SOC 1 Reports and Limited Scope Audit Certifications Are Not the Same

Posted by Maria T. Hurd, CPA

Every year, at least one retirement plan service provider tells us that a plan qualifies for a limited scope audit because their company has an SOC 1 report. As explained in our last blog, Type 1 SOC 1 reports address the adequacy of the design of internal controls at a service provider and Type 2 SOC 1 reports address the effectiveness of said controls. Auditors can rely on such reports to reduce the extent of substantive testing or change the nature of tests in any significant audit area covered by the report. The modification of the type and extent of audit procedures resulting from the auditor’s reliance on an SOC 1 report is not a limited scope audit. An auditor is able to issue a completely unmodified opinion even after reducing testing in all audit areas as a result of a totally clean SOC 1 report.

On the other hand, only eligible regulated institutions, including banks, trust companies, and insurance companies, can certify the completeness and accuracy of investment values on the financial statements, allowing the auditor to exclude only investment testing from the scope of the audit. The exclusion of investment testing from the audit procedures pursuant to a limited scope certification results in a limited scope audit. Since investments comprise a significant portion of the total plan assets, auditors must disclaim an audit opinion when performing limited scope audits, even if every other significant audit area was tested to its full extent, without regard to an SOC 1 report.

In fact, for a limited scope audit, the auditor has no responsibility to obtain an understanding of the controls maintained by the certifying institution over assets held for investment and investment transactions executed by the institution. Therefore, in a limited scope audit, to the extent that the eligible institution is only providing investment transaction services, an SOC 1 report for the trust department does not need to be obtained or summarized. However, if the eligible institution is also providing services such as accounting for transactions in participant account balances, an SOC 1 report would be necessary if the auditor would like to reduce the extent and nature of substantive testing with respect to those audit areas.

For more in-depth information about the SOC 1 reports and the limited scope certification requirements, please visit our team’s previous blogs on those topics at the following links:

Limited Scope Audits: Worthless or Worthwhile?

Advanced Limited Scope Audit Issues

Limited Scope Audits

Limited-Scope Certification vs. SSAE 16 Report: Not Mutually Exclusive

Service Organization Control (SOC) Reports Help to Gain Understanding

Photo by Juhan Sonin (License)
