
What Are Complementary User Entity Controls (CUECs) & Why Do They Matter?
As a service provider undergoing a SOC audit, your organization invests significant time and effort into designing and implementing robust internal controls to protect your systems and meet your service commitments. But even the most secure control environment relies on one critical component that’s often outside your control: your customers.
That’s where complementary user entity controls (CUECs) come in.
When you assume certain responsibilities will be carried out by your customers—like managing user access or securing endpoints—you need to document those assumptions clearly. These are known as complementary user entity controls (CUECs), and they play a vital role in how your controls are evaluated against SOC requirements.
What is a CUEC?
A complementary user entity control (CUEC) is a control that a service provider expects its customers (i.e., user entities) to implement in order for the service provider’s system and services to function securely and effectively.
In a SOC report, you—the service provider—outline your system controls, but you also identify areas where shared responsibility exists. You may be responsible for securing your infrastructure, monitoring for intrusions, and encrypting data in transit, for example, but you likely rely on user entities to enforce strong password policies, regularly review access rights, or configure the security settings you offer. These customer responsibilities are documented as CUECs in the SOC report.
Since CUECs are assumed in the design of many controls at the service provider, they are an important disclosure in SOC 1, SOC 2, and SOC 3 reports — but they are not required to be implemented by the service provider itself. Rather, they must be clearly communicated so user entities can implement them to rely on the controls.
Let’s take a closer look at the importance of CUECs below.
Why are CUECs important?
CUECs are important because they:
- Clarify shared responsibilities: CUECs specify which internal control requirements are the responsibility of the user entity rather than the service provider. In other words, documenting CUECs helps both the service provider and the customer understand who is responsible for which controls. This kind of transparent communication about shared responsibilities enables you and your customers to each manage your own risk.
- Enable accurate audits: As part of the SOC audit process, your independent auditor will evaluate whether your controls are suitably designed and operating effectively to meet your service commitments and system requirements. If your control environment assumes certain user behaviors or configurations, those assumptions must be made explicit as CUECs. This enables auditors reviewing a SOC report to understand which parts of the control environment are the responsibility of the user entities and not yours.
- Affect the usefulness of the SOC report: If a service provider fails to clearly define its CUECs, it can lead to misunderstandings about the shared responsibilities required for controls to function as intended. The service provider can still receive an unqualified opinion if its own controls are effective and its CUECs are properly disclosed, but failing to define or communicate them may limit how useful the SOC report is to user entities. It is then the responsibility of each user entity to assess and implement the required CUECs on its end.
Now that we broadly understand what CUECs are and why they’re important, let’s take a look at some specific examples.
CUEC examples
While CUECs vary depending on your service, control environment, and industry, here are some common examples:
- User entities must configure multi-factor authentication (MFA) for their users.
- User entities must maintain up-to-date endpoint protection on devices accessing your service.
- User entities must disable former employee accounts in a timely manner.
- User entities must regularly review and update user permissions.
- User entities must configure IP allowlisting where offered.
These controls may not be within the service provider’s operational scope, but they are critical dependencies for the system to function securely as intended.
CUECs in a SOC 2 Report
Your SOC 2 report includes a specific section where these customer responsibilities are outlined. It’s typically titled "Complementary User Entity Controls" or something similar.
This section lists the customer actions or controls assumed in your system design. Your auditor takes these assumptions into account when assessing whether your controls meet the applicable Trust Services Criteria for security, availability, processing integrity, confidentiality, or privacy.
For your customers, this section is critical reading. It helps them understand their role in maintaining control effectiveness and aligning with their own compliance obligations.
Want to see how CUECs are documented in a SOC 2 report? Download our illustrative SOC 2 report example. The section on Complementary User Entity Controls begins on page 15 and includes real-world examples of how to clearly define customer responsibilities.
How to enable customers to implement CUECs
To help your customers act on their responsibilities, consider:
- Explaining the CUEC section of your SOC report and what’s expected of them
- Highlighting CUECs in onboarding materials and documentation
- Incorporating reminders into your admin dashboards or user interface
- Assigning an owner at the user entity to be responsible for managing and reviewing each CUEC
- Providing guidance or best practices for implementing each CUEC
- Offering periodic training or webinars
- Revisiting CUECs before you renew contracts, conduct security reviews, or undergo audits
- Mapping controls from your customer’s control environment to your CUEC requirements
While CUECs are a required part of your SOC 2 report, proactively communicating them can reduce confusion, strengthen partnerships, and improve overall security outcomes.
How Secureframe can simplify SOC 2 compliance
In today’s interconnected digital ecosystem, compliance and security are shared responsibilities.
Complementary user entity controls define security practices that are your customers’ responsibilities when using your services. These are a key piece of your overall control environment and your SOC 2 report. By designing your controls with CUECs in mind and clearly communicating them to your customers, you demonstrate maturity, transparency, and a deep understanding of shared responsibility.
Secureframe can simplify the SOC 2 compliance process so you have peace of mind going into your audit. Secureframe provides:
- Continuous monitoring with automated remediation: Detect misconfigurations in real time and get auto-generated, environment-specific remediation guidance to fix issues faster.
- Automated evidence collection: Automatically collect and organize audit-ready evidence via our 300+ native integrations to reduce manual work and simplify audits.
- Policy management: Access auditor-approved policy templates, customize them for your organization, and easily manage distribution and tracking.
- Personnel and access management: Track employee security training, automate policy acknowledgments, and streamline offboarding processes.
- AI-powered risk management: Identify, prioritize, and monitor risks using smart, AI-driven insights and automated assessments.
- Vendor risk management: Centralize vendor assessments, track compliance status, and manage third-party access in one place.
- Automated asset inventory: Maintain an up-to-date inventory of assets for improved visibility and continuous monitoring.
- Expert, end-to-end support: Work with a dedicated team of compliance experts, including former auditors, for hands-on guidance before, during, and after your audit.
- Trusted audit partner network: Get connected with top-tier SOC 2 audit firms for a smoother, more efficient audit experience.
To see how 95% of Secureframe users save time and resources obtaining and maintaining compliance, schedule a demo.