Outsourcing a Process Does Not Outsource the Control
CovaCtrl
When a third-party provider holds a SOC 1 or SOC 2 report, many organisations treat that as sufficient evidence that the associated risks are under control. The assumption is understandable. But the assurance a SOC report provides rests partly on controls the client organisation must implement itself — and most organisations overlook that entirely.
What Are Complementary User Entity Controls?
Every SOC report documents the controls the service organisation has in place. But almost every SOC report also lists what are known as Complementary User Entity Controls, or CUECs: controls that the client organisation must implement for the service provider's controls to function as intended.
CUECs are not suggestions. They are assumptions baked into the auditor's opinion. If the SOC report states that the service organisation relies on the user entity to manage access to the relevant system, the auditor has assumed that control exists on the client's side. Where that control does not exist, the assurance the report appears to provide does not actually cover that gap, even though the report implies it does.
Why Do Organisations Overlook This?
Many organisations receive their vendors' SOC reports, note that no exceptions are listed, and file them. The section of each report detailing CUECs frequently goes unread. Practitioners have identified this as a persistent failure: many institutions either do not perform or do not document their review of CUECs at all.
The consequences are predictable. Control programmes that appear complete contain silent dependencies that no one owns. If a control failure later emerges, the organisation has no documented basis for the oversight that was assumed to exist.
What Does the Third-Party Controls Gap Look Like?
The problem typically manifests in a recognisable pattern:
External auditors have begun demanding more in this area. In recent SOX cycles, organisations have been asked to produce full-year SOC coverage, evidence of formal CUEC review, and — in some cases — additional assurance from vendors' vendors to cover subservice organisation controls that the primary SOC report excludes.
How Are Regulations Raising the Bar in 2026?
Three developments in 2026 are increasing scrutiny of third-party controls at the same time.
The Digital Operational Resilience Act came into force for EU financial entities in January 2025, requiring a comprehensive Register of Information covering all ICT third-party arrangements. The 2024 dry-run exercise conducted by the European Supervisory Authorities found that only 6.5% of participating firms passed all 116 data quality checks, with the most common failures involving incomplete contract data and missing subcontractor information. Regulators have moved from reviewing paperwork to active enforcement in 2026.
The UK's revised Corporate Governance Code — effective under Provision 29 for financial years beginning January 2026 — requires boards to evaluate control effectiveness across outsourced processes. A board declaration on control performance must account for third-party environments, not only those under direct internal management.
From September 15, 2026, the Institute of Internal Auditors' Third-Party Topical Requirement becomes mandatory for assurance engagements. When a third-party engagement is included in an assurance plan, internal auditors must evaluate governance, risk management and controls across the entire third-party lifecycle — selection, contracting, onboarding, ongoing monitoring and offboarding. The requirement extends to subcontractors, including those several layers removed from the primary relationship.
What Does a Sound Third-Party Control Programme Require?
Addressing the gap does not require building an entirely separate function. It requires applying the same discipline to third-party controls that effective organisations already apply to internal ones:
- Risk-tiering third parties at onboarding, with assurance requirements matched to the level of impact on financial reporting or operations
- Formally reviewing the CUECs in each relevant SOC report and mapping them to owned internal controls
- Maintaining ongoing monitoring of critical third parties rather than relying on annual point-in-time assessments
- Securing contractual audit rights and access to subcontractor assurance where material subservice relationships exist
- Documenting control performance evidence throughout the vendor lifecycle, not only at audit time
The accountability principle is unambiguous across every major framework: a process may be outsourced, but responsibility for the controls that govern it remains with the organisation.
How Is CovaCtrl Different?
CovaCtrl supports teams in maintaining structured, continuous evidence of control performance — including controls that exist to govern third-party relationships. Where CUECs require the user entity to maintain access reviews, data validation or approval workflows, those controls can be monitored and evidenced as part of the same internal control framework as any directly owned control.
Teams approaching a SOX audit, a Provision 29 declaration or an IIA third-party assurance engagement can demonstrate a documented and continuously maintained control environment, rather than assembling evidence for controls that were assumed to exist.
Why This Matters Now
The third-party controls gap is not a new problem. What is new in 2026 is the convergence of three regulatory regimes — DORA enforcement, UK Provision 29 and the IIA's mandatory topical requirements — each of which now requires organisations to demonstrate that third-party controls are genuinely owned, documented and monitored throughout the relationship lifecycle.
A vendor's SOC report is a starting point for assurance, not the conclusion of it. The controls it assumes exist on the client's side are the organisation's responsibility to implement, evidence and maintain.
Outsourcing a process is straightforward. Outsourcing accountability for the controls around it is not possible.