Complementary Controls; Bless Your Heart

Posted by CMPG Risk Solutions on Dec 20, 2016 1:51:00 AM
Well, not exactly. Many of us are all too familiar with the e-mail and phone chase of your vendor population to obtain their third-party control audits. Most know control audits by their various designations: SSAE16 or SOC 1, SOC 2, be they Type I or Type II. Confused yet?

What seems to have grown in scrutiny with control audits is not the receipt, review and acceptance of your third (and fourth) party control audits by an independent auditor rendering an unqualified opinion, but that deep inside these documents there is actually information that you are charged to validate within your own institution's control environment. You typically find the Complementary User Entity Controls as a separate section in the Table of Contents page of any professionally completed control audit report.

Complementary User Entity Controls are those things that your institution must perform from your side of a vendor relationship. As an example, if a vendor is posting transactions that you submit, the Complementary User Entity Control will likely require that you balance and validate the batch of transactions prior to submission. That makes perfect sense, right?

The catch is that someone physically needs to match and validate that your controls match those prescribed by your vendor. And you will be asked at some point by an auditor or examiner in the future, if not already, for this internal control validation. The person performing the validation needs exceptional internal control documentation or must possess intimate working knowledge of your organizational structure, process and policies. The verification of controls likely leads them on a hunt for signatures across the organization: accounting, operations, items processing, IT, etc.

This is an area where solution providers such as VendorInsight® can provide assistance in organizing the required validation efforts and certifications, whether that means specific reports or tracking outstanding control item exceptions. While many may still want to copy the SSAE16 and sign the top of the page ("John Smith, SVP, We Do This!"), this approach will likely not meet expectations, if it ever did, for much longer. VendorInsight® is designed to improve in this critical area of Vendor Risk Management. If you’d like to schedule a consultation with a member of our team, follow the link below and we’ll be in touch soon!

Schedule An Introduction
