Written by Cindy Sandomenico and Laura Zindel.
WHY PLAN SPONSORS SHOULD READ THEIR SERVICE PROVIDERS’ SOC REPORTS
When a plan sponsor hires a service provider, that organization and its professionals become part of the team operating the client’s retirement plan. Each member of the team is expected to perform a specific task according to what is prescribed in the plan document. But how do you know whether each service provider has effective systems and controls in place to ensure that they are executing their roles correctly?
More importantly, how can your auditor be sure and offer proof to federal enforcement officers that a service provider is able to do the job you have hired it to perform?
A System and Organization Controls (SOC) report is a document that can help answer these important questions. It is an independent report conducted by an outside auditor that reviews, evaluates and, in some cases, tests the controls used by a service provider.
Many employee benefit plan recordkeepers, trustees, payroll providers and custodians will commission SOC reports about their service offerings related to benefit plans. These reports are extremely valuable if the plan gets audited. As a result, many plan sponsors file their service providers’ SOC reports away and only dust them off when an auditor asks for it.
But it is a mistake for plan sponsors to think that SOC reports are just for auditors. The value of SOC reports goes far beyond making the audit a simpler, smoother process.
By providing bias-free information and transparency, SOC reports can help plan sponsors select new vendors or evaluate the effectiveness of current ones. SOC reports can also give plan sponsors a fuller understanding of how various service providers perform outsourced operations that are crucial to the execution of a benefit plan and identify potential deficiencies before they become major issues.
All of this information helps plan sponsors fulfill their fiduciary duty to make informed decisions and act in the best interests of plan participants. In addition, the service auditor reports on any issues identified within the SOC report. This helps the plan sponsor take steps, if necessary, to mitigate any risks that could result from exceptions or a qualification within the SOC report.
SOC reports can be dense and intimidating—some of them are several hundred pages long. But that doesn’t mean plan sponsors can afford to treat them as paperweights until the auditors arrive. The more that plan sponsors understand what goes into these reports, the better equipped plan sponsors will be to meet their fiduciary duties.
Types of SOC Reports
There are several different categories of SOC reports, but SOC1 and SOC2 are the ones that plan sponsors will encounter most frequently. A SOC1 report focuses on controls related to financial transactions, such as payroll, investments, contributions and distributions. A SOC2 report focuses on security, privacy and other data- and compliance-related topics.
Furthermore, within each category, there are two different types of SOC1 reports: Type I, where the auditor determines whether the control is implemented and whether the design of those controls is appropriate as of a date in time; and Type II, where the auditor tests the operating effectiveness of each control for a specified period.
High-Priority Sections for Plan Sponsors
Since SOC reports are long and detailed documents, so it is helpful to know where to look to find the information that will be the most useful for plan sponsors. Some of the most valuable sections of SOC reports include:
- Independent service auditor’s report: The auditor will state its opinion about the accuracy of the description of the system and operating effectiveness of the controls (Type II) and identify whether the report is unqualified (clean) or qualified (issues were found).
- Control objectives: The plan sponsor will want to study this section to make sure that the service provider’s controls cover the areas that the plan sponsor is concerned most about, such as contributions, distribution, enrollment, investments and IT security.
- Complementary user entity controls: These are the controls that need to be in place and operating effectively at the plan sponsor level to ensure that the service provider is receiving the correct information it needs to execute its responsibilities, and that such information is accurate. In addition, the plan sponsor should have implemented various controls to review such output as applicable from the service provider. For example, if the plan sponsor doesn’t have proper controls for the accuracy of the payroll records it submits to the record keeper every pay period, the inaccurate information will then be inappropriately recorded to the plan’s records, and could be allocated to the wrong participant accounts/investments.
- Subservice organizations: These are service organizations that are used by the service provider and the services provided are relevant to the processing of financial reporting transactions. Plan sponsors should review the SOC report to determine if these service organizations and the related services are included within the SOC report or excluded from the SOC report. If excluded, and the plan sponsor believes these services are relevant to their plan, then additional SOC reports may need to be obtained and a review should also be conducted over the services provided by these subservice organizations.
- Complementary subservice organization controls: These are the controls that the service provider believes the subservice organizations need to have in place and operating effectively for the control objectives that are included in the service provider’s SOC report to be achieved. Should the plan sponsor conclude the services provided by the subservice organizations to be relevant to their plan, and a SOC report over the subservice organizations’ controls is obtained and reviewed, the plan sponsor should determine if the complementary subservice organization controls specified within the service provider’s SOC report are included within the subservice organizations’ SOC report.
Insight: Read the Report
It is common for plan sponsors to simply push a SOC report over to their auditor. SOC reports may be long and tedious, but they can strengthen a plan sponsor’s knowledge about the plan’s operations.
SOC reports can help plan sponsors understand how a service provider operates and can help sponsors decide whether the provider can satisfy the plan’s needs. The SOC report can also identify if there are issues that need to be addressed with the service provider or if there are areas missing that the plan sponsor would like to have included within the SOC report. If the provider has already been selected, plan sponsors can learn more about the controls that they need to have in place to ensure that the provider is receiving accurate and timely information.
Working with a service provider that has a SOC report doesn’t relieve the plan sponsor of its fiduciary duty to act in participants’ best interests. Plan sponsors need to respond appropriately to the information provided in the SOC report and realize that the report is just one source of inputs that can be used to help make these decisions.
Finally, no plan sponsor looks forward to a plan audit, but having access to SOC reports can make this a much more pleasant process by helping auditors perform their job in a more timely and cost-effective way.