PKF O'Connor Davies Accountants and Advisors
PKF O'Connor Davies Accountants and Advisors

The Benefits for Broker-Dealers to Understand Complementary User-Entity Controls (CUECs) in SOC Reports

Need help getting started?

Contact Us
July 8, 2025

By Anthony Sebastiani, Manager, Thomas J. DeMayo, Partner and Victor Peña, Partner


Key Takeaways

1. Complementary user-entity controls (CUECs) are essential for broker-dealers to fully rely on the Service Organization Control (SOC) report of a third-party provider.
These controls must be implemented at the user entity level to ensure the effectiveness of the service organization’s internal controls as described in the SOC report.

2. Failure to implement CUECs can expose broker-dealers to operational, financial and regulatory risks.
By actively maintaining and testing these controls, firms can strengthen data accuracy, support compliance and reduce audit burden through better alignment with regulatory expectations.

3. Broker-dealers should inventory, document, test and communicate their complementary user-entity controls to close compliance gaps and enhance oversight.
Clear control ownership, ongoing monitoring and stakeholder training help build a reliable control environment and reinforce the broker-dealer’s role in safeguarding data integrity.


In today’s tightly regulated financial landscape, broker–dealers rely heavily on third-party service organizations to process transactions, maintain ledgers and safeguard client assets. A Service Organization Control (SOC) report evaluates a provider’s internal controls—but tells only half the story. To gain full assurance over data accuracy and completeness—critical for mitigating risks, maintaining compliance and driving operational efficiency—broker–dealers must understand and implement the complementary user-entity controls (CUECs) outlined in their service organizations’ SOC reports. Without them, the SOC report’s controls cannot be fully relied upon.

Complementary User-Entity Controls Defined

Complementary user-entity controls are those the service organization expects its clients (the “user entities”) to have in place to support the effectiveness of the service organization’s controls. For example, a clearing agent might require a broker–dealer to reconcile position reports or maintain proper user access procedures. Without these user-entity controls, the service provider’s controls may not function as intended—even if they’re included in the SOC report.

Why Knowledge of CUECs Matters

  1. Data Integrity and Completeness
    By understanding and executing CUECs—such as daily reconciliations, system access reviews and exception-handling protocols—broker-dealers close gaps that could lead to incomplete trade data, unrecorded cash movements or misstatements in regulatory filings.

  2. Risk Mitigation and Regulatory Compliance
    Regulators expect firms to govern both third-party risk and internal controls. Failure to implement CUECs can expose a broker–dealer to operational breakdowns, financial losses or regulatory penalties. Adhering to CUECs demonstrates that the firm is serious about its control environment.

  3. Operational Efficiency and Cost Savings
    When user-entity controls are documented and functioning effectively, both internal and external auditors—as well as regulators—can rely on this evidence to streamline evaluations and audits. This reduces duplicative testing, saving time and cost. For example, assurance over the completeness and accuracy of reports produced by the service organization may allow auditors to reduce detailed testing. It also builds transparency and enhances confidence in the broker-dealer’s overall control environment.

Practical Steps for Broker–Dealers

  1. Inventory and Prioritize
    Review the SOC report’s CUEC matrix and map each control to your current policies and procedures. Identify which controls are already in place, which need adjustments and which must be developed.

  2. Document Control Ownership
    Assign clear ownership for each CUEC: who performs it, how often and where evidence is stored. Defined roles promote accountability and transparency. Retained documentation ensures compliance with internal and external requirements.

  3. Test and Monitor
    Integrate CUEC testing into your internal audit or compliance routines. Track exceptions and remediation activities in a central dashboard to ensure timely follow-up and continuous monitoring.

  4. Communicate with Stakeholders
    Educate leadership, operations teams and technology staff on the role and value of CUECs. Regular training and updates foster a control-focused culture and help prevent control gaps.

Building Confidence Through Collaboration

Complementary user-entity controls bridge the gap between a third-party provider’s control environment and your firm’s own. A clear understanding of CUECs helps ensure that data flowing through outsourced systems is complete, accurate and reliable. While the processing function may be outsourced to a service organization, the responsibility for data integrity remains with the broker-dealer.

Contact Us

As PKF O’Connor Davies specializes in broker–dealer controls, we partner with broker-dealers and other organizations to design, implement and test these critical user-entity controls—transforming SOC report obligations into strategic operational strengths. Contact us to learn how we can help you turn regulatory requirements into a competitive advantage:

Anthony Sebastiani, CPA, CFE, MBA
Manager
asebastiani@pkfod.com | 646.449.6354

Thomas J. DeMayo, CISSP, CISA, CIPP/US, CRISC, CEH, CHFI, CCFE
Partner
tdemayo@pkfod.com | 646.449.6353

Don Melody, CPA, CFE
Partner
dmelody@pkfod.com | 646.893.0178

Victor Peña, CPA, CGMA
Partner
vpena@pkfod.com | 646.449.6380

Rachel DiDio, CPA
Partner
rdidio@pkfod.com | 954.947.3941