Monitoring Service Provider Performance: The Role of Type II SOC 1 Reports
It’s not uncommon for sponsors of employee benefit plans to outsource key functions like accounting and recordkeeping to third-party service providers. But this doesn’t absolve plan sponsors of the responsibility for adequately monitoring those key functions, nor of their overall financial reporting responsibility.
SOC 1 reports can build trust and confidence in the service that is being delivered through verification that processes and controls in place are working as prescribed. A SOC 1, Type II report provides great insight into key processes and procedures that are being performed outside your company by a third party. In fact, monitoring the performance of outside service providers is a fiduciary responsibility for plan sponsors. The best way to do this is to obtain a Service Organization Controls report — also known as a Type II, SOC 1 (“Type II”) report — from service providers, not to be confused with a Type I, SOC 1 report (“Type I”).
What Types of Service Providers?
The services provided to plan sponsors by third parties include plan administration, custody of investments, and recordkeeping of participant accounts. You should also request the Type II report from your payroll services provider and from the plan administrator that maintains participant account balances. This is because plan contributions, loan repayments, and participant account information all originate in the payroll data your payroll provider processes.
Difference Between Type I and Type II
The amount of reliance the plan sponsor can place on how effectively each key outsourced function is performing depends on the type of SOC report obtained. A Type I report describes the procedures and controls a service organization has established as of a specified point in time. A Type II report includes all the information in a Type I report but also supplies evidence of how effectively those procedures and controls operated over a specified period of time. That evidence comes from an audit of the procedures and controls performed by a public accounting firm, which issues an opinion on the operating effectiveness of the controls.
Assuring Adequate Internal Controls
Keep in mind that the Type II report not only monitors the performance of service providers but also evaluates and describes complementary user entity controls in place at the plan sponsor. These user controls are the equivalent of a disclaimer from the service organization that their controls cannot be guaranteed to achieve their stated objectives if the plan sponsor’s organization does not implement certain specific controls internally.
Without adequate complementary user entity controls, a system of internal controls may prove to be ineffective. It is critical to understand and implement these controls as contemplated by the service organization that works with the plan sponsor. The user controls will also promote a positive overall control structure between the service organization and the plan sponsor.
Auditors routinely request Type II reports during the audit process; however, you can – and should – be proactive by obtaining a Type II report from service providers long before your auditor requests one.
Reviewing SOC 1 Reports
In addition to reviewing the complementary user controls in Type II reports, you should also look at these items:
- Period covered. The system description and the controls tested in the report cover a specific period and cannot be projected to future periods. If the Type II report obtained doesn’t cover the necessary reporting period, you should request a gap letter when it becomes available, which will confirm that operating effectiveness is still being achieved through the end of your reporting period.
- Modifications to the service auditor’s opinion. A modified opinion could indicate a deficiency in the design or operating effectiveness of the service organization’s internal controls that is significant enough to limit the reliance you can place on those controls.
- Subservice organizations / Carve-outs. These are organizations your third-party provider has engaged to perform certain outsourced functions relevant to the plan’s internal control. The functions your third-party provider outsources can be very important to your control environment. You should assess each carve-out individually and conclude which additional Type II reports should be obtained and reviewed accordingly. For example, your Plan Trustee may outsource all investment valuation procedures to a third party. If that subservice organization isn’t doing the necessary things to properly value investments, that would be a significant issue.
- Control objective exceptions. The testing section of the report may contain information about exceptions noted during testing. If the exceptions indicate an increased risk, you should consider whether additional controls or other actions should be taken to mitigate this risk, based on management’s response/remediation.
- Management’s response/remediation. The report may contain a management response that describes how exceptions are being resolved, such as by modifying control activities or implementing additional controls. This can be valuable in assessing the risk to the plan and, if considered necessary, the timeframe for testing for potential errors.
Assisting in Evaluation
We can assist in evaluating SOC 1 reports provided by your service providers, as well as internal controls over financial reporting and appropriate monitoring activities. We have the tools and resources to make this evaluation of the SOC 1 report less of a burden and more of a value-add process. If you have questions about using and/or reviewing Type II, SOC 1 reports, contact your BMF Advisor.
James E. Merklin
CPA/CFF, CFE, CGMA, MAcc