Obtaining and reviewing your service provider’s Service Organization Control (SOC) report is not only imperative to understanding the controls in place, it is also part of a fiduciary’s responsibility to monitor the plan under the Employee Retirement Income Security Act (ERISA).
Under AICPA Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, effective since June 15, 2011, Service Organization Control (SOC) 1 Reports were established to report on controls at a service organization relevant to user entities’ internal control over financial reporting.
Many companies (user entities) with employee benefit plans outsource various plan activities to independent outside service organizations. In most cases, the service organization holds the plan’s investments and executes investment transactions. This has a direct impact on the financial reporting of the plan. Reviewing your service organization’s SOC 1 report can provide management with key information to help them determine that the service organization has the necessary controls in place to properly perform and track the plan’s investments and investment transactions. In addition, reviewing the SOC 1 report will help aid management in determining the user controls which need to be in place at the company in order for the service organization’s controls to operate effectively.
Proper review and understanding of your service provider’s SOC 1 report encompasses several key questions that need to be answered and, most importantly, have those answers documented.
What type of SOC 1 report was provided? Type I or Type II?
In a Type I report, the service auditor will express an opinion and report on the subject matter provided by the management of the service organization, as of a specific date, as to whether (1) the service organization's description of its system fairly presents the system that was designed and implemented; and (2) whether the controls related to the control objectives stated in management's description of the service organization's system were suitably designed to achieve those control objectives.
In a Type II report, the service auditor will express an opinion and report on the subject matter provided by the management of the service organization for a specified period of time, rather than as of a specified date as in a Type I report. In addition to (1) and (2) above, the Type II report will also express an opinion on whether the controls related to the control objectives stated in management’s description of the service organization’s system operated effectively throughout the specified period to achieve those control objectives.
Does the report cover the period that was requested?
If the report does not cover the entire period requested, it may be necessary to ask your service organization for a “negative assurance memo” – a statement covering the remaining period under audit.
Does the service organization use another service organization (referred to as a subservice organization) to perform certain functions or procedures?
Often times, service organizations may use other service organizations to perform certain functions and procedures. The subservice organization’s internal controls must be assessed to determine their effect on the plan. Additional SOC 1 reports for the subservice organization may need to be obtained and reviewed if it is determined that the subservice organization’s internal controls affect plan transactions.
Does the service auditor’s opinion contain any areas of concern or deficiencies in controls?
Reading the service auditor’s opinion can help to determine any issues or deficiencies that the service auditor came across during their review.
For a Type II Report, were there any exceptions noted during the service auditor’s tests of controls and the results of operating effectiveness?
"If the service auditor noted exceptions during their testing, it is important to assess and document how those exceptions could affect the financial reporting of the plan."
If the service auditor noted exceptions during their testing, it is important to assess and document how those exceptions could affect the financial reporting of the plan.
Does the company have the necessary user controls in place as described in the SOC 1 report?
The SOC 1 report describes the user controls, which are complementary, and should be implemented by the company, in addition to the controls in place at the service organization. The company should maintain documentation on what processes and procedures are in place and implemented by the company to address each user control consideration.
In conclusion, plan management and those charged with fiduciary responsibility should read and review their service organization’s SOC 1 report in its entirety and maintain the necessary documentation of that review. This documented review can play an important role in evidencing oversight and monitoring of the plan, a required fiduciary responsibility under ERISA.
