User Entity Responsibilities for Complementary User Entity Controls (CUECs)

Which of the following is a responsibility of user entity management over complementary user entity controls (CUECs)?

A. Implement CUEC(s) that address each control deemed necessary by the service organization for each relevant control objective. B. Obtain an understanding of the CUEC(s) designed and implemented by the service organization. C. Implement CUEC(s) exactly as specified by the service organization for each relevant control objective. D. Confirm that the service auditor’s report provides an opinion on the operating effectiveness of the CUEC(s).

The correct answer is B. Obtain an understanding of the CUEC(s) designed and implemented by the service organization.

User entities are responsible for understanding the CUECs implemented by the service organization. This includes understanding the purpose, design, and operation of the controls. User entities need this understanding to:

• Assess the impact of CUECs on their own control environment.
• Determine if additional controls are needed within their organization.
• Effectively use the information provided by the service organization in their own risk assessments and control monitoring activities.