SOC Report. SSAE 16 or 18. What do these terms mean? Your employee benefit plan auditor may request these reports from you during a plan audit and you may be wondering what they are asking for.
A SOC (System and Organization Controls) report is a report on controls at a service organization that are relevant to the user entities' internal control over financial reporting. The report is also referred to as an SSAE (Statement on Standards for Attestation Engagements) 18 report (formerly SSAE 16, until May 2017). SSAE 18 was issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) and defines how service organizations should report on various compliance-type controls. Basically, when you hire a third-party service provider to perform a service for you, you are relying on their internal controls as an extension of your own controls. Your employee benefit plan auditor will typically want to review these reports to see whether your service providers (record-keepers, trust companies, payroll providers, etc.) have certain controls in place, whether those controls have been tested, and whether there are issues with the controls. The auditor uses the report to help determine how much audit testing is needed.
Plan sponsors have a responsibility to understand this report as well, since the service provider's controls are considered an extension of their own. The service provider is handling sensitive data about your plan participants. If your service provider has a lot of control issues, you may need to implement additional controls at the plan sponsor level, or the issues may be serious enough to warrant switching service providers.
Some Key Components of the SOC Report to Review and Understand
Service Auditor’s Report
When reviewing a SOC report, one of the first components to review is the service auditor’s report. There are some key things to look for when reviewing.
Is it a Type 1 report or a Type 2 report?
Another term you may hear your employee benefit plan auditors refer to is a type 1 or type 2 SOC report. In essence, a type 1 report simply lists the controls the service provider has in place, whereas a type 2 SOC report also tests those controls and reaches a conclusion on their operating effectiveness. In an employee benefit plan audit, the goal is to obtain a type 2 SOC report so your auditor can be comfortable that the internal controls are not only in place but have also been tested by an independent party. When reviewing the service auditor's report, if it does not refer to the effectiveness of the controls, it is most likely a type 1 report (meaning no detailed testing was performed on those controls).
Does it cover a recent period?
You will want the report to cover a recent period, preferably one that overlaps the year of the employee benefit plan being audited. It is not uncommon for these audits to be performed on a different timeframe than your plan year, but make sure you have the most recent report available, and request a bridge or gap letter to cover any months of your plan year that the report does not cover.
Is it a reputable auditor?
You will also want to see who prepared the service auditor's report. Is it a well-known, reputable accounting firm? If you are not familiar with the firm's name, you may want to make some inquiries to confirm that it is competent and capable of issuing quality work.
Service providers often outsource some of their own functions as well. You will want to see what they are outsourcing, and if you consider that function significant, you may want to obtain a SOC report for that subservice organization too, to make sure it does not have any major compliance issues.
Complementary User Controls
The plan sponsor will want to pay close attention to the complementary user controls section of the SOC report. The service provider relies on its customers (the plan sponsor in this example) to have certain controls in place on their end in order for the service provider's controls to be effective. The plan sponsor should get familiar with those controls and, where any of them are not in place, get them implemented.
Description of Tests of Controls and the Results of Testing (In the Case of a Type 2 Report)
The report will walk through the various controls that are in place, describe the tests performed on each control, and give the results of that testing. Typically your employee benefit plan auditor will check whether tests were performed in the following areas and whether there were many negative test results (these are some of the areas the AICPA Employee Benefit Plan Audit Quality Center recommends reviewing):
- Information technology (such as access to programs and how changes are made to programs)
- New plan setup in relation to plan provisions as well as plan participants (accounts and investments)
- Eligibility, enrollment and participant data
- Contributions on a plan level and participant level
- Participant income and expense allocations
- Distributions to participants/beneficiaries
- Plan expenses
- The safekeeping and valuation of investments held
- Purchases/sales of investments and market gain/loss
- Investment income
- Investment election changes
Regardless of whether your plan needs an audit, it is recommended that you get familiar with these reports to ensure optimal internal controls. As a plan sponsor, it is your responsibility to protect participant data. When switching service providers, you may also want to review the prospective provider's SOC report before making the decision, to make sure the results are positive and the controls tested are in line with what you would like to see.