What is a SOC-1 report?  And why is it important to your Plan?  From the auditor perspective


Plan sponsors of 401k plans, both large audited plans and smaller plans, have most likely run into a key document that remains a mystery: what is it for, and what are plan sponsors supposed to do with it?

The document is the annual SOC-1 report for the key service providers to your retirement plan. Let’s take a few minutes to look at this report and gain a better understanding of what it is for, as well as what plan sponsors should be doing with it.

What is a SOC-1 report?

SOC is short for “Service Organization Controls”. A SOC-1 report is a report on the internal controls at a service organization that are specific to the processing of transactions for user organizations. A service organization is a company that provides services to your 401k plan. The user organization is the Plan Sponsor that uses the services of the service organization. The typical service organizations to your 401k plan are:

o  The Plan’s custodian/recordkeeper (Principal, Vanguard, Fidelity, etc.)

o  Payroll provider (ADP, Paychex, etc.)

The custodian/recordkeeper is a key service organization to your plan because it processes your retirement plan transactions. Your payroll provider is also a key service organization to your plan because the accurate processing of payroll transactions directly affects your 401k plan activity.

Most service organizations will have a SOC-1 report, and may also have a SOC-2 report. For purposes of a retirement plan audit, your audit firm will want the SOC-1 report, which is focused on the internal controls over processing transactions at the service organization. SOC-2 reports are more narrowly focused on IT controls at the service organization and are not the focus of this discussion.

Type 1 vs Type 2 reports

A SOC-1 report can be a Type 1 or a Type 2. There is an important difference between these designations. 

A Type 1 report documents the internal controls related to processing transactions at the service organization. However, a Type 1 report does not include tests of those controls.

A Type 2 report documents the same internal controls related to processing transactions at the service organization, and also includes the results of the tests of those controls for operating effectiveness.

The auditor of your plan wants a Type 2 report, because your auditor wants to rely on the testing of the internal controls at the service organization. A Type 1 report is not useful to your plan auditor.

Why a plan sponsor needs to read and review the annual SOC-1 reports

Typically, the key service providers to your plan are the custodian/recordkeeper and your payroll provider. These service providers are processing thousands of transactions monthly, weekly, or even daily. As the Plan Sponsor, it is your responsibility to make sure the service providers to your plan are accurately processing transactions related to your plan. If a SOC-1 report has errors noted in the testing, or a qualified opinion, the plan sponsor is responsible for determining the impact on their 401k plan.

What are the key sections of a SOC-1 report that a plan sponsor should be reviewing?

There are four key sections of a SOC-1, Type 2 report a plan sponsor needs to review:

1.      The audit opinion, known as the “Independent Service Auditor’s Report”. This is the report the CPA firm provides on the results of its tests of controls at the service organization. The opinion is typically near the front of the SOC-1 report and is typically 3 pages in length. A plan sponsor wants to find the “Opinion” section near the end of the third page, and wants to see in this section that the service auditor is concluding that the controls operated effectively for the period under audit.

If the Independent Service Auditor’s Report contains a “Basis for Qualified Opinion” paragraph, this indicates there were errors in the internal controls at the service provider. The plan sponsor needs to evaluate these internal control errors for any potential negative impact on their 401k plan.

2.      Subservice providers. A service organization typically uses other companies to provide services to the service organization. These other companies are known as subservice providers. Depending on the service organization, a subservice provider may provide services such as IT hosting and backup, valuation services for specific investment products, physical security services, or a variety of other services to the service organization. The SOC-1 report will typically carve out the subservice providers from the tests of controls at the service provider, meaning that the internal controls at the subservice providers are not included in the tests of controls in the SOC-1 report.

Plan sponsors should evaluate the subservice providers to determine whether any of them provide a key service to the main service organization. If the plan sponsor determines that a subservice provider is providing a key service to one of the plan’s service organizations, the plan sponsor should obtain and review the SOC-1 report of that key subservice provider.

3.      User controls. A key section of the SOC-1 report that is often overlooked is the User Controls section. This is a list of internal controls that the service organization recommends the plan sponsor have in place at the plan sponsor’s company. In the User Controls section, the service organization states that, in order for the service organization to have accurate data to process, the plan sponsor needs to have user controls in place to ensure accurate data is provided to the service organization.

The SOC-1 report may have a list of 20 to 40 recommended user controls for the plan sponsor to have in place. However, in reality, a plan sponsor does not need to have all of the user controls in place. I would recommend a plan sponsor review the user controls and pick out 5 to 7 key user controls to have in place at the plan sponsor’s organization.

4.      Results of the tests of controls. The section of the SOC-1 report that contains the controls tested and the results of those tests should be reviewed by the plan sponsor. This part of the report may describe 10 to 20 different control objectives, with various tests of controls within each control objective. Management at the plan sponsor should read this section and look for any tests with testing exceptions identified.

It is very common for a SOC-1 report to have a few testing exceptions identified. A SOC-1 report can have a few testing exceptions and still have a clean service auditor’s report. However, management at the plan sponsor will still want to evaluate whether any of the testing exceptions noted in the SOC-1 report may have a negative impact on their plan.

Reporting the results of management’s review of the SOC-1 report

Management should report the results of their review of the SOC-1 report to the committee responsible for oversight of the plan. The best way to document this is to include management’s report in the meeting minutes of your plan oversight committee. For more tips on plan oversight meeting minutes, see my recent article on LinkedIn at https://www.linkedin.com/pulse/time-catch-up-those-401k-plan-committee-meeting-bradley-bartells-cpa

How exactly should management document their review of a SOC-1 report? Start by gathering data from the SOC-1 report for items #1 - #4 noted above. Summarize this information into a concise report and provide the report, with management’s conclusion, to your oversight committee.

Still looking for advice on how to summarize this information? Reach out to me at bjb@muncpas.com. I have developed a SOC-1 review template to assist plan sponsors with performing this task.

Monitoring the service providers to your retirement plan is a key fiduciary task of plan oversight. A timely and accurate review of the SOC-1 reports of your plan’s key service providers will allow management to properly evaluate the reliability of those service providers in accurately processing the data and transactions of your plan’s participants.

Rebecca Hourihan AIF® PPC™

Chief Marketing Officer at 401(k) Marketing

3y

Great article! Appreciate the insights. We're voluntarily doing a SOC 2 Type 1 audit and have learned a great deal about cybersecurity and internal controls. For anyone who hasn't been through a SOC Audit or read through one, I'd 100% recommend the exercise. It is a lot of work, but when client safety is involved, it's the only priority.

Shir Keidan McGettigan FSCP®, AIF®, CPFA®, C(K)P®, NQPA

Financial Advisor / 401k Specialist at BLS Wealth Management (Bienenfeld, Lasek, and Starr)

3y

Very informative!! Thank you!

Zach Carstensen

Regional Vice President at John Hancock Retirement Plan Services

3y

Good stuff. Next write up should be on the SOC-2 Report and the importance in this cyber security age.

Chad Johansen

401(k) Nerd and 1/4 of the Retireholi(k)s - Helping advisors deliver!

3y

Good, deep stuff here Brad. Thanks for the write-up.
