As a benefit plan auditor for over 10 years, I found it surprising how many of my clients didn’t know their recordkeeper had a SOC 1 report, let alone what to do with it once they got it for the audit. The truth is that the United States Department of Labor (DOL) publication Meeting Your Fiduciary Responsibilities provides an overview of the basic fiduciary responsibilities that apply to retirement plans under the Employee Retirement Income Security Act (ERISA), and monitoring service organizations and their controls is one of them.

Outsourcing recordkeeping services is very common and is a way to reduce costs and increase efficiency in administering employee benefit plans. While choosing a recordkeeper is important, the fiduciary responsibility doesn’t stop there. Management should periodically monitor the service organization to confirm it is performing the agreed-upon procedures as they relate to the plan.

These are some steps plan management can take to fulfill this responsibility on a yearly basis:

Review of audit report

Once the SOC 1 Report is received, management should read the audit report and look for the following:

  • Dates
    • Review the period covered and verify that the report properly covers the plan year. If it does not, obtain a bridge (gap) letter from the service organization covering the period from the report’s end date through the end of the plan year. Note that a bridge letter is the service organization’s own representation that no significant control changes occurred; it is not an extension of the service auditor’s opinion.
  • Audit opinion
    • Look for an unmodified (clean) opinion.
    • If a qualified, disclaimer of, or adverse opinion is noted, management needs to determine the impact it has on the plan. See below on evaluating any deviations.
  • Carve-outs
    • Some service organizations use another service organization (a subservice organization) to process certain transactions as part of their agreement, and the SOC 1 report may carve that organization’s controls out of its scope. If the carved-out transactions are significant to plan operations, plan management should obtain the subservice organization’s SOC 1 report as well.

Evaluate any deviations identified

You have read the report and found that the service auditor’s testing identified deviations (exceptions) in one or more controls, or that the opinion was modified. Now what? Plan management must understand which controls had deviations and analyze the impact those deviations have on the plan’s operations. Review the service organization’s response to each deviation, any compensating controls it describes, and how the deviation affects the service organization’s overall controls.

Continued, significant deviations can be a sign that plan management needs to evaluate if another recordkeeper is needed.

Verify and document the complementary user controls at the plan level

The service organization’s controls alone are not sufficient to ensure controls over plan operations. Each SOC 1 report includes what are referred to as complementary user entity controls (often shortened to complementary user controls). These are the controls that the service organization assumes will be in place at the plan level in order for its own controls to be effective. They are defined and listed in the SOC 1 report. Plan management is responsible for reviewing these controls, verifying they are properly designed and implemented at the plan, and then operating them effectively.

To do this, management should document the plan’s control that covers each user control, who performs it, and how often. Management should focus its attention on the “key” user controls, which are those that affect participant benefits, data, and elections. Management should also note that one plan-level control may cover multiple user controls.

Below is an example of documenting user controls at the plan level:

Ultimately, plan management is responsible for monitoring outsourced plan recordkeeping as required by the DOL and ERISA. When choosing a service organization to provide recordkeeping services, management should look for a provider that has a Type 2 SOC 1 report (which covers the operating effectiveness of controls over a period, not just their design at a point in time), request the report annually for use in the monitoring process, review the audit opinion and evaluate any deviations, and then verify that all complementary user entity controls are in place at the plan level.

For more information regarding SOC 1 reporting or how LBMC’s Audit and Assurance practice can help, contact our team today.

Content provided by LBMC audit professional, Kayla Carr.