Retirement plans rely on multiple service providers such as recordkeepers, custodians, and third-party administrators to process transactions and maintain participant data. Because so many critical plan functions are handled by outside parties, it’s important for plan sponsors to understand how controls at these service providers are evaluated and relied upon.
This is where System and Organizational Control (SOC) 1 reports come into play. A SOC 1 report provides independent assurance over the controls at a service organization that are relevant to your plan’s financial reporting. These reports help confirm that key processes such as contributions, distributions, loans, and participant account activity are being followed as designed.
As a plan sponsor, it’s important that you obtain all SOC 1 reports each year from relevant service providers. At a minimum, reports should be obtained from your outside payroll provider and the recordkeeper that processes day-to-day transactions for the plan. These reports should be reviewed in detail, with a particular focus on the results of the tests of controls for each control objective. If any deviations are identified, you must assess what impact, if any, they may have on your particular plan.
While service providers may perform day-to-day plan functions, plan sponsors retain fiduciary responsibility for oversight. SOC 1 reports typically include a section titled “complementary user entity controls”. This section outlines controls that the plan sponsor is expected to have in place for the service provider’s controls to be effective. If these complementary controls are not in place at the plan sponsor level, reliance on the SOC 1 report may be limited. As part of the detailed review of the SOC 1 report, these user entity controls should be reviewed against current internal control policies at the plan sponsor level to identify any potential gaps.
From an audit and compliance perspective, timely review of SOC 1 reports by plan sponsors helps streamline the audit process and avoid delays. Confirming that reports cover the appropriate period, that any exceptions are reviewed and documented, and that relevant complementary user entity controls are addressed can prevent last-minute questions and reduce audit findings.
If you have questions about SOC 1 reports, service provider or plan sponsor responsibilities, please feel free to reach out. Our team is available to help you!

