What Technology and Life Sciences Companies Need to Know About SOC 1 Reports

June 15, 2021

What do technology and life sciences companies need to know about SOC 1 Reports? In this four-minute video, EisnerAmper Director of Pension Services Group Brenda DeSaro explains what a SOC 1 Report is, discusses why companies need to be concerned about these reports even though they likely outsource this work to third-party providers, and outlines a best practices approach.


Brenda DeSaro: Hello, my name is Brenda DeSaro, and I am a director at EisnerAmper. I've been with the firm over 20 years and I work exclusively in employee benefit plans. I continue to get the same question from my technology and life science clients so I thought it was worth sharing. The question is, "Why do I have to be concerned with a SOC 1 Report when I outsource this work to certain providers?" My response has been, you already answered your own question. You are outsourcing the processing of certain transactions rather than you or someone in your company doing it. Therefore, by outsourcing those services to a third party provider, their controls become an extension of your controls. Let's take, for example, two most common areas I see when auditing an employee benefit plan. The first example and the one that affects most of my technology company is payroll.

If your company outsources your payroll processing to a service provider like, say, ADP or Paychex, then they are processing a lot of transactions and activity that you would be doing internally if you had in-house payroll. If your life science company has a 401K plan or another type of benefit plan, then most likely you use a vendor like say, Schwab, Vanguard, or Fidelity to handle the majority of the transactions associated with your plan. Now, in both of these instances, those outsource providers would have a SOC 1 Type 2 Report that has valuable information on the controls over financial reporting that are in place to ultimately protect and process your data that you send to them along with the results on the effectiveness of those controls, which remember, this is an extension of your controls.

This is why the SOC Report is so very important and crucial to the activity that they are handling on your behalf. Therefore, wouldn't you want to know what controls are being tested and how effective those controls are? Also, what if there was some deficiencies noted in that report? I know I'd want to know which controls had issues. These answers can all be found in a SOC 1 Type 2 Report. Many of my technology and life science clients have taken a best practice approach when it comes to the SOC Reports that they receive by doing the following. First, they get the correct report that is relevant to the platform that their services are being performed on. I will note that many vendors have more than one SOC Report in different areas, so make sure you are getting all the reports that you need. Also, many vendors may have different platforms for processing transactions so it is crucial to secure the correct reports.

Next, after they get the correct report, then they make sure that they have the proper time period. But keep in mind that it may not be for the exact period of your plan year or tax year. Many SOC Reports are done with fiscal year ends. For example, they might run from October 1st, 2019 through September 30th, 2020, but your plan year may end on December 31. Next, they read the report and they document that in their committee minutes along with considering any deficiencies that the report cited that may have an impact on their payroll or their plan. They may need to put some controls in place that would mitigate any of those deficiencies if they were significant. Lastly, they review and document how they are implementing the complimentary user controls from the report. These are controls that the user, my client, must have in place in order to rely on the controls in that report. I know this was a lot of information, but hopefully this has shed some light on the importance of SOC Reports. If anyone has any questions, feel free to ask.

Transcribed by Rev.com

About Brenda DeSaro

Brenda DeSaro is a Director in the firm’s Pension Services Group handling the related pension plan audit and consulting requirements for a broad client base. She efficiently and accurately manages all types of pension plan audits.

More in This Series

Life Sciences Startups: Why ESG?

Environmental, Social, & Governance considerations have become a competitive advantage for life sciences startups. In this video, you’ll learn how ESG can be used to measure a companies’ vulnerabilities to external threats and deliver long-term financial gains.

Competitive Compensation Packages for Startups

Though often strapped for cash, startups are finding new and creative ways to remain competitive. In this video, you’ll find out about alternative compensation considerations and strategies as we explore ways to engage and retain key stakeholders in ever-changing markets.

Startups: Tax Implications of Hiring Independent Contractors vs. Employees

In this video, you’ll learn about the three worker classification tests, filing requirements, and more in order to make an accurate worker classification/determination and avoid possible tax and legal exposure.

Cybersecurity Risks and Solutions for Life Sciences Startups

Cybersecurity poses a significant risk to life sciences startups that handle personal identifiable information. In this video, you’ll learn about the risks facing your business and how you can protect your clients and systems.

When Do I Need to Get an IRC Sec. 409A Valuation for My Stock Options or Stock Grants?

A 409A valuation is used by private companies to assess the fair market value of their stock. In this video, you’ll learn when a 409A valuation is necessary, the length of time in which it is valid, and which events trigger the need for an update

Capital Raising: What Are My Options—and How Do I Approach Investors?

In this video, you’ll learn about various options for raising capital, tips for creating your potential investor list, and how to approach investors.

What Technology and Life Sciences Companies Need to Know about being Acquired by a SPAC

Becoming a public company through an acquisition by a SPAC is an alternative to the traditional initial public offering (IPO). In this video, you’ll learn some key considerations that a technology or life sciences company should keep in mind before being acquired by a SPAC.

Going Global: How to Report Your Foreign Operations for Tax Purposes

In this video, we’ll examine why reporting on foreign operations for tax purposes is an important matter for technology and life sciences start-ups doing business abroad.

What Tax Considerations Does My IPO Trigger?

Is your company preparing for (or have you recently had) an IPO? In this video, you’ll learn about the impact that an ownership change under IRC Sec. 382 can have on the utilization of net operating loss (NOL) carryovers and other factors that can influence your tax burden.

Medical Device Companies: Consideration for Consignment Inventory and Related Sales Process

Many medical device companies have chosen to deploy a consignment inventory and sales approach for their related products. In this video, you’ll learn about the advantages and disadvantages of this strategy for both the company and third parties, as well as best practices to consider

What Technology and Life Sciences Companies Need to Know About Transfer Pricing—from Start-ups to Large MNEs

In this video, you will learn why transfer pricing is an important focus point for many multinational enterprises in the technology and life science industry.

Capital Raising: Are Financial Instruments Classified as Liabilities or Equity?

In this video, you'll learn about the different accounting ramifications for financial instruments issued to investors by start-ups and why it’s important to properly structure financial instruments upfront for accounting purposes.

Financing for Entrepreneurs: What Are Issuance Costs?

In this video, you’ll learn about “issuance costs” and how to properly account for them based on the type of funding that was raised.

Does My Start-up Need an Advisory Board?

In this video, you'll examine the ways how an advisory board differs from a board of directors; why you might consider forming an advisory board; how you can attract and retain advisory board members; and how you can enhance the effectiveness of the advisory board for your start-up.

Entrepreneurship: Behind the Numbers

John Pennett talks about the ingredients for successful entrepreneurship—from early to late-stage enterprises—with “Behind the Numbers” host and senior director at CFGI.