Plan Sponsors: Leverage Recordkeeper and Payroll Provider SOC Reports


Plan sponsors rely on recordkeepers and payroll providers to handle sensitive financial data, process transactions accurately and timely, maintain records, and create accurate and complete reporting, but are they effectively evaluating the internal controls of these key vendors? Maybe not.

Reviewing System and Organization Controls (SOC) reports isn’t just a compliance checkbox—it’s a vital risk management tool. A SOC report gives an inside look at a provider’s controls and whether those controls actually operated effectively during the period covered, helping plan sponsors identify potential red flags before they turn into plan errors.

Learn why reviewing providers’ SOC reports benefits your company and what to look for with the following insights.

What is an Employee Benefit Plan Audit?

An employee benefit plan audit is an audit of the financial statements of the plan.

Generally, a plan must be audited when it has more than 100 participants with account balances on the first day of the plan year—or more than 120 if the plan wasn’t audited in the prior year. Once a plan is subject to audit, the participant count must drop below 100 before the audit requirement goes away.

Auditors consider internal control over financial reporting when designing procedures for an audit of the plan’s financial statements. Those procedures must be appropriate for the circumstances, but auditors do not express an opinion on the plan sponsor’s internal control over financial reporting.

As part of their procedures, expect plan auditors to request a copy of your service providers’ SOC 1 reports. They will likely ask whether you have reviewed each SOC 1 report and will explore how you address the complementary user entity controls identified in it.

For 401(k) audits, the applicable SOC reports are typically those of the recordkeeper and the payroll provider.

Why Should You Review Your Recordkeeper and Payroll Provider’s SOC Report?

Many employee benefit plan sponsors don’t review their providers’ SOC reports, which exposes their organization to a variety of risks.

Because you’re outsourcing the processing of certain transactions to your service provider, the provider’s controls become an extension of your own controls. The plan sponsor is a fiduciary of the plan and is responsible for monitoring plan service providers. You can outsource the activity, but never the responsibility.

It’s important to build the review of these reports into your own control process so you have documented evidence that the service provider has appropriate controls in place and that they operated effectively during the period.

Even with the best service providers, there are plenty of opportunities for errors if the plan sponsor doesn’t implement proper authorization and review controls. Where there’s lack of oversight, there’s opportunity for errors and fraud.

Which Type of SOC Report is Best for Recordkeeper and Payroll Providers?

While there are different types of SOC reports, plan sponsors should focus on the type most applicable to what a recordkeeper or payroll provider provides, which is the SOC 1, Type 2.

A SOC 1, Type 2 report is a report on a service organization’s controls that are relevant to a user entity’s internal control over financial reporting, and it covers the operating effectiveness of those controls over a period of time rather than their design at a single point in time.

These reports are specifically intended to meet the needs of user entities and the CPAs that audit the user entities’ financial statements—user auditors— in evaluating the effect of the service organization’s controls on the user entities’ financial statements.

A SOC 1, Type 2 report contains:

  • Management’s description of the service organization’s system.
  • The service auditor’s opinion on whether the controls were suitably designed to achieve the related control objectives included in the description throughout the specified period.
  • The service auditor’s opinion on whether the controls operated effectively to achieve those control objectives throughout the specified period.
  • A detailed description of the service auditor’s tests of controls and the results of those tests.

Typically, these reports are restricted-use reports intended only for the management of the service organization, its user entities, and the user entities’ auditors, so you will generally need to request them directly from your provider.

Key Areas to Evaluate in Vendor SOC Reports

There are three key areas of a recordkeeper’s or payroll provider’s SOC report you can review to gain comfort that the vendor’s internal controls can be relied upon.

The Auditor’s Report

You should review the service auditor’s report and opinion and evaluate several key items:

  • What period does the report cover? Does it line up with your plan year? If not, does the service provider offer a bridge (gap) letter addressing the period between the end of the report period and your plan year end?
  • Are there any subservice organizations carved out of the SOC report? If so, what services do they provide and are they significant to your plan? Should you obtain the subservice organization’s own SOC report?
  • Did the auditor issue an unmodified opinion? If the opinion is modified, evaluate the potential impact on your plan. Are there additional steps you should take because of the modification?

Complementary User Entity Controls

Most SOC 1 reports identify complementary user entity controls (CUECs): controls the service organization assumes the user entity has in place, and which must be operating for the service organization’s control objectives to be achieved. Typical examples are reviewing output reports for accuracy and restricting who at the plan sponsor is authorized to submit transactions or changes to the provider.

Review, evaluate, and document the controls and procedures you have in place to address each identified CUEC. Oftentimes, a user entity doesn’t realize all the CUECs it should have in place until it reviews the SOC report.

Exceptions Found in Control Testing

The SOC 1 report will have a section that details the controls in place at the service organization, a description of the auditor’s tests, and the results of the testing. Were there any exceptions found in the auditor’s testing? If so, evaluate how they may have affected your plan, and consider whether the service organization’s management response adequately addresses them. If the exceptions were significant, you may need to put compensating controls in place at the plan sponsor to mitigate them.

We’re Here to Help

To learn more about SOC reports, how they can impact your company, and how to review them effectively, contact your Moss Adams professional.
