Most employee benefit plan sponsors today outsource a wide range of functions to third party service providers. These typically include TPAs/record-keepers, payroll providers, investment custodians, and claims processors.
Outsourcing these duties, however, doesn’t absolve sponsors of fiduciary responsibility for monitoring the performance of service providers and making sure tasks are being handled adequately. To do this, you should ask service providers for a Service Organization Controls report, or a SOC 1 report.
Obtaining a SOC 1 report is especially important now given the risks posed by cyber-attacks. A SOC 1 report will detail the controls designed to protect a service provider from attack and indicate if a provider has experienced a cybersecurity breach.
What is a SOC 1 Report?
A SOC 1 report will provide assurances that service providers have placed adequate internal controls over their financial reporting processes and that policies and procedures are being followed. It will include a description of the tests of internal controls and their results to support an opinion on the effectiveness of the controls.
There are two types of SOC 1 reports: a Type I report and a Type II report. The Type II SOC 1 report goes a step further than a Type I report by testing the operating effectiveness of a service provider’s controls for a specific period, and includes a list of complementary user entity controls that are integral but untested. It is the plan sponsor’s responsibility to review the complementary user controls and ensure they have been implemented.
SOC 1 Reports and Plan Audits
SOC 1 reports are usually requested by auditors during the audit process. Audit considerations include:
- The type of report,
- The system covered by the report,
- The time period covered, and
- The service auditor qualifications/opinion.
The key objectives of a SOC 1 report are to understand the design and implementation of a service provider’s internal controls and reduce specific substantive procedures. This is done by reducing control risk and testing the operating effectiveness of complementary user entity controls. These controls help ensure proper coordination between plan sponsors and their service providers.
Without adequate complementary user entity controls, a system of internal controls may prove to be ineffective. So it’s critical to understand and implement these controls as contemplated by the third party service providers you work with.
The auditor will determine if sub-service organizations used by service organizations to perform services like record-keeping, claims processing, and statement mailing are included in the SOC 1 report or carved out. If they are carved out, the auditor will assess how significant the sub-service is to the plan and/or controls of the service organization. If significant, the auditor will likely perform additional procedures.
How to Review the Report
As you review SOC 1 reports submitted by third party service providers, pay particularly close attention to the following:
Scope of the opinion—The opinion should specify the system or systems covered, including whether sub-service organizations are covered or carved out of the description and testing. It should also refer to complementary user entity controls contemplated at the user organization, if any.
Modifications to the opinion—A modified opinion could indicate a deficiency in the design or operating effectiveness of the service organization’s internal controls that is significant enough to warrant closer review.
Management’s response/remediation—The report may contain a management response that describes remediation of the exceptions through modifications of control activities or implementation of additional controls. This could be valuable in considering risk to the plan or the time-frame for testing potential errors if this is considered necessary.
Exceptions—The testing section of the report may contain information about exceptions noted during testing. If the exceptions indicate an increased risk, you should consider whether additional controls or other actions should be taken to mitigate this risk.
It’s Your Responsibility
Remember that it’s your responsibility to obtain, review, and sign off on SOC 1 reports provided by third party service providers. Your plan auditor can provide assistance in reviewing SOC 1 reports.