What Technology and Life Sciences Companies Need to Know About SOC 1 Reports

June 15, 2021

What do technology and life sciences companies need to know about SOC 1 Reports? In this four-minute video, EisnerAmper Director of Pension Services Group Brenda DeSaro explains what a SOC 1 Report is, discusses why companies need to be concerned about these reports even though they likely outsource this work to third-party providers, and outlines a best practices approach.


Transcript

Brenda DeSaro: Hello, my name is Brenda DeSaro, and I am a director at EisnerAmper. I've been with the firm over 20 years and I work exclusively in employee benefit plans. I continue to get the same question from my technology and life science clients so I thought it was worth sharing. The question is, "Why do I have to be concerned with a SOC 1 Report when I outsource this work to certain providers?" My response has been, you already answered your own question. You are outsourcing the processing of certain transactions rather than you or someone in your company doing it. Therefore, by outsourcing those services to a third-party provider, their controls become an extension of your controls. Let's take, for example, the two most common areas I see when auditing an employee benefit plan. The first example and the one that affects most of my technology companies is payroll.

If your company outsources your payroll processing to a service provider like, say, ADP or Paychex, then they are processing a lot of transactions and activity that you would be doing internally if you had in-house payroll. If your life science company has a 401(k) plan or another type of benefit plan, then most likely you use a vendor like, say, Schwab, Vanguard, or Fidelity to handle the majority of the transactions associated with your plan. Now, in both of these instances, those outsource providers would have a SOC 1 Type 2 Report that has valuable information on the controls over financial reporting that are in place to ultimately protect and process your data that you send to them along with the results on the effectiveness of those controls, which remember, this is an extension of your controls.

This is why the SOC Report is so very important and crucial to the activity that they are handling on your behalf. Therefore, wouldn't you want to know what controls are being tested and how effective those controls are? Also, what if there were some deficiencies noted in that report? I know I'd want to know which controls had issues. These answers can all be found in a SOC 1 Type 2 Report. Many of my technology and life science clients have taken a best practice approach when it comes to the SOC Reports that they receive by doing the following. First, they get the correct report that is relevant to the platform that their services are being performed on. I will note that many vendors have more than one SOC Report in different areas, so make sure you are getting all the reports that you need. Also, many vendors may have different platforms for processing transactions, so it is crucial to secure the correct reports.

Next, after they get the correct report, then they make sure that they have the proper time period. But keep in mind that it may not be for the exact period of your plan year or tax year. Many SOC Reports are done with fiscal year ends. For example, they might run from October 1st, 2019 through September 30th, 2020, but your plan year may end on December 31. Next, they read the report and they document that in their committee minutes along with considering any deficiencies that the report cited that may have an impact on their payroll or their plan. They may need to put some controls in place that would mitigate any of those deficiencies if they were significant. Lastly, they review and document how they are implementing the complementary user controls from the report. These are controls that the user, my client, must have in place in order to rely on the controls in that report. I know this was a lot of information, but hopefully this has shed some light on the importance of SOC Reports. If anyone has any questions, feel free to ask.

Transcribed by Rev.com

About Brenda DeSaro

Brenda DeSaro is a Director in the firm’s Pension Services Group handling the related pension plan audit and consulting requirements for a broad client base. She efficiently and accurately manages all types of pension plan audits.