Service organization control (SOC) reports come in several varieties. They generally pertain to service organizations, like retirement plan recordkeepers or third party administrators (TPAs). The American Institute of Certified Public Accountants (AICPA) determines the scope of each SOC report.
Types of SOCs
The AICPA defines three categories of service organization SOC reports:
SOC 1: Report on controls at a service organization relevant to user entities’ internal control over financial reporting. If your retirement plan is being audited, the auditor might look for your service providers’ SOC 1 reports to assess his or her comfort level with those service providers’ financial statements. There are two subcategories of SOC 1 reports that have different emphases.
SOC 2: Trust Services Criteria; report on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy. This report, if it paints a good picture, should give you comfort that, among other things, your plan participants’ identities are protected from theft by a hacker. As with SOC 1, there are two SOC 2 subcategories.
SOC 3: Trust Services Criteria for general use reports. These are described as “general use reports” and don’t go into the same level of depth as SOC 2 reports.
Reason for SOCs
Service organizations generally pay to have their control systems reviewed by CPAs, who can in turn create the appropriate SOC report from the assembled information. These reports “are designed to help service organizations that provide services to other entities build trust and confidence in the service performed and controls related to the services,” according to the AICPA.
As part of your due diligence procedure, when vetting prospective service providers for your retirement plan, review their SOC reports. If that step was overlooked in past years, request and review the SOC reports they can provide. In addition, have your CPA also read them to make sure you didn’t overlook any red flags.
If the reports raise any issues, document your concerns and monitor the providers’ progress towards addressing them. And if that doesn’t happen, it’s probably time to start a fresh vendor search.
For a no-obligation discussion on the possible impact and steps you should take now, contact Meresa Morgan, our Audit Shareholder with significant experience in this area.