What Technology and Life Sciences Companies Need to Know About SOC 1 Reports
June 15, 2021
What do technology and life sciences companies need to know about SOC 1 Reports? In this four-minute video, EisnerAmper Director of Pension Services Group Brenda DeSaro explains what a SOC 1 Report is, discusses why companies need to be concerned about these reports even though they likely outsource this work to third-party providers, and outlines a best practices approach.
If your company outsources your payroll processing to a service provider like, say, ADP or Paychex, then they are processing a lot of transactions and activity that you would be doing internally if you had in-house payroll. If your life science company has a 401K plan or another type of benefit plan, then most likely you use a vendor like, say, Schwab, Vanguard, or Fidelity to handle the majority of the transactions associated with your plan. Now, in both of these instances, those outsource providers would have a SOC 1 Type 2 Report that has valuable information on the controls over financial reporting that are in place to ultimately protect and process your data that you send to them along with the results on the effectiveness of those controls, which remember, this is an extension of your controls.
This is why the SOC Report is so very important and crucial to the activity that they are handling on your behalf. Therefore, wouldn't you want to know what controls are being tested and how effective those controls are? Also, what if there were some deficiencies noted in that report? I know I'd want to know which controls had issues. These answers can all be found in a SOC 1 Type 2 Report.
Many of my technology and life science clients have taken a best practice approach when it comes to the SOC Reports that they receive by doing the following. First, they get the correct report that is relevant to the platform that their services are being performed on. I will note that many vendors have more than one SOC Report in different areas, so make sure you are getting all the reports that you need. Also, many vendors may have different platforms for processing transactions, so it is crucial to secure the correct reports.
Next, after they get the correct report, then they make sure that they have the proper time period. But keep in mind that it may not be for the exact period of your plan year or tax year. Many SOC Reports are done with fiscal year ends. For example, they might run from October 1st, 2019 through September 30th, 2020, but your plan year may end on December 31. Next, they read the report and they document that in their committee minutes along with considering any deficiencies that the report cited that may have an impact on their payroll or their plan. They may need to put some controls in place that would mitigate any of those deficiencies if they were significant. Lastly, they review and document how they are implementing the complementary user controls from the report. These are controls that the user, my client, must have in place in order to rely on the controls in that report.
I know this was a lot of information, but hopefully this has shed some light on the importance of SOC Reports. If anyone has any questions, feel free to ask.
Transcribed by Rev.com