What are CUECs?
When a service organization designs its controls, it assumes the user entity will do certain things. A payroll processor assumes the client will review and approve payroll runs before they post. A fund administrator assumes the client will reconcile NAV calculations independently. The SOC report lists these assumptions as CUECs.
ISA 402.15 requires you to evaluate CUECs as part of your assessment of the service auditor's report. ISAE 3402.A8 confirms this from the service auditor's side: the system description must identify complementary user entity controls assumed in the design.
The practical consequence is direct. If the SOC 1 report lists a CUEC and your client does not operate it, the control objective that depends on it has a gap. You cannot rely on the SOC 1 report for that objective without addressing the CUEC. This is true even when the service auditor's opinion is unqualified.
Key Points
- CUECs appear in Section IV of a SOC 1 report and must be tested by the user auditor.
- If your client does not operate a listed CUEC, the related control objective at the service organization may not be met.
- Most inspection findings on service organizations relate to CUECs being ignored, not to the SOC report itself.
- A clean SOC 1 opinion does not mean the user entity's controls are adequate.
Worked example: Rheintal Maschinenbau GmbH
Client: German manufacturing subsidiary, FY2024, revenue €35M, HGB reporter. Uses an outsourced IT hosting provider (DataHaus AG) for its ERP system. DataHaus has a SOC 1 Type II report.
Read Section IV of the DataHaus SOC 1 report. The report lists four CUECs:
- The user entity must restrict logical access to the ERP application to authorised personnel only.
- The user entity must review access rights quarterly and remove terminated employees within 5 business days.
- The user entity must maintain segregation of duties between users who initiate transactions and users who approve them within the ERP.
- The user entity must perform daily reconciliation of data transmitted to and received from DataHaus.
Test CUEC 1
Obtain the ERP access list and compare it to the authorised user list maintained by IT management. Two former employees still have active accounts (both terminated in November 2024). This is a failure.
Test CUEC 2
Request evidence of quarterly access reviews. The client documented reviews for Q1 through Q3 but did not complete the Q4 review before year end.
Test CUECs 3 and 4
Obtain the segregation-of-duties matrix and the daily reconciliation logs. Both are operating as described.
Conclusion
Two of four CUECs are operating. Two have exceptions that require evaluation and potential expansion of substantive procedures. The SOC 1 report's clean opinion does not override these findings.
What reviewers and practitioners get wrong
The AFM has repeatedly flagged Dutch firms for failing to test CUECs. The issue is not that firms reject CUECs as irrelevant; they simply do not read Section IV of the SOC report. ISA 402.15 makes the evaluation mandatory.
Teams sometimes test CUECs at a point in time (year end only) rather than for the period of reliance. If the SOC report covers January through September and you tested CUECs only at December 31, you have no evidence that the client operated those controls during the same period the SOC report covered. ISA 402.12 requires evidence for the relevant period, not a single date.
CUECs vs service organization controls
| Dimension | CUECs | Service organization controls |
|---|---|---|
| Who operates them | The user entity (your audit client) | The service organization |
| Who tests them | The user auditor (you) | The service auditor (SOC report issuer) |
| Where they appear | Section IV of the SOC report | Section III of the SOC report |
| What happens if they fail | The related control objective may not be achieved despite a clean SOC opinion | The service auditor reports the exception in Section III |
Key standard references
- ISAE 3402.A8: Requires the system description to identify complementary user entity controls assumed in the design.
- ISA 402.15: Requires the user auditor to evaluate CUECs as part of the service organization assessment.
- ISA 402.12: Requires sufficient appropriate audit evidence for the relevant period of reliance.
Frequently asked questions
What happens if my client does not operate a listed CUEC?
If the SOC 1 report lists a CUEC and your client does not operate it, the control objective that depends on it has a gap. You cannot rely on the SOC 1 report for that objective without addressing the CUEC. This is true even when the service auditor's opinion is unqualified. You must document the gap and determine whether compensating controls or additional substantive procedures are needed.
Should CUECs be tested for a point in time or the full period?
CUECs must be tested for the period of reliance, not just at year end. If the SOC report covers January through September and you test CUECs only at December 31, you have no evidence that the client operated those controls during the same period the SOC report covered. ISA 402.12 requires evidence for the relevant period.