Importance of SOC 1 Reports for Employee Benefit Plans
A System and Organization Controls report (or SOC 1 report) provides plan management with the ability to evaluate the service organizations it uses to produce the plan’s accounting information.
A service provider — whether it is providing participant record keeping, claims processing or some other service — typically commissions a SOC 1 report to assure plan management that appropriate controls are in place and that policies and procedures are being followed.
It’s a Two-Way Street
Yet a SOC 1 report is a two-way street. It also evaluates whether Complementary User Entity Controls (CUECs) are being followed. These are the complementary controls that plan administrators (i.e. user entities in this case) must have in place to ensure proper coordination between the plan sponsor and the service organization — and to ensure that there are no gaps in controls.
In other words, they are the specific internal controls that a user organization must implement in order for the service organization’s controls to achieve their stated objectives.
Understanding Complementary User Entity Controls
The area of participant eligibility offers a good example of a CUEC. The service provider may very well have controls in place to ensure that participant eligibility data is accurately entered and properly maintained. Yet that control is of limited effectiveness if plan management does not have a CUEC in place to monitor and review participant eligibility prior to requesting that the participant be added to the service organization’s system.
Another example would be an investment manager that interfaces with its clients through a proprietary system. The service provider cannot guarantee that its controls will result in accurate and appropriately authorized investment decisions if the user organization does not put in place controls to ensure that access to the investment manager’s interface is only granted to those who should have it.
Some other common plan management issues and their corresponding CUECs include:
Issue #1: Ensuring that plan data is input and processed accurately and completely.
CUEC: The Director of Human Resources reviews all pay increases, status changes, time sheets and withholding forms to ensure that all fall in line with the payroll data transmitted to the service organization.
Issue #2: Accurately communicating any modifications made to the plan recordkeeping agreement and any plan documents.
CUEC: The Board of Directors and the Director of Human Resources establish procedures for reviewing and approving plan documents as well as any plan changes. All changes are communicated directly to the service organization through documented phone calls and emails.
Issue #3: Maintaining adequate controls over physical access to the service organization’s systems at the plan sponsor’s location.
CUEC: The HR Director serves as the security administrator and has authority to add and delete users with access to the online portal. User access is updated by the director on an “as needed” basis for employee turnover or changes in job function.
Issue #4: Timely review of plan reports and statements provided by the service organization and prompt notification of any discrepancies.
CUEC: The HR department reviews the service organization’s data packets on a monthly basis and ties any significant changes to their records. Any discrepancies are brought to the service organization’s attention for reconciliation of the issues.
Putting SOC 1 to Work
Instead of simply turning over the SOC 1 report to your benefit plan auditors, it is critical that you seek out the Complementary User Entity Controls within the report and verify that your organization is addressing all of the CUECs noted. If the SOC 1 report identifies noncompliance with the service organization’s controls, CUECs at the plan should be documented and enhanced.
The combination of the SOC 1 report and the evaluation of CUECs can help plan management meet its fiduciary duties to implement effective internal controls. This ensures that the plan’s activities and investments are reported in the financial statements at amounts in accordance with professional standards, regulatory requirements and the plan document.