Why SOC 1 reports are important to employee benefit plans

Employee benefit plans use third-party service providers (service organizations) for a variety of reasons including participant recordkeeping, trust reporting, plan testing, information systems, and claims processing. These services influence the financial reporting of a plan. If your company has an employee benefit plan that is audited, one of the items an auditor will ask for is the Service Organization Controls report (SOC 1 report) for each of the service organizations used by the plan. A SOC 1 report is an extremely important document that plan management should review to ensure the reliance placed on each service organization by the plan is appropriate, and that user entity controls, which are the responsibility of plan management, are being followed.

SSAE 16, SAS 70, and SOC 1

Statement on Standards for Attestation Engagements (SSAE) 16 is the new standard for creating a SOC 1 report and, in effect, replaces SAS 70 reports. In fact, the terms SSAE 16 and SOC 1 are often used interchangeably. SOC 1 reports focus solely on controls at a service organization that are likely to be relevant to the user organizations’ financial reporting. SOC 1 reports are intended to be used by the management of user entities as they evaluate the appropriateness of the service organization’s controls on their financial reporting process and regulatory compliance. Auditors can also use these reports as they plan and perform audits of the user entities’ financial statements.

Types of SOC 1 reports

There are two types of SOC 1 reports. In both cases, they report on the fairness of management’s description of the service organization’s system and the suitability of the control design to achieve related objectives.

  • Type 1 – Test of Design and Implementation of Controls: A report on management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
  • Type 2 – Test of Operating Effectiveness of Controls: A report on management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.

In most situations, service organizations will provide a Type 2 SOC 1 report because it covers the operating effectiveness of the controls throughout a specified period. A Type 2 SOC 1 report articulates the control testing that was performed and the testing results over a number of potentially relevant areas, including:

  • Purchase and sales
  • Investment income
  • Market valuation
  • Cash and asset reconciliations
  • Benefit payments
  • Participant loans
  • Participant account recordkeeping
  • Information systems

By reviewing these areas and the results of the control testing that was performed, management teams and auditors can determine if the reliance placed on the service organization is appropriate.

Complementary user entity controls

Complementary user entity controls may also be included in SOC 1 reports. These controls are indicated as items not covered by the service organization, and are instead the responsibility of the user organization. An example of a user entity control is participant eligibility. It is the responsibility of plan management to monitor and review participant eligibility prior to requesting that the participant be added to the service organization’s system.

When to review SOC 1 reports

SOC 1 reports should be obtained annually from service organizations and reviewed by plan management to develop an understanding of the scope of coverage and any issues, changes, or exceptions noted in the report. Plan management should also review the reports to identify the appropriate user entity controls that should be implemented in their environments. The combination of the SOC 1 report and the evaluation of user entity controls should then be considered in the context of the audit scope and assurance needs, so that an appropriate level of reliance can be placed on the service organization for purposes of plan oversight and reporting.

For more information on this topic, or to learn how Baker Tilly accounting and assurance specialists can help, contact our team.