Complementary User Entity Controls (CUECs), often referenced in SOC 2 reports as CAROC, are the security controls that a service organisation's customers (the user entities) must implement on their own side for the service organisation's controls to operate as intended. They address the shared responsibility model: the service provider secures its infrastructure, while the customer remains responsible for securing its own user access, configurations and data handling.
When reviewing a SOC 2 report, an organisation should examine the listed CUECs carefully to understand which obligations remain on its side. Common examples include enforcing multi-factor authentication for user accounts, configuring appropriate access permissions and maintaining its own backup procedures. Failing to implement the required CUECs can leave significant security gaps despite the provider's certification, because the report's conclusions assume those customer-side controls are in place and operating.