumed in the design of the system.
- ISA 402.15: The user auditor's responsibility to evaluate whether sufficient appropriate audit evidence is available from the ISAE 3402 report and from testing CUECs.
- ISA 402.A22-A23: Guidance on how user auditors should identify and test CUECs listed in the service organization's report.
- ISA 330.8: Designing and performing tests of controls — applicable to the user auditor's testing of CUECs at the user entity.
Frequently asked questions
What is the difference between assumed-in-design CUECs and recommended controls?
Assumed-in-design CUECs are controls that the service organization relied upon when designing its own control system. If the user entity does not implement them, the service organization's controls may not achieve their objectives. Recommended controls are suggestions that would enhance the overall control environment but are not essential to the service organization's control design. The user auditor must test assumed-in-design CUECs; recommended controls are optional.
What period must CUECs be tested over?
CUECs should be tested over the same period as the user entity's financial year. If the user entity's year-end is 31 December and the CUEC relates to monthly reconciliation reviews, the user auditor must obtain evidence that the control operated throughout the full year — not just at the point-in-time of the ISAE 3402 report. The testing period for CUECs is independent of the ISAE 3402 report period.
Who is responsible for testing CUECs — the service auditor or the user auditor?
The user auditor. CUECs are, by definition, controls that operate at the user entity level. The service auditor identifies and lists them in the ISAE 3402 report, but testing is the user auditor's responsibility. Failure to identify and test CUECs means the user auditor cannot fully rely on the ISAE 3402 report for their assessment of control risk over the outsourced process.