What Plan Sponsors Need to Know About SOC Reports
October 21, 2021
By Lawrence Handler
Most 401(k) and other benefit plans outsource the vast majority of plan activities to a service organization (e.g., recordkeepers/custodians and payroll service providers). Most service organizations will have a Service Organization Controls (“SOC”) report that documents internal controls over financial reporting as well as the results of the tests of those controls for operating effectiveness.
The plan sponsor of a 401(k) plan or other benefit plan is considered a user entity. A user entity has the responsibility for assessing and addressing risks encountered by the user entity related to financial reporting as well as the efficiency and effectiveness of its operations. A user entity assumes additional risk when it relies on a service organization to perform key functions or processes related to its operations. The internal controls of the service organization become an extension of the plan’s controls. Although the plan sponsor (user entity) can delegate tasks or functions to a service organization, the responsibility for the service provided cannot be delegated and remains with the sponsor. The plan sponsor is responsible for establishing effective internal control over outsourced functions as mandated by those charged with governance (e.g., the board of directors) and as expected by regulators, shareholders, customers and other interested parties.
SOC reports provide plan sponsors with information that can be useful in selecting new service providers or evaluating the effectiveness of service providers currently being used. SOC reports can also give plan sponsors more insight as to how various service providers perform their functions that are critical to the operation of a benefit plan. This enables the plan sponsor to proactively identify potential deficiencies before they create major problems for the plan.
Information contained in the SOC report helps plan sponsors act in the best interests of their plan participants, which is part of the plan sponsor’s fiduciary duty. By identifying issues in the SOC report related to the control objectives, the service auditor helps the plan sponsor initiate an appropriate course of action. This action can mitigate any risk associated with a control objective exception identified or, in a worst-case scenario, a qualification to the SOC report.
Different Types of SOC Reports
The sponsor can obtain different types of SOC reports, and each type of report offers a different level of reliance that a sponsor can use in assessing the effectiveness of procedures and controls for outsourced functions. A Type I report generally describes a set of procedures and controls that a service organization established at a specific time. A Type II report has the same information contained in a Type I report, but it also provides substantiation as to the effectiveness of those procedures and controls over a specified period of time. A public accounting firm conducts an audit that tests the procedures and controls of the service provider and then issues an opinion in the Type II report as to their effectiveness. Therefore, a Type II report is what the user entity should request because this provides evidence on how effective the controls are at the service organization.
User Controls Necessary to Achieve Service Organization Control Objectives Per the Type II Report
In order to achieve the control objectives stated in the Type II report of the service provider, the plan sponsor is responsible for implementing certain of its own controls, which are referred to in the Type II report as complementary user-entity controls. If the plan sponsor does not implement these user controls, the service organization cannot be held responsible if the control objectives stated in the Type II report are not achieved.
Examples of complementary user-entity controls are verifying that a participant is eligible for the plan; ensuring that information from employee payroll files is accurate, complete and properly authorized; resolving rejected items and resubmitting the updates in a timely manner; ensuring that disbursements are approved by an appropriate party; verifying that online access logins and passwords used to make plan election changes are given only to authorized personnel; reviewing that changes in the investment options offered by the plan are authorized; and monitoring that participants do not exceed contribution limits.
Reviewing and Documenting Your Review of SOC 1 Reports
Beyond reviewing the SOC 1 Type II report and the complementary user-entity controls it lists, you should also document your review of the following items:
- Period Covered – The system description and controls tested included in the report cover a specific period. Obtain a bridge letter if the SOC report doesn’t cover the entire reporting period for the plan’s audit. The bridge letter will verify that the control objectives per the SOC report continue to be met through the plan’s reporting period.
- Is the Opinion Issued by a Reputable Auditor – If you are not familiar with the audit firm that issued the opinion, perform an informal background check of the audit firm to ensure that it is competent and capable of performing a SOC audit.
- Modifications to the Service Auditor’s Opinion – This could be an indicator that the service organization’s internal controls may not be operating effectively.
- Management’s Opinion on the Operating Effectiveness of the Controls – Like the service organization’s independent auditor, the service organization’s management also opines on the operating effectiveness of controls. Give management’s opinion the same level of attention as the auditor’s opinion. If the two opinions differ, the plan sponsor should inquire as to the reason for the differences and satisfy itself that an appropriate response has been provided.
- Subservice Organizations/Carve Outs – Subservice organizations perform functions (e.g., IT general controls, hosting, pricing services and certain investment-related services) that the plan’s third-party service provider has itself outsourced and that are relevant to the plan’s internal controls. The plan sponsor should assess whether the subservice organization’s controls are covered in the SOC report of the third-party provider. If they are not, the plan sponsor needs to determine whether it is necessary to obtain and review the SOC report of the subservice organization. If no SOC report is available for a carved-out subservice organization, the plan sponsor should either (1) review the procedures currently in place at the plan sponsor that address the specific controls that are carved out, and document that these controls are properly addressed (in most instances, however, this procedure alone is unlikely to cover the outsourced controls sufficiently); or (2) contact the service organization or the subservice organization directly to discuss the controls and procedures in place, document those discussions, and obtain supporting documentation confirming that such controls and procedures are in place. Such a discussion will usually address only the key processes and controls that impact the plan sponsor.
- Control Objectives and Exceptions – The plan sponsor will want to study this section to ensure that the service provider’s controls cover the areas that the plan sponsor is concerned about most, such as new plan setup, eligibility and enrollment, contributions, distributions, investments, investment election changes, loans, income and expense allocations, and IT security. Control deficiencies and exceptions will be stated in the testing section of the report, if they exist. If the deficiencies and exceptions indicate an increased risk, consider whether additional controls or other actions should be taken to mitigate this risk—based on management’s responses—and document steps taken to correct the identified issues.
Use of third-party vendors can expose a plan to substantial risk of unauthorized access to private information within the plan. It is essential that plan sponsors communicate with their vendors in order to understand what their cybersecurity policies are. This may be problematic when trying to assess the cybersecurity environment for a small third-party administrator that doesn’t have a dedicated cybersecurity team. In that case, it would be advisable to obtain its SOC report, which may have details regarding its cybersecurity practices.
Pressure Your Vendors
Some vendors don’t offer a SOC report for the services they provide. This complicates the plan sponsor’s due diligence, since a full assessment of the risks associated with the vendor is then harder to make. There is no requirement for a vendor to produce a SOC report; it is the vendor’s clients and prospects who must inform the vendor that they require one.
The SOC 1 Type II report is a critical tool because it contains information that provides clarity as to the effectiveness of internal control procedures employed by the contracted or prospective service organization. This report, completed by an independent certified public accountant, provides data to both plan sponsors and plan auditors that couldn’t be gathered solely with research or basic inquiry. The more that plan sponsors understand the information that is contained in SOC reports, the better equipped they will be to meet their fiduciary duties.