CUECs in SOC 2 - Are they needed?
In my post about the new #soc2 guide from the AICPA , I mentioned Complementary User Entity Controls (CUECs) and how they should be presented in a system description for SOC 2.
Many SOC 2 reports have presented CUECs as a laundry list of controls/activities that user entities (customers) of the service organization must have in place. The issue lies in the purpose of those controls. Often, many of these controls fall under what the guidance calls “user entity responsibilities” rather than CUECs.
So, what’s the difference??User entity responsibilities are activities that allow customers to benefit from use of the service/system, whereas CUECs are certain controls that customers have to perform in a defined manner in order for the service organization to meet commitments and/or system requirements.
OK, maybe in English this time??Let’s think about it with an example for each that I’ll paraphrase from the guide.
Think about SOC 2 criteria CC6.2, Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.
领英推荐
CC6.2 says that the system will register a user and issue credentials to that user after the customer supplies the service organization with a list of authorized users. Providing the service organization with a list of complete and accurate authorized users is necessary for the customer to benefit from the services/system, and therefore is a user entity responsibility. If the customer supplies the service organization with a list of authorized users and accidentally includes employees who should not have access, the service organization still meets CC6.2 and its service commitment to the customer because it is not the responsibility of the service organization to identify authorized users under CC6.2.
Another way to think about it would be let’s say if you order something from Amazon, who says the package will be there in 2 days.?But you haven’t updated your new address in Amazon, therefore the package didn’t make it to you for 6 days due to mail forwarding.?Amazon still met its commitment to getting the package to the address in their system in 2 days.?It was your responsibility to update your address in order to get that package delivered as soon as possible to your house.
To give an example of where CUECs would apply, let’s look at CC6.4, The entity restricts physical access to facilities and protected information assets to authorized personnel to achieve the entity's objectives.
A service organization may install portions of its infrastructure at a customer’s office (for example, servers or on-prem software installed at the customer’s office to support the transmission of files between the customer and the service organization). In these circumstances, to meet CC6.4, the customer needs to implement physical access controls to protect the components of the service organization's system located at the customer’s office.
Bottom line is, based on this line of thinking, there should be little to no CUECs in many SOC 2s. But, in the past, many SOC 2s have listed user entity responsibilities as CUECs for years, so it will be difficult to transition clients away from that thought process.?One way to consider it would be to list user entity responsibilities in the system description.?It is not required criteria under DC200, but there isn’t any reason a service organization cannot have that additional information in the description of how their system operates (which is also useful to the user entity/customer to get the most benefit).
If CUECs or SOC 2s are your thing, or if you just want to further the discussion, please feel free to reach out to me and let’s chat!
Internal Controls & SOX Compliance Leader
2 年Jeff Cook I have not read all of the comments, but are you saying that your perspective is applicable to SOC 2s only?
SOC 2 Auditor | Cybersecurity Compliance
2 年Are user responsibilities supposed to be called out in the system description? I think it would be a good idea to call out CUEC’s and user entity responsibilities in the system description. Otherwise, auditors will probably use this to just remove all CUECs and won’t list the responsibilities.
Manager, SOC Practice | IT Audit & Cyber Risk Advisory at risk3sixty
2 年Thanks for sharing this! I’m having a little trouble squaring something though and would love your insight: How does this play with the achievement of a Principal Service Commitment? Relating to your example on CC6.1, if the service org states that they’ll “maintain the confidentiality of all customer data” as one of their commitments, would it not require a CUEC that requires user entities to provide accurate user listings? The risk I see the control addressing is if an unauthorized user were to be onboarded (or not offboarded in time), that individual would then gain access to the customer’s info, and would thereby compromise the confidentiality of the customer data— which would lead to the service org failing to achieve their service commitment. Am I misunderstanding something? Again, thanks for sharing and I hope to hear your thoughts!
NASBA sponsored SOC 2 Specialist, helper of CPAs and clients, host of Business Birdies, both learner & teacher
2 年Mike DeKock inspired by your question the other day!
President & National Managing Principal @ Schellman | Cybersecurity, ESG, & Compliance
2 年Good points. I lost count of the number of "debates" I had with clients where the CUECs were not necessary to meet their principal service commitments. You're right, for most it was user responsibilities which you can still include but not make a commitment dependency. Most of the other conversations went back to a "our previous auditor did it this way" and/or ultimately tracing back to someone taking a SOC 1 approach for a SOC 2. Appreciate you and the team drawing attention to this in the guide.