Why Oversight Of Your Vendors Is Critical
As a plan sponsor, one of your responsibilities is hiring and contracting with vendors to help you manage your company's employee benefit plan (EBP). These vendors may include bank trust departments, insurance companies, payroll companies, and recordkeeping companies. But when you were contracting with these vendors, did you ever consider how their business operations, particularly their internal control environments, could affect the quality of services provided to your EBP?
For instance, you as a plan sponsor may choose not to maintain plan enrollment forms that document an employee's contribution percentages and investment fund allocation elections. Instead, the service organization you've contracted with provides an automated system that allows plan participants to log in and change their percentages or allocations. In this arrangement, your plan participant data is maintained by the service organization, not by you. As such, you can't simply assume that this information is accurate, protected and backed up. You remain responsible for the plan, so you have to accept a level of oversight and accountability for your service provider.
Outsourcing exposes plan sponsors to risk and underscores the need for effective vendor due diligence and monitoring. In order to understand the design and implementation of controls at a service organization, many plan sponsors obtain a service organization control (SOC) report. Let’s find out how a SOC report can assist you as a plan sponsor.
Listen to episode 169 of unsuitable on Rea Radio, “The Cybersecurity Battle Plan For Businesses,” featuring Paul Hugenberg, co-founder and CEO of InfoGPS Networks.
What Is A SOC Report?
Many vendors and providers that service EBPs have SOC reports issued annually by independent auditors. A SOC report is the result of an engagement in which an independent auditor examines the internal controls (policies, procedures, and technologies) that a service organization has implemented to process and protect client data. The report is issued to the service organization and is intended to provide the service organization's customers (and their customers' auditors) with assurance about the internal controls over the outsourced services.
Three Different Types Of SOC Reports
There are three different types of SOC engagements that a service organization may have performed that result in an issued report: a SOC 1, SOC 2 or SOC 3 report.
- A SOC 1 report is designed for financial transaction processing. It covers the controls at the service organization that are relevant to its customers' internal control over financial reporting, and is primarily used to validate controls over the completeness and accuracy of monetary transactions and financial statement reporting. Service organizations specify their own control objectives and control activities, so you should confirm that the objectives covered actually match the services your plan receives.
- A SOC 2 report is an examination of controls against some or all of the five trust services criteria (security, availability, processing integrity, confidentiality and privacy). Security is always in scope; the other four are included at the service organization's discretion. These reports are oriented toward the information security of hosted systems and the data they store or process.
- A SOC 3 report is a high-level, general-use summary of a SOC 2 examination. It states the auditor's opinion but omits the detailed description of controls and test results, so it is useful as a marketing document but not as a substitute for reviewing the SOC 2 report itself.
Each SOC 1 or SOC 2 report can be produced either as a Type I or a Type II report. A Type I report covers the design and implementation of controls at a single point in time. A Type II report also tests the operating effectiveness of those controls over a period of time, typically six to twelve months. Type II reports are preferred for monitoring purposes, since they show whether the controls actually operated, not just whether they were designed. When you review a Type II report, check that the period it covers lines up with your plan year; if there is a gap between the end of the report period and your year end, ask the vendor for a bridge letter covering the interim months.
How To Request A SOC Report
As an important part of monitoring plan activities, you should request and obtain a SOC 1 report from your recordkeeper, payroll service provider, and trustee/custodian, when available. Many of these reports are provided to you with your annual reporting packages. You should read the auditor's opinion and any exceptions noted in the test results, and also review the section of the report that addresses complementary user entity controls (CUECs). CUECs are controls that the service provider expects to be in place at the plan sponsor in order for the service organization's own controls to work as intended; for example, reviewing the vendor's output reports for accuracy or restricting who at your company may submit payroll and contribution data. If a CUEC is not operating at your company, the assurance the report provides over the related control objective does not extend to your plan. If a SOC 1 report is not provided with your annual reporting package, you should request the report from your vendor through your assigned customer service representative at the service organization.
Should you have any questions about obtaining and reviewing SOC reports, our EBP audit team here at Rea is happy to help you learn how to review these reports as part of monitoring EBP internal controls or performing general vendor due diligence.
By Darlene Finzer, CPA, CSA, QKA (New Philadelphia office)
Check out these resources for additional insight into fiduciary duties:
Prepare For The New Employee Benefit Plan Audit Standard Now – Not Later
How Long Do I Have To Keep This? Document Retention Recommendations For Retirement Plan Sponsors
Podcast | Documentation: Crystal Clear Or Clear As Mud?