Oversight Over Outsourced Service Providers and Review of a SOC 1 Report

Many employee benefit plans (the Plan) engage service providers (such as record keepers, trustees, and custodians) to provide services and process transactions on behalf of the Plan. By contracting these providers, the plan sponsor can focus on day-to-day tasks, knowing that experts are on its side, and those experts also help streamline the process of administering the Plan.

It is a common misperception that all responsibility for outsourced services shifts to the service provider. In fact, the Employee Retirement Income Security Act of 1974 (ERISA) requires that the named fiduciary of the Plan (the Plan administrator, unless otherwise defined in the Plan Document) have overall authority and responsibility for management and oversight of the Plan. While Plan administrators may engage consultants to help with the process of administering the Plan, the Plan administrator still retains overall authority and responsibility for management and oversight of the Plan. As a result, an effective system of internal control for the Plan depends on the sufficiency of the controls at both the Plan Sponsor and any outsourced service providers.

How Your Plan Can Monitor the Controls of Service Providers

To assist Plan sponsors in evaluating the portion of the control environment they have outsourced, many service providers provide an SSAE 18 System and Organization Controls 1 report (SOC 1). This report describes the service provider’s control environment and the results of tests of operating effectiveness over certain control objectives (those related to the preparation and presentation of financial information). The SOC 1 is examined and opined upon by a separate, independent auditor (referred to as a service auditor).

How to Utilize a SOC 1 Report:

Below are some tips on how to get the most from your service provider’s SOC 1:

  • Make the SOC 1 part of the Plan oversight process. Ensure obtaining and reviewing the SOC 1 report is part of the Plan administrator’s routine oversight responsibilities.
  • Document the review of the SOC 1 report. The best way to indicate the completion of a review of the SOC 1 is to prepare a detailed, documented account of the review:
    1. Period of Coverage. SOC 1 reports often do not cover a full twelve-month period as a Plan year would. As a result, request that your service provider supply you with a bridge or gap letter covering the control environment for any portion of the Plan year not covered by the SOC 1 report.
    2. Service Auditor’s Opinion. Review the opinion issued by the service auditor to verify there are no qualifications or modifications to the opinion that would indicate that controls are not operating sufficiently.
    3. Control Objectives. Review the control objectives identified in the SOC 1 to verify that they cover all the types of transactions relevant to the Plan (e.g. enrollment of participants, allocating contributions and investment income to participant accounts, participant-directed investment elections, processing participant distributions, etc.). You can also expect to see control objectives relating to the service provider’s information systems (IS) environment. Also note that each control objective will be tested for operating effectiveness.
    4. Results of the Tests of Operating Effectiveness. The service auditor will include a conclusion on their tests of operating effectiveness and identify if they found any deviations. Should any deviations occur, you must review the factors surrounding those deviations and determine if your Plan may be affected by the deviation.
    5. User Controls. The SOC 1 lists user controls that the service provider expects the Plan administrator to have in place to rely on the SOC 1. You should review these user controls in detail and document the Plan’s controls that have been implemented to ensure the SOC 1 user controls are being satisfied. As part of this review, you should also gather evidence to verify the controls are not just designed but are operating as intended, and all personnel performing administrative functions on behalf of the Plan are following the guidelines of these controls.
    6. Distribute the review to the Plan’s oversight committee. Discuss the documented review with the Plan’s oversight committee and record the discussion in the minutes of the meeting.

For assistance with your SOC 1 Report or employee benefit plans, please contact your local Sikich advisor.

By Brent DeMay, Partner, Accounting

This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.

About the Author