Preparing for Your Plan Audit, Part 4: SOC 1 Report
March 22, 2022
By Brenda DeSaro
A SOC 1 report on your employee benefit plan’s service providers has great value to your plan; read why.
What is a SOC 1 report?
SOC stands for System and Organization Controls. A SOC 1 Type 2 Report is not required for an employee benefit plan audit. However, most recordkeepers, payroll providers and trustees have SOC reports. It is normally prepared for a service provider to document its key controls and processes over internal controls for financial reporting and financial statement assertions throughout a specific period and tests the operational effectiveness of those controls along with results. In other words, a SOC 1 Type 2 Report on your recordkeeper or payroll provider allows the plan sponsor to rely on and include those internal controls by extension as part of the plan’s controls.
Why would those controls be part of the plans if I outsource that work?
You are outsourcing the processing of certain transactions rather than having someone in your company perform them. Therefore, by outsourcing those services to a service provider, their controls become an extension of your controls. Remember, you can outsource the activity but never the responsibility. Ultimately, the plan sponsor is the fiduciary and has the responsibility to monitor plan service providers.
If your company outsources your payroll processing to a service provider, then that provider is processing the many transactions that you would be doing internally if you had in-house payroll. Additionally, the recordkeeper for your 401(k) plan or another type of benefit plan normally handles most of the transactions, such as processing distributions, posting contributions and allocating earnings, to name a few. In both instances, those outsourced providers may have a SOC 1 Type 2 report that has valuable information on the controls over financial reporting that are in place to ultimately protect and process the data that you send to them, along with results on the effectiveness of those controls. Those are, in turn, an extension of your controls.
Therefore, the SOC report is crucial to the activity that the service provider is handling on your behalf. Another benefit is learning how effective those controls were found to be. Wouldn’t you want to know what controls are being tested and how effective those controls are? Also, what if there were some deficiencies noted in the report? You would want to know which controls had issues so that you can check those transactions within your plan to ensure they did not impact your plan.
These answers can all be found in a SOC 1 Type 2 Report.
What are some best practice approaches when it comes to the SOC report results?
- First, make sure you get the correct report(s) that are relevant to the platform on which your services are performed. This can be tricky because some service providers have more than one SOC report. For example, a third-party administrator may have a SOC report that covers the recordkeeping controls and may have a separate SOC report for the related technology controls. Therefore, make sure you are getting all the reports that you need. Also, vendors may have different platforms for processing transactions, so it is crucial to secure the correct reports for the platform your plan is using.
- Second, make sure that the SOC report you have covers the proper time period. Keep in mind that it may not be for the exact period of your plan year. Many SOC reports utilize fiscal year-ends. For example, the report may cover the period of October 1, 2020, through September 30, 2021, but your plan year may end on December 31. You may need to get multiple SOC reports to cover the 12 months of the plan year or obtain a gap letter from the third-party administrator for the remaining period.
- Third, read the report and document your review in your committee minutes. Note any deficiencies cited that may have an impact on your payroll or plan. You may need to put some controls in place that would mitigate any of those deficiencies if they were significant.
- Lastly, review and document how you are implementing the “complementary user controls” from the report. These are the controls that the user—you as the plan sponsor and plan administrator—must have in place to rely on the controls in the report.
The SOC report, while not required for the plan audit, is an extremely helpful piece of information. You can assess your third-party administrators, include their controls as part of your plan’s internal controls, and determine whether they are keeping your plan assets as safe as they would have been in-house. The report(s) can be lengthy and complex, so we recommend obtaining and reviewing them from your service providers well in advance of audit fieldwork.
For more details on SOC reports, visit our blog here.
Access the rest of this blog series below: