If you are a Plan Sponsor and need an audit from a CPA, one of the first things the CPA may ask you for is something called a SOC Report. This may have left you scratching your head in confusion. This blog will help to clarify.
Many third-party providers such as record-keepers, custodians, trustees and even payroll service providers will have something called a SOC Report (Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting) prepared to provide information related to the internal controls over specific portions of their internal operations.
Usually, these reports provide a description of the internal controls in place over functions such as:
- New plan setup
- Accuracy of participant transactions
- IT controls (access security)
- Program changes
- Backup daily maintenance
- Daily asset pricing
- Custody of assets
- Reconciliations and various other controls specific to the responsibilities of the third-party provider.
The report may also include information from an independent auditor on testing that was performed on the performance of the controls over a specified period (usually one year). These reports are important for your plan as they document the work completed by your service providers with regard to the plan and the accuracy, completeness and timelines of those activities.
If your plan requires an audit, your auditor will request a copy of relevant SOC Reports as part of their audit documentation request. They also provide valuable information to you as the Plan Sponsor regarding the controls they have in place to ensure your plan transactions are completed accurately, completely, and timely.
Ask for a copy of the report, review it and ask questions if you have any concerns regarding the testing findings identified by the SOC auditor. These reports also describe the processing conducted by your service provider. You can review the report and the test findings related to the areas of service you rely upon. If you see significant testing findings reported by the auditor that performed the test work in the SOC Report, discuss the service provided to your plan to make sure you are comfortable with the accuracy and timeliness of all the transactions for your plan participants.
One other area of importance in the SOC Repot is called “user entity controls”. These are controls within your organization that the service provider is relying upon. As the Plan Sponsor, you should review these controls and make sure you have them working properly. Your auditor will also need to verify that these controls are in operation and may want to do some testing around the controls so having good documentation of these controls will help your audit proceed smoothly.
Do you need an audit for your 401(k) plan? Consider a specialized firm like Summit CPA Group. We can provide a quality benefit plan audit that is efficient and accurate. We also offer flat-fee pricing so there are no surprises on your bill when the job is complete. If you would like to discuss our audit process in more detail, contact our office at (866) 497-9761.