Importance of SOC 1 Report User Controls
Whether you sponsor a defined contribution plan or a defined benefit plan, service providers are a key component in the administration of your plan as a fiduciary. To provide assurance over the services they provide, management of these service organizations engages independent auditors to perform analyses over their internal control structure. The result from these analyses is a SOC 1 report. There are two types of SOC 1 reports:
- Type 1 Report – A Report on Controls Placed in Operation. This report is an auditor’s report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
- Type 2 Report – A Report on Controls Placed in Operation and Tests of Operating Effectiveness. The Type 2 report mirrors the Type 1 report but also includes the service auditor’s opinion on the operating effectiveness of the controls and includes a description of the service auditor’s tests of the operating effectiveness of the controls and the results of those tests.
SOC 1 User Controls
Plan administrators hiring a service organization, commonly referred to as a third-party administrator “TPA”, can often develop a sense of comfort in evaluating, selecting and monitoring the TPA if that provider has obtained a SOC 1 report. SOC 1 reports not only contain a detailed description of the internal controls in place at the service organization as detailed above but may also include the results of testing those controls performed by an independent auditor. Plan administrators are responsible for reading these reports and must pay particular attention to the following:
- User Organization Controls – Be mindful of a section of the SOC 1 report listing “user controls.” This is equivalent to a disclaimer from the TPA that the service organization controls cannot be guaranteed to achieve their stated objectives if the user organization does not implement certain specific controls internally. The TPA will disclose specific user controls within its report, which will promote an overall control structure between the service organization and the plan sponsor. These user controls spell out which plan sponsor controls should be in place to ensure there is proper coordination between the plan sponsor and the service organization, and no gaps in controls. For instance, an investment manager that interfaces with its clients through a proprietary system cannot guarantee that its controls will result in accurate and appropriately authorized investment decisions if the user organization does not put in place controls to ensure that access to the investment manager’s interface is granted only to those who should have it.
- Carve-Outs – Pay careful attention to aspects of the service package that are “carved out” of the SOC 1 report. These are parts of the process that your TPA may have outsourced to additional TPAs, and, therefore, the controls around this part of the process are not described or tested within that SOC 1 report. Evaluate the significance of any carve-outs noted in the report to the services provided to you. If the controls at these sub-service organizations are potentially significant to your ability to rely on the service organization, you should request a SOC 1 report from the sub-service organization as well and review it using the same criteria and scrutiny.
- Noncompliance Identified – SOC 1 Type 2 reports outline in detail what controls were tested and the results of testing. A comprehensive review of the report should include noting any controls for which the testing yielded exceptions and an evaluation of the potential for those exceptions to impact the user organization. If a user organization determines that a service organization’s control testing exception is not acceptable with respect to the reliance placed on that TPA, the user organization must consider what controls it has in place or could put in place to prevent or detect and correct the types of errors that the service organization was meant to be relied upon to prevent.
- Period Covered – Audits of service organizations typically cover a period that does not coincide with the calendar year; many SOC reports cover periods ending September 30. A plan sponsor with a calendar year-end that receives only a SOC report covering 9 months of that year should be concerned that the controls documented in the report may not have been in place, or may have changed, during the remaining three months in which the plan relied on the provider. Management commonly supplements their SOC reports by issuing letters to cover the gap in coverage, which explain any changes in controls during the period not included in the report.
These reports are provided to users of service organizations upon request. The TPA’s internal control structure noted within the SOC 1 report can be a useful tool for monitoring the service provider. However, the responsibility to administer benefit plans in accordance with the plan documents remains with the plan sponsor.
Implementation of these user controls is vital to ensure that your plan is properly interacting with the service organization. Instead of simply turning over the SOC 1 to your benefit plan auditors, it is critical that you seek out the user controls within the report and verify that your organization is addressing all of the controls noted. Below you can find five common user controls and an example of an effective way to address each control.
- User Control: The Plan Sponsor is responsible for establishing controls to verify data is input and processed accurately and completely as supported by source documentation.
- Control Response: Payroll is reviewed and initialed by a designated employee. Part of the review process includes reconciliation between the payroll report and the trial balance to confirm accuracy. The Director of Human Resources reviews all pay increases, status changes, time sheets and withholding forms to ensure they are consistent with the payroll data transmitted to the service organization.
- User Control: The Plan Sponsor is responsible for establishing controls to review, approve and communicate any modifications made to the plan recordkeeping agreement and any plan documents.
- Control Response: The Board of Directors and the Director of Human Resources are responsible for reviewing and approving plan documents as well as any plan changes. All changes are communicated directly to the service organization through documented phone calls and emails.
- User Control: To the extent that a plan sponsor has access to the service organization’s systems, the plan sponsor is responsible for establishing and maintaining adequate controls over physical and logical access at the plan sponsor locations.
- Control Response: The Director of Human Resources is the security administrator within the online bridge system. The Director has authority to add and delete users with access to the online portal. User access is updated by the Director on an “as needed” basis for employee turnover or changes in job function.
- User Control: The plan sponsor is responsible for establishing control activities relating to the timely review of plan reports, distribution reports, conversion reports, participant records, and statements provided, and for providing notification of any discrepancies in a timely manner.
- Control Response: The HR department reviews the service organization’s data packets on a monthly basis and ties any significant changes to their records. Any discrepancies are brought to the service organization’s attention for reconciliation of the issues.
- User Control: The plan sponsor is responsible for evaluating the significance of manual adjustments to the plan financial statements identified during the reconciliation from the plan financial statements to the plan sponsor data.
- Control Response: The Human Resources department performs a monthly reconciliation between internal records and the service organization records to determine if any necessary adjustments have not been communicated. Any manual adjustments are communicated by management to the plan sponsor immediately.
The process of addressing these user controls should be collaborative and ongoing. Ensuring these user controls are in place plays an instrumental role to support the operating effectiveness of your plan administration.