By Anthony Sebastiani, Manager, Thomas J. DeMayo, Partner and Victor Peña, Partner
Key Takeaways
1. Complementary user-entity controls (CUECs) are essential for broker-dealers to fully rely on the Service Organization Control (SOC) report of a third-party provider.
These controls must be implemented at the user entity level to ensure the effectiveness of the service organization’s internal controls as described in the SOC report.
2. Failure to implement CUECs can expose broker-dealers to operational, financial and regulatory risks.
By actively maintaining and testing these controls, firms can strengthen data accuracy, support compliance and reduce audit burden through better alignment with regulatory expectations.
3. Broker-dealers should inventory, document, test and communicate their complementary user-entity controls to close compliance gaps and enhance oversight.
Clear control ownership, ongoing monitoring and stakeholder training help build a reliable control environment and reinforce the broker-dealer’s role in safeguarding data integrity.
In today’s tightly regulated financial landscape, broker–dealers rely heavily on third-party service organizations to process transactions, maintain ledgers and safeguard client assets. A Service Organization Control (SOC) report evaluates a provider’s internal controls—but tells only half the story. To gain full assurance over data accuracy and completeness—critical for mitigating risks, maintaining compliance and driving operational efficiency—broker–dealers must understand and implement the complementary user-entity controls (CUECs) outlined in their service organizations’ SOC reports. Without them, the SOC report’s controls cannot be fully relied upon.
Complementary User-Entity Controls Defined
Complementary user-entity controls are those the service organization expects its clients (the “user entities”) to have in place to support the effectiveness of the service organization’s controls. For example, a clearing agent might require a broker–dealer to reconcile position reports or maintain proper user access procedures. Without these user-entity controls, the service provider’s controls may not function as intended—even if they’re included in the SOC report.
Why Knowledge of CUECs Matters
- Data Integrity and Completeness
By understanding and executing CUECs—such as daily reconciliations, system access reviews and exception-handling protocols—broker-dealers close gaps that could lead to incomplete trade data, unrecorded cash movements or misstatements in regulatory filings.
- Risk Mitigation and Regulatory Compliance
Regulators expect firms to govern both third-party risk and internal controls. Failure to implement CUECs can expose a broker–dealer to operational breakdowns, financial losses or regulatory penalties. Adhering to CUECs demonstrates that the firm is serious about its control environment.
- Operational Efficiency and Cost Savings
When user-entity controls are documented and functioning effectively, both internal and external auditors—as well as regulators—can rely on this evidence to streamline evaluations and audits. This reduces duplicative testing, saving time and cost. For example, assurance over the completeness and accuracy of reports produced by the service organization may allow auditors to reduce detailed testing. It also builds transparency and enhances confidence in the broker-dealer’s overall control environment.
Practical Steps for Broker–Dealers
- Inventory and Prioritize
Review the SOC report’s CUEC matrix and map each control to your current policies and procedures. Identify which controls are already in place, which need adjustments and which must be developed.
- Document Control Ownership
Assign clear ownership for each CUEC: who performs it, how often and where evidence is stored. Defined roles promote accountability and transparency. Retained documentation ensures compliance with internal and external requirements.
- Test and Monitor
Integrate CUEC testing into your internal audit or compliance routines. Track exceptions and remediation activities in a central dashboard to ensure timely follow-up and continuous monitoring.
- Communicate with Stakeholders
Educate leadership, operations teams and technology staff on the role and value of CUECs. Regular training and updates foster a control-focused culture and help prevent control gaps.
Building Confidence Through Collaboration
Complementary user-entity controls bridge the gap between a third-party provider’s control environment and your firm’s own. A clear understanding of CUECs helps ensure that data flowing through outsourced systems is complete, accurate and reliable. While the processing function may be outsourced to a service organization, the responsibility for data integrity remains with the broker-dealer.
Contact Us
As PKF O’Connor Davies specializes in broker–dealer controls, we partner with broker-dealers and other organizations to design, implement and test these critical user-entity controls—transforming SOC report obligations into strategic operational strengths. Contact us to learn how we can help you turn regulatory requirements into a competitive advantage:
Anthony Sebastiani, CPA, CFE, MBA
Manager
asebastiani@pkfod.com | 646.449.6354
Thomas J. DeMayo, CISSP, CISA, CIPP/US, CRISC, CEH, CHFI, CCFE
Partner
tdemayo@pkfod.com | 646.449.6353
Don Melody, CPA, CFE
Partner
dmelody@pkfod.com | 646.893.0178
Victor Peña, CPA, CGMA
Partner
vpena@pkfod.com | 646.449.6380
Rachel DiDio, CPA
Partner
rdidio@pkfod.com | 954.947.3941