What is a SOC1 report?

A Service Organization Controls Report (commonly referred to as a “SOC1” report), is a report on the controls in place at a service organization (such as a third party administrator, plan custodian, or payroll provider). The report is provided by a CPA firm and contains an audit opinion regarding the controls in place at a service organization. It also includes a description of controls, user controls, and, in the case of a Type II report, tests of controls and findings. (A Type I report contains the description of controls, but not tests of controls.) The Type II report covers a period of time (generally one year), while the Type I report is as of a point in time.

What do I do with the SOC1 report?

First, be sure to read the auditor’s report for any exceptions. If there are exceptions, review the exceptions to determine whether they impact your benefit plan. Don’t be afraid to contact the service provider, or even the SOC1 auditor, if you have concerns regarding the impact on your plan. As a fiduciary, it’s your responsibility to evaluate your plan’s service providers.

After reading the auditor’s report, read the description of the controls in place at the service organization to gain a better understanding of how the service organization provides services to your plan, as well as what controls are in place to protect your information. Also note what sub-service organizations the service organization uses to determine whether or not you should obtain and review the sub-service organizations’ SOC1 reports, as well.

Next, review the “user controls” or “client control considerations.” These are the controls that the service provider expects to be in place at your company, in order for its controls to work. These may be listed in one section of the report or throughout the tests of controls section. Evaluate whether or not you have these controls in place, and, if you do not, consider implementing them.

Finally, review the tests of controls performed by the auditor. Specifically, look for exceptions noted by the auditor, as well as management’s response to the exceptions. Consider whether or not the exceptions may impact your plan. If you determine they could impact your plan, consider additional reviews you may implement internally to mitigate the risk of errors within your plan.

Then what?

Now it’s time to give the SOC1 report to your plan auditors. Your auditors may also ask you to address the user controls, which you have already done if you’ve followed my advice. So, next time you receive a SOC1 report, don’t simply forward it to your auditors. Follow the steps above. You never know…..you may identify an issue before the auditor does, which is much better for both you and the auditor!