October 3, 2025
Are Your SOCs in Order? – Service Organization Controls
Retirement plan sponsors rely heavily on outside service providers to manage many aspects of their retirement plan, from participant recordkeeping and investment education to transaction processing and compliance testing. Because these services involve sensitive data and assets, sponsors should be confident that their providers maintain proper internal controls over these functions. Service Organization Controls (SOC) reports provide exactly that assurance.
What is a SOC Report?
If you hire a service organization, like Greenleaf Trust, to handle your retirement plan assets, you may have heard of a SOC Report. A SOC Report is a formal report prepared by an independent CPA firm that verifies how well a service organization implements and maintains processes for protecting client information and following the internal controls it has set in place. The auditor’s assessment details the service organization’s internal controls over financial reporting and evaluates the design of its operations and processes. Although a SOC Report is not required, it gives retirement plan sponsors, fiduciaries, and auditors assurance that the service provider has a sound process in place and is following that process.
There are two main types of SOC reports relevant to retirement plan services:
- SOC 1 Report: Focuses on controls relevant to financial reporting. For retirement plans, this includes assessment of IT controls, data security and privacy, the accuracy of participant account balances, contribution processing, loan repayments, and distributions. Plan auditors often request SOC 1 reports to support their annual audit procedures.
- SOC 2 Report: Evaluates controls related to security, availability, processing integrity, confidentiality, and privacy. For service providers handling sensitive participant data, SOC 2 reports demonstrate a commitment to protecting information and mitigating cybersecurity risks.
Why SOC Reports Matter to Plan Sponsors
Under the Employee Retirement Income Security Act (ERISA), retirement plan sponsors have a fiduciary responsibility to act in the best interest of the participants and their beneficiaries. When working with service providers, sponsors depend on the provider to cover some of the risks tied to those responsibilities, which in turn requires the sponsor to monitor the controls the provider has in place. Service providers should offer safeguards that keep participants’ personal information and accounts in good standing while complying with ERISA. A SOC report doesn’t eliminate all risk, but it provides transparency into the provider’s internal controls. The sponsor should carefully review the SOC report to fully assess the various functions the provider offers. By reviewing the SOC report, the sponsor can assess the provider’s controls over security (are records and assets protected?), accuracy (are financial transactions processed accurately?), and compliance (is the provider following ERISA and DOL regulations?).
What should plan sponsors look for in a SOC Report?
When reviewing a SOC report from your retirement plan provider, sponsors should:
- Evaluate the type of SOC report – SOC 1 focuses on financial reporting controls, while SOC 2 covers security, confidentiality, and privacy. Both are valuable depending on the type of service being provided. SOC 1 Type 2 reports also cover and assess the security and privacy of financial reporting and client data.
- Review the scope and testing period to confirm relevant services are included.
- Examine any control exceptions and ask the provider to explain each finding and how it was resolved.
- Review the opinion of the auditor: look for an “unqualified opinion” which indicates no major issues were found.
- Identify the applicable user controls the sponsor must follow. The most common user controls concern the sponsor’s internal systems, data transmission, authorization of governing documents, and authorization of logical access to the provider’s systems.
Where can you find the SOC Report?
SOC Reports are not available to the public, which is unfortunate, since sponsors would benefit from access to them when evaluating a potential service provider. However, when prospecting a new provider, a sponsor can request a copy of the SOC Report to review before hiring (if one is available). This allows the sponsor to fully evaluate the provider’s internal controls and confirm they meet the needs of the participants and the sponsor.
To conclude:
SOC reports are a vital oversight tool for retirement plan sponsors and fiduciaries. By utilizing these independent audits, sponsors can reinforce their oversight, potentially reduce risk, and help ensure participants’ retirement assets and personal data remain secure. At Greenleaf Trust, we annually undergo a SOC 1, Type 2 audit to provide our clients with the assurance that we have the operations and controls in place to properly service their retirement plans.