Using Service Organization Control (SOC) 1 Reports to Reduce Audit Testing

Authored on

Posted by Maria T. Hurd, CPA

SOC 1 Reports - ERISA Limited Scope AuditType 1 SOC 1 reports provide plan auditors with an evaluation of the adequacy of the design and implementation of controls at a service provider and Type 2 SOC 1 reports discuss the operating effectiveness of the controls as designed.

In no event does reliance on a clean SOC 1 result in the elimination of all audit testing with respect to a significant audit area.

Often, service providers to a plan will provide an SOC 1 report INSTEAD of the specific information requested by an auditor to conduct substantive testing of a significant audit area.  When this happens, the representative at the service provider often indicates that the auditor can rely on the opinion of the national firm regarding the entity’s controls to skip an audit procedure for which they are having trouble producing the requested backup.

SOC 1 reports never address the client under audit specifically. In fact, the financial activity for any given plan under audit is likely immaterial to the service provider as a whole.   As a result, when a Type 2 SOC 1 report indicates that a certain process was processed appropriately without exception, the auditor can use that knowledge to consider reducing the extent of testing or change the nature of testing performed, but never to eliminate testing for the plan under audit.

In other words, if the operating effectiveness of relevant internal controls has been tested by a service auditor that reports no exceptions for that process on the Type 2 SOC 1 report, the auditor of the plan may be able to reduce substantive procedures for that audit area, but substantive procedures are still required.

Photo by Raymond Bryson (License)

Disclaimer: This blog post is valid as of the date published.

About the Author

Director Accounting & Auditing

More Insights from Maria

© 2022 Belfint Lyons & Shuman | All Rights Reserved  | Privacy Policy |

Belfint Lyons Shuman is a Certified Public Accounting (CPA) firm that audits Defined contribution plans (profit-sharing, 401(k), 403(b) , 401(a), 457(b))), and Defined benefit plans (pension and cash balance), and Health and welfare plans. We serve a variety of plan sponsors including for-profit, nonprofit, governmental, and Taft-Hartley collectively-bargained plans located in Delaware, Pennsylvania, New Jersey, Maryland, Washington, D.C., Virginia, Massachusetts, and nationally. For additional information contact us at