Service Organization Control (SOC) Reports Help to Gain Understanding

Posted by Maria T. Hurd, CPA

Disclaimer: All blog posts are valid as of the date published.

As stated in our previous blog post, It Takes a Village, plan sponsors use many specialized service providers to successfully administer and account for all the financial activity in their plans. Independent third-party specialists can include payroll companies, third-party administrators, investment custodians and institutional trustees. Each of these specialized service organizations generates data or other information that is incorporated in the retirement plan’s financial statements.

Because the auditor is responsible for auditing all the information that affects the plan’s financial statements, including the information generated by the service organizations, the auditor must find a way to corroborate the completeness and accuracy of the information those organizations process. One of the most efficient ways to gain an understanding of the adequacy and effectiveness of the internal controls at the service organizations is to obtain a Service Organization Control (SOC) Report.

Type 1 – A Type 1 Service Organization Control (SOC) Report provides a description of the internal controls in place at the service organization and the service auditor’s opinion on whether the internal controls, as described by the service organization, are suitably designed.

Type 2 – A Type 2 SOC 1 Report contains the same description of controls and, in addition, the service auditor’s opinion on whether those controls are operating effectively over the period covered. Both Type 1 and Type 2 reports on controls relevant to financial reporting have been designated as SOC 1 reports.

If the plan sponsor is using a service organization to initiate, execute, compute, or record plan transactions, the plan auditor can rely on a Type 2 SOC 1 report to reduce, BUT NEVER TO ELIMINATE, the extent and nature of the audit procedures performed with respect to a significant audit area. For example, plan auditors sometimes rely on a Type 2 SOC 1 report that shows no exceptions on the timely and accurate processing of transactions initiated and authorized online directly by participants. These auditors can consider sending “negative confirmations” rather than “positive confirmations” to verify that transactions reflected in the plan’s financial statements were properly authorized and accurately processed. Such a decision to reduce the nature and extent of testing must be considered on a case-by-case basis, taking into account controls in place at the plan sponsor as well as at the service organization.

Service auditors used to issue their reports on internal controls at the service providers under Statement on Auditing Standards No. 70 (SAS 70). Effective for plan years ending on or after June 15, 2011, these engagements fall under Statement on Standards for Attestation Engagements (SSAE) No. 16. Like the SAS 70 reports, SOC 1 Reports were always intended for use by plan auditors and plan sponsors because of their focus on financial reporting. The new SOC 2 Reports (Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy) provide detailed information about controls other than those over financial reporting, specifically addressing the explosion of new technologies such as cloud computing. The new SOC 3 report (Trust Services Report for Service Organizations) covers the same subject matter as SOC 2 but provides a short-form, publicly available report that service organizations can use for marketing purposes.

The most common misconception amongst service providers and clients is that the old SAS 70 or the new SOC reports allow the auditors to complete a limited scope audit. This is not the case. Next week’s blog will discuss limited scope audits. For now, suffice it to say that auditors can rely on SOC reports only to reduce the nature or extent of audit procedures, never to eliminate the need to perform procedures on a significant audit area. Less audit testing generally results in cheaper audit fees and happier audit clients.