Where in a SOC engagement report are CUECs usually identified?

In a SOC engagement report, Complementary User Entity Controls (CUECs) are typically identified in the scope section. This section provides a detailed description of the boundaries and parameters of the audit, including the controls that the service organization has implemented. CUECs are essential as they refer to the user entity's responsibilities that complement the service organization's controls to ensure effective operation. By detailing these controls in the scope section, the report clearly defines the controls the user must have in place to work effectively alongside those of the service organization. This information helps the stakeholders understand the full context of control obligations within their environment and the shared responsibility for risk management.

Other sections of the report serve different purposes: the executive summary typically summarizes key findings, the opinion section presents the auditor's conclusions regarding the effectiveness of controls, and the conclusion section reiterates the outcomes of the engagement, but does not focus on identifying specific user entity controls.