CUECs & CSOCs, Explained
Complementary user entity controls (CUECs) are the controls a SOC report assumes you, the customer, operate. Complementary subservice organization controls (CSOCs) are the controls assumed of a carved-out vendor. Miss either, and the assurance in the report does not fully apply to you.
Defined in the AICPA attestation standards. Both concepts come from the standards behind SOC 1 (AT-C section 320) and SOC 2, and appear in management’s system description in every report.
Plain-English explainer · Applies to SOC 1 & SOC 2 · Last reviewed July 2026
CUECs (complementary user entity controls) are controls that a service organization’s SOC report assumes its customers operate at their own end; CSOCs (complementary subservice organization controls) are controls assumed to be operated by a vendor the service organization itself relies on. Both appear in management’s description of the system in SOC 1 and SOC 2 reports because some control objectives can only be achieved in combination: the service organization does its part, the customer does theirs, and carved-out vendors do theirs. Since SSAE 18, the standards are strict that these lists contain only controls that are genuinely necessary to achieve the stated control objectives — not generic best-practice recommendations. That makes them short, specific, and worth reading: they are the parts of the assurance story that the service auditor did not test.
The Two Concepts
Complementary Controls: Yours and Your Vendor’s
A SOC report never claims the service organization controls everything. Control objectives are achieved by up to three parties together (the service organization, its user entities, and any carved-out subservice organizations), and the report names the other two.
CUECs — Complementary User Entity Controls
Controls the service organization assumes its customers (user entities) operate at their own end, because the control objectives cannot be met by the service organization alone. Example: a payroll processor assumes the client reviews and approves payroll input before submitting it.
CSOCs — Complementary Subservice Organization Controls
Controls assumed to be in place at a subservice organization the service organization relies on — most commonly a cloud or data-centre provider under the carve-out method. Example: physical access to servers is controlled by the hosting provider, not the SaaS company.
A concrete SOC 1 example: a payroll processor’s control objective is that payroll is processed completely and accurately. The processor validates and calculates (its controls), but it cannot know whether the hours submitted were right — so “client reviews and approves payroll input before submission” is a CUEC. And if the processor runs on a carved-out cloud provider, “physical and environmental protection of production infrastructure” is a CSOC.
Subservice Organizations
Carve-Out vs Inclusive Method
When a service organization depends on another vendor — a subservice organization — management must choose how that vendor appears in the report. The attestation standards allow exactly two treatments.
Carve-out method
- The subservice organization’s services are identified in the system description, but its controls are excluded from the description and from the auditor’s testing.
- The report lists the CSOCs the service organization relies on the subservice organization to perform.
- Report readers close the gap by obtaining the subservice organization’s own SOC report (e.g. the cloud provider’s SOC 1/SOC 2).
- This is by far the more common method — it does not require the subservice organization’s participation in the audit.
Inclusive method
- The subservice organization’s relevant controls are included in the system description and tested by the service auditor.
- Requires the subservice organization to cooperate: provide a management assertion, written representations, and access for testing.
- Gives report readers fuller, single-document coverage — no separate vendor report to chase.
- Rarer in practice, and generally impractical when the subservice organization is a hyperscale provider like AWS, Azure, or GCP.
For Report Readers
What To Actually Do With Them
- Find the CUEC list in the system description (and any CUEC-related wording in the auditor’s opinion), then map every CUEC to a named internal control, owner, and evidence source at your organization.
- Keep the mapping current — your financial-statement auditor can ask for it when they rely on the SOC 1, and enterprise customers increasingly ask for it during vendor reviews.
- List the carved-out subservice organizations, obtain each one’s own SOC report, and check its period, scope, and exceptions cover the CSOCs your vendor relies on.
- Check the report period against your fiscal year — if there’s a gap, ask the service organization for a bridge letter covering the interim months.
- If you cannot operate a listed CUEC, raise it with the service organization: either a compensating control on your side or a scope conversation on theirs.
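The reader checklist above (map every CUEC to a control, owner and evidence source; confirm each carved-out vendor's report covers the CSOCs and period you rely on; spot the months a bridge letter must cover) is easy to script once you hold the lists as data. The following is an added example, not code from this page or from any SOC tooling; the CUEC, CSOC and report records are constructed for illustration, and the names (`CUEC-1`, `CloudCo`, `PAY-04`, the `exception_areas` field) are assumptions rather than identifiers from a real report.

```python
"""Checks for relying on a SOC report: CUEC mapping completeness,
CSOC coverage by subservice-organization reports, and bridge-letter gaps.
All sample data below is constructed for illustration, not from a real report."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Cuec:
    cuec_id: str
    text: str


@dataclass(frozen=True)
class Mapping:
    cuec_id: str
    control_id: str   # id in your own control register (hypothetical ids below)
    owner: str
    evidence: str     # where proof that the control operated is kept


@dataclass(frozen=True)
class Csoc:
    csoc_id: str
    subservice_org: str
    area: str         # control area the service org relies on the vendor for


@dataclass(frozen=True)
class SubserviceReport:
    org: str
    start: date
    end: date
    exception_areas: frozenset  # areas with testing exceptions in that report


def unmapped_cuecs(cuecs, mappings):
    """CUEC ids lacking a mapping that names a control, an owner and an evidence source."""
    complete = {m.cuec_id for m in mappings if m.control_id and m.owner and m.evidence}
    return sorted(c.cuec_id for c in cuecs if c.cuec_id not in complete)


def csoc_gaps(csocs, reports, period_start, period_end):
    """For each CSOC, require a report from that subservice org whose period covers the
    service organization's whole report period and has no exception in the relied-upon area."""
    by_org = {}
    for r in reports:
        by_org.setdefault(r.org, []).append(r)
    gaps = []
    for c in csocs:
        candidates = by_org.get(c.subservice_org, [])
        if not candidates:
            gaps.append((c.csoc_id, "no subservice report obtained"))
            continue
        covering = [r for r in candidates if r.start <= period_start and r.end >= period_end]
        if not covering:
            gaps.append((c.csoc_id, "subservice report does not cover the full period"))
            continue
        if all(c.area in r.exception_areas for r in covering):
            gaps.append((c.csoc_id, "exception reported in relied-upon area"))
    return gaps


def bridge_letter_gaps(report_start, report_end, fy_start, fy_end):
    """Date ranges inside the fiscal year that the report period leaves uncovered."""
    if report_end < fy_start or report_start > fy_end:   # no overlap at all
        return [(fy_start, fy_end)]
    gaps = []
    if fy_start < report_start:
        gaps.append((fy_start, report_start - timedelta(days=1)))
    if fy_end > report_end:
        gaps.append((report_end + timedelta(days=1), fy_end))
    return gaps


# Constructed sample: a payroll processor's SOC 1 for 1 Jan - 30 Jun 2026.
SAMPLE_CUECS = [
    Cuec("CUEC-1", "Client reviews and approves payroll input before submission"),
    Cuec("CUEC-2", "Client restricts payroll portal access to authorised staff"),
]
SAMPLE_MAPPINGS = [
    Mapping("CUEC-1", "PAY-04", "Payroll manager", "Monthly approval log"),
    Mapping("CUEC-2", "IAM-07", "IT access admin", ""),   # evidence source not yet named
]
SAMPLE_CSOCS = [
    Csoc("CSOC-1", "CloudCo", "physical security"),
    Csoc("CSOC-2", "CloudCo", "environmental protection"),
    Csoc("CSOC-3", "DCHost", "physical security"),        # no report obtained from DCHost
]
SAMPLE_REPORTS = [
    SubserviceReport("CloudCo", date(2025, 10, 1), date(2026, 9, 30),
                     frozenset({"environmental protection"})),
]


def run_checks():
    """Run all three checks on the constructed sample and return the findings."""
    start, end = date(2026, 1, 1), date(2026, 6, 30)
    return {
        "unmapped_cuecs": unmapped_cuecs(SAMPLE_CUECS, SAMPLE_MAPPINGS),
        "csoc_gaps": csoc_gaps(SAMPLE_CSOCS, SAMPLE_REPORTS, start, end),
        "bridge_letter": bridge_letter_gaps(start, end, date(2026, 1, 1), date(2026, 12, 31)),
    }


if __name__ == "__main__":
    for name, finding in run_checks().items():
        print(f"{name}: {finding}")
```

On the sample, `CUEC-2` is flagged because its mapping names no evidence source, `CSOC-2` is flagged because the only CloudCo report carries an exception in the very area relied upon, `CSOC-3` because no DCHost report was obtained, and the second half of the fiscal year is returned as the range a bridge letter has to cover. The period check is deliberately strict (the vendor's report must span the whole service-organization period); if you accept a shorter vendor period plus the vendor's own bridge letter, relax `covering` accordingly and record that decision in the mapping.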
For service organizations drafting a description, the discipline runs the other way: keep the CUEC list short and genuinely necessary, name your subservice organizations and chosen method explicitly, and revisit both at every audit cycle. Vague or bloated CUEC lists are one of the most common findings we see in SOC 1 readiness work.
CUECs & CSOCs — Common Questions
The questions report readers and service organizations ask most.
What are CUECs in a SOC 1 report?
CUECs (complementary user entity controls) are controls that management’s description of the system assumes user entities — the service organization’s customers — have in place, because they are necessary, in combination with the service organization’s own controls, to achieve the stated control objectives. A typical SOC 1 example is the client approving payroll input before submission. The service auditor does not test CUECs; each customer is responsible for operating them.
What is the difference between CUECs and CSOCs?
Direction. CUECs are controls assumed of the customer (user entity) reading the report. CSOCs (complementary subservice organization controls) are controls assumed of a vendor the service organization itself uses — a subservice organization carved out of the report, such as a cloud or data-centre provider. Readers cover CUECs by operating them internally, and cover CSOCs by obtaining the subservice organization’s own SOC report.
What is the carve-out method vs the inclusive method?
They are the two permitted ways to handle a subservice organization. Under the carve-out method, the vendor’s services are identified but its controls are excluded from the description and testing, and the report lists CSOCs instead. Under the inclusive method, the vendor’s relevant controls are included in the description and tested by the service auditor, which requires the vendor’s active cooperation (including its own management assertion). Carve-out is far more common, especially for hyperscale cloud providers.
Do CUECs apply to SOC 2 reports too?
Yes. The concept appears in both SOC 1 and SOC 2. In SOC 1 the reference point is the control objectives relevant to financial reporting; in SOC 2 it is the applicable Trust Services Criteria and the service organization's service commitments and system requirements. In both cases, the report's assurance assumes the listed user-entity controls are actually operating at the customer.
Who tests CUECs?
Nobody, within the SOC examination itself — that is the point. The service auditor’s opinion explicitly assumes CUECs are suitably designed and operating at the user entities. The user entity (and, for SOC 1, its financial-statement auditor) is responsible for confirming those controls exist and operate on its side. That is why a CUEC-to-internal-control mapping is standard practice when relying on a SOC report.
What happens if we can’t meet a CUEC?
The related control objective may not be achieved for your organization even though the report is clean, so the reliance you (or your auditor) can place on the report is reduced. Practical options: implement the control, put a compensating control in place and document the rationale, or discuss with the service organization whether its controls can absorb the gap. Since SSAE 18, CUEC lists should contain only necessary controls — so a listed CUEC should never be treated as optional.