Why Plan Sponsors Need to Start Reading SOC 1 Reports
Employee benefit plans (user entities) use service organizations to provide a variety of functions, including participant record keeping, trust reporting, plan testing, claims processing, and payroll. Delegating these functions can be efficient and cost effective, but it does not relieve plan management of its responsibility. When an outside service provider is hired to perform these services, plan management is in essence entrusting the service provider to act as an extension of the plan.
For years the terms SAS 70, SOC 1 (System and Organization Controls) and, most recently, SSAE 16 were used synonymously to describe reports issued for service organizations, relevant to their internal controls over financial reporting. Effective May 1, 2017, Statement on Standards for Attestation Engagements (SSAE) 18 became the new guidance, superseding SSAE 16 and SAS 70. SSAE 18 formalizes SOC 1 as the only applicable reference going forward.
SOC 1 reports enable plan management to identify controls currently in place at their service provider and determine whether or not they are operating effectively. There are two types of SOC 1 reports – Type I and Type II. A Type I report includes only the policies and procedures placed in operation, while a Type II report additionally tests the operating effectiveness of those policies and procedures.
Plan management should understand the control objectives described in the SOC 1 report and how they relate to their plan. Most important for plan sponsors is the section of the SOC 1 report that identifies complementary user entity controls. Complementary user entity controls are controls that must be performed by plan management in order for the controls at the service organization to operate effectively. The SOC 1 report is very clear that certain control objectives can only be achieved if complementary user entity controls are in place and operating effectively. Because these controls will be different for each plan, it is up to plan management to determine whether these controls are in place and operational.
For example, say a plan sponsor relies on its service organization to enroll new participants and set up retirement accounts on their behalf. The SOC 1 report has a control objective, tested by the service auditor, to ensure controls are in place to provide reasonable assurance that new participant accounts are authorized and processed accurately and completely in accordance with instructions received from the participant or plan sponsor. The service organization may have the proper controls in place to do this; however, in order to ensure they are properly performed, the SOC 1 complementary user entity controls require the plan sponsor to:
- Determine if a participant is eligible for the plan.
- Ensure forms are accurate, complete, and properly authorized.
- Send participant data in the agreed upon format.
- Resolve rejected items and re-submit in a timely manner.
- Monitor who has access to the plan at the plan sponsor.
This means that the control objective could have limited effectiveness if plan management doesn’t have the proper complementary user entity control in place to monitor and review participant eligibility prior to requesting that the participant be added to the plan. Before giving an employee an enrollment packet, the plan sponsor is responsible for ensuring that the employee is eligible to participate in the plan per the plan document. In addition, the plan sponsor is required to monitor which employee(s) have access to the online portal.
Many plan sponsors don’t realize that, even when they’ve delegated these functions to a service organization, they are still responsible for having controls in place and ensuring that policies and procedures are being followed.
When a plan is required to have an audit in accordance with the Employee Retirement Income Security Act of 1974 (ERISA), the plan auditor will often need to rely on the SOC 1 report. As more transactions become paperless, SOC 1 reports are vital to ensure that the reliance placed on service organizations is appropriate.
Plan sponsors should prepare for their ERISA audits by reading the SOC 1 reports and reviewing the complementary user entity controls within the report to verify that they have established and documented the necessary controls.