Common outsourced activities include: investment custody and related services, payroll activities, participant recordkeeping for 401(k) plans and other benefit plans, and claim payments for health and welfare plans.
Even though the service organization is responsible for the day-to-day processing of transactions, certain procedures should be in place at your organization to monitor the activities of the service organization.
If you are a fiduciary of your organization, it is important that you consider your policies and procedures to monitor your service organizations. One of the ways that you can make sure you are meeting your fiduciary responsibilities is to read all reports provided from your service organization—in particular the SOC 1 report (also known as SSAE No. 18 report and formerly known as SSAE 16 or SAS 70 report). Doing so will help you monitor your service provider and may result in cost savings by timely identifying and evaluating potential issues described in the SOC 1 report.
What is a SOC 1 Report?
A SOC 1 report is a report that provides a description of internal controls at the service organization and an independent certified public accountant’s (CPA) opinion about the operating effectiveness of the internal controls. The SOC 1 report is a valuable tool because it provides detailed information about the service organization’s internal control which has been independently tested by an outside CPA, the service auditor.
A SOC 1 report typically covers a six- or twelve-month period; essentially, the SOC 1 report is a periodic check-up of the service organization’s internal controls and provides your organization with vital information that is otherwise unavailable.
Why should you review the SOC 1 Report?
One of the benefits of reviewing the SOC 1 report is that it gives your organization the opportunity to evaluate control weaknesses that may impact your organization.
The service auditor performs certain tests to evaluate the operating effectiveness of the service organization’s internal controls. In some cases, exceptions to the testing performed may be identified. If those exceptions are considered significant, this may result in a modified opinion by the service auditor (i.e., controls are not operating effectively).
Reviewing the exceptions in the SOC 1 report is important as exceptions may lead to errors in the transactions processed by the service organization. Factors to consider while reviewing the exceptions are as follows:
- Is there a response from the service organization within the SOC 1 report that properly addresses the exception or deviation in control testing?
- Does your organization have policies and procedures in place to compensate for the exception noted?
Does your organization have the necessary internal controls?
In order for the service organization’s controls to operate effectively, certain controls should be in place at your organization to complement or work together with the service organization’s internal controls. These controls are referred to as complementary user controls and are listed in the SOC 1 report.
Simply put, the complementary user controls are the necessary link to ensure your organization and the service organization function together like a well-oiled machine. Some general examples of complementary user controls include:
- Accurate information is provided to the service organization,
- Timely review and reconciliations of reports received from the service organization, and
- Timely communication of changes within your organization to the service organization
It is important to ensure your organization has implemented the necessary complementary user controls, as without these controls, errors may not be identified and corrected in a timely manner.
A Valuable Tool
The SOC 1 report is an important tool to effectively monitor your service organization because it provides valuable information and may identify potential problem areas that could affect your organization. By reviewing the SOC 1 report in a timely manner, control weaknesses can be evaluated and if necessary, steps can be taken to mitigate errors.
There are two types of SOC 1 reports: Type 1 and Type 2. A Type 1 report only describes the controls placed in operation, whereas a Type 2 report also tests the operating effectiveness of those controls. A Type 2 report is generally the more common of the two and is the focus of this article.