So, what is a SOC report? Many plan sponsors of 401(k) and other benefit plans outsource critical plan tasks to outside service providers or vendors like payroll servicers, third-party administrators, and recordkeepers. This makes you the customer, or to use the official term, the “user entity.”

As we’ve discussed before, no matter who handles the day-to-day operations of your plan, the user entity, or plan sponsor, still bears the risk of being ultimately responsible for the effectiveness and compliance of those operations with the Department of Labor (DOL) and IRS regulations. 

This is where the vendors’ Service Organization Control, or SOC, reports come in.

What is a SOC report?

Service Organization Control (SOC) reports outline the service providers’ internal controls over financial reporting, as well as show the results of tests of those controls for operating effectiveness. These reports are, by definition, prepared by a certified public accountant (CPA) or other outside auditor on the vendor’s end.  

As a plan sponsor, to properly assess and manage the risks associated with delegating common 401(k) plan tasks to outside service providers, you need to review their SOC reports. SOC reports also help you evaluate whether service providers meet necessary control standards when selecting them as vendors in the first place.

Types of SOC reports

There are two main types of SOC reports:

  • Type I: Describes the procedures and controls in place as of a specific point in time.
  • Type II: Includes the Type I details and also tests whether those controls operated effectively over a period of time.

Type II reports are particularly valuable because they confirm the ongoing effectiveness of controls. So as a plan sponsor, this is the type you’ll want to request. 

Obtaining your service providers’ SOC reports doesn’t get you off the hook entirely, however. You must also implement your own controls, known as complementary user-entity controls, to ensure overall compliance.

What controls are expected on your end

Examples of complementary user-entity controls include:

  • Certify that participants are eligible for the plan; 
  • Ensure payroll info is accurate, complete and properly authorized; 
  • Quickly resolve rejected items and resubmit updates, ensuring that disbursements get the appropriate approval; 
  • Verify that only authorized personnel can access participant logins and passwords for making online plan election changes; 
  • Review that changes in investment options offered by the plan are authorized; and 
  • Ensure participants can’t exceed contribution limits.

What to look for in SOC reports

When reviewing SOC reports, consider:

  • Period Covered: Ensure it matches your plan’s reporting period.
  • Auditor Reputation: Verify the auditor’s credibility.
  • Opinions and Exceptions: Look for any modifications or deficiencies.
  • Subservice Organizations: Ensure these are covered or obtain their reports if necessary.

Cybersecurity is another crucial aspect that impacts the effectiveness and compliance of your plan. Understand your vendors’ cybersecurity measures to protect sensitive information.

In summary, SOC reports are essential for maintaining effective control over outsourced services, helping you fulfill your fiduciary duties and protect plan participants. They help you choose the right outside provider for your plan and stay on top of any potential deficiencies before they become major issues.

And yes, come audit time, your 401(k) plan auditor will ask to review your vendor SOC reports. When choosing a plan auditor, work with a firm that will liaise directly with your vendors, so you don’t have to. 

At Cassell Plan Audits, we pride ourselves on being the missing puzzle piece connecting all of your outside service providers. In need of audit help? Contact us today.