A System and Organization Controls report, or SOC report, is an integral part of an organization’s employee benefit plan. This report details the controls used by a service provider, as established through review, evaluation, and testing. The report is most often used by employee benefit plan auditors, but the information it provides can also be valuable to plan sponsors.
The SOC report provides plan sponsors with information that can help with the evaluation and selection of new or current providers. The report also provides an understanding of how providers perform outsourced operations that are impactful to the execution of a benefit plan. SOC reports can also reveal potential deficiencies, allowing for time to mitigate risk and avoid major issues.
A plan sponsor’s ultimate responsibility is to fulfill fiduciary duty through informed decision-making and action that benefits plan participants. The SOC report can assist plan sponsors with these responsibilities by providing them with accurate, detailed information regarding providers and controls.
Unfortunately, it is quite common for plan sponsors to disregard a SOC report until an auditor asks for it. The report can be extremely long, and since reviewing it is not required of sponsors, many never do. While sponsors are not expressly required to read and understand the report, failing to do so can limit their ability to fulfill their responsibilities. Sponsors that review these reports proactively are better placed to make informed decisions and, when necessary, to change service providers.
The most common SOC reports that sponsors will come across are the SOC1 and SOC2. These two report types cover different areas: SOC1 reports focus on controls related to financial transactions, while SOC2 reports cover security and privacy. The SOC1 is further divided into Type I and Type II reports. A Type I report shows whether controls are implemented and whether their design is appropriate; a Type II report additionally tests the operating effectiveness of each control.
The most valuable sections of SOC1 reports that sponsors can review include the following:
- Independent Service Auditor’s Report
- Control Objectives
- Complementary User Entity Controls
- Subservice Organizations
- Complementary Subservice Organization Controls
Each of the above-named sections provides sponsors with information that can assist them in fulfilling their fiduciary duty. Reading these sections very carefully can help sponsors mitigate risk and make decisions regarding service providers.
For more information regarding the importance of SOC reports or the impact they can have on an employee benefit plan, please reach out to Melissa Shronce at firstname.lastname@example.org or (828)322-2070.