
What Plan Management Needs to Know About SOC 1 Reports

When an outside service provider is hired to perform functions on behalf of an employee benefit plan (such as participant recordkeeping, investment custody, third-party administration or claims processing), plan management is entrusting the service provider to act as an extension of the plan.  Delegating these functions is efficient and cost effective, but it also means that the plan, and therefore plan management, takes on the risks of the outside service provider's operations.  Outsourcing the work does not outsource the responsibility for it.

Often, a service organization will engage an independent auditor to examine its controls and provide assurance to its clients that appropriate controls are in place and that policies and procedures are being followed.  The result of this examination is a Service Organization Control (SOC 1) report (formerly a SAS 70 report), which the service organization distributes to its clients (i.e., plans and plan management).

How SOC 1 Reports are Beneficial to Employee Benefit Plans

SOC 1 reports are beneficial to employee benefit plans because they enable plan management to inspect the controls in place at their service provider(s) and, in the case of a Type II report, determine whether those controls were operating effectively during the period covered by the report.

Whether for a recordkeeper or an investment custodian, the SOC 1 report yields important information, such as whether data is safeguarded against unexpected destruction, whether new accounts are properly authorized, and whether investments are bought and sold in a timely manner.  In addition to learning which of these and other controls were tested, plan management can identify control deficiencies (exceptions) and read the service provider's responses to them.  This allows management to make an informed decision about whether the deficiencies are acceptable, require additional monitoring on the plan's side, or warrant changing service providers.

How to Read a SOC 1 Report (for Plan Management)

No two SOC 1 reports are exactly the same, but they all contain the same general information, including the opinion by the auditor, overview of operations, overview of controls, summary of subservice organizations, testing of controls and complementary user controls.

The sections on testing of controls and complementary user controls are the most important.  The testing section states specifically how each policy and procedure was tested, over what period, and whether any exceptions were found.  Plan management should note every exception, read the service organization's response, and consider whether the exception affects the plan's own transactions.  The complementary user controls section lists the controls the service organization assumes are in place at the user entity (i.e., the plan sponsor); the service organization's controls are only effective if these user controls are actually performed and monitored by plan management.

The SOC 1’s Role in a Plan Audit

When a plan is required to have an audit under the Employee Retirement Income Security Act of 1974 (ERISA), its auditor will request a SOC 1 report for each service provider used by the plan.  If available, the SOC 1 report can be an integral component of a benefit plan audit, because it may allow the plan auditor to rely on controls already tested by the SOC 1 auditor. 

There are two types of SOC 1 reports:  Type I and Type II.  A Type I report describes the controls placed in operation and reports on the suitability of their design as of a specific date; a Type II report covers a period of time and also tests whether the controls operated effectively throughout that period.  Only a Type II report gives the plan auditor evidence of operating effectiveness.  If the service provider contracted by the plan furnishes a Type II SOC 1 report whose coverage period aligns with the plan year, the testing the plan auditor needs to perform is reduced, saving the plan auditor time and the plan money.  If the report period ends before the plan year does, the auditor will typically ask the service organization for a bridge letter covering the gap.

The plan auditor will read the SOC 1 report in detail, particularly examining and evaluating the areas of investments, contributions, participant loans, administrative services, reporting, computer/security and any other controls tested. 

In addition, the SOC 1 report identifies complementary user controls that plan management must perform in order for the plan auditor to place reliance on the report.  For example, a complementary user control for payroll processing might make plan management responsible for establishing a payroll submission schedule, submitting payroll data on time, verifying receipt of the submission confirmation, and reviewing system reports to confirm that outstanding issues are resolved.  If plan management cannot show that it performs these controls, the plan auditor cannot rely on the service organization's related controls, regardless of what the SOC 1 report says.

An Invaluable Tool

The information contained in a SOC 1 report is invaluable because it sheds light on how effective the internal control procedures are within the contracted service organization.  The report, prepared by independent certified public accountants, provides plan management and plan auditors with evidence that cannot be obtained through simple inquiry or research.

Have a question about your plan’s SOC 1 report or need a 401(k) plan audit?  Contact your Lindquist LLP partner or Marketing Manager Stephanie Kretschmer at (925) 277-9100 or skretschmer@lindquistcpa.com.

Nick Motwani is a senior auditor at Lindquist LLP.  In his current role, Nick exclusively reviews, evaluates and summarizes Service Organization Control (SOC) reports and prepares them for Lindquist LLP’s use in audits.  He has six years of experience auditing employee benefit plans and not-for-profit organizations.  A graduate of the University of California, Santa Cruz, Nick earned a bachelor of arts degree in economics and legal studies.

Stephanie Kretschmer is Lindquist LLP’s marketing manager.  In conjunction with firm leadership, she oversees marketing, communications and business development for Lindquist LLP’s four West Coast offices.  This year is her 10th with the firm.  She graduated with a degree in communication studies from Saint Mary’s College (Notre Dame, Indiana).
