Employee Benefit Plan Auditors – How to Effectively Use SOC Reports
Often the audit team member who draws the short straw gets to read and document the Service Organization Controls (SOC) report. The basic premise is that the use of a SOC report can reduce the overall work in an ERISA audit. This is often true. And sometimes the best use of a SOC report is simply to support required controls documentation.
In an audit performed in accordance with U.S. Generally Accepted Auditing Standards (GAAS), there is a requirement to identify areas of significant risk. There also is a requirement that, for each risk area identified, auditors must determine that controls are sufficiently designed and implemented to meet the relevant control objectives. While the preceding may sound like a lot of industry jargon, it is an important point not to be missed.
Much of a plan’s recordkeeping is outsourced to service organizations, and that outsourced work arguably covers areas of risk for the plan. Therefore, there is no practical alternative to using such a report to support the activities pertaining to the plan’s financial records. The descriptions of such controls, and the conclusion about their proper design and implementation, have already been completed by the service auditor. In fact, the only nuisance with respect to incorporating the report into your audit documentation is that, occasionally, reports are secured documents requiring a few extra steps before an auditor can cite and document the necessary information.
Another requirement related to controls documentation is that auditors must document both manual and automated controls, and must have an understanding of the general IT controls that impact significant financial reporting areas. IT controls information is frequently included in the SOC report and should be used as part of the plan auditor’s controls documentation to document an understanding of the four basic areas of general IT controls: risk assessment, data backup and retention, logical and physical security, and application change management.
Rather than devote time to controls documentation, many auditors skip ahead to the testing section of SOC reports to see if there is work that can be relied upon to reduce their own. That, of course, is one of the main principles behind the use of these reports, but SOC reports are tests of controls. Tests of controls are used to reduce sample sizes for substantive tests, and there are strict conditions that must be met before those reduced sample sizes are allowed. Even when all conditions are met, a SOC report cannot be used to eliminate substantive audit tests. The ideal scenario for using a SOC report to reduce substantive testing is one in which all of the required conditions are met and the population being substantively tested by the plan’s auditor consists of hundreds or thousands of items.
Another good use of a SOC report is as documentary evidence for the sources of fair values of investments. Generally, an auditor can find detailed descriptions of the controls in place with respect to pricing.
In summary, let’s be honest and say that the analysis of a SOC report can be a bit of drudgery. Used in the right way, however, the documentation should provide a better understanding of the plan and, in some cases, reduce the overall number of items tested. Most importantly, it can be used to meet required audit standards.
Recent articles authored by Lauren Corey follow:
Designing Your Retirement Plan’s Internal Controls in Order to Prevent Errors
There’s never a good time for discovering that your organization’s retirement plan has errors, but the good news is that you can evaluate the internal controls of your plan at any time of year. This type of project might be of particular interest to plans that are approaching large plan status (generally, over 120 if the plan has filed previously).
Recently, the Internal Revenue Service (IRS) issued guidance citing the importance of internal controls in retirement plans and, in particular, how such controls impact the correction process for a plan found to have errors. The existence of retirement plan internal control procedures is a requirement for a plan that otherwise qualifies for self-correction. The IRS also comments that plans that hire service providers are not relieved of this responsibility.
Management personnel of many plans take the approach of learning about common errors found in plans, which isn’t a bad strategy. In fact, that’s a great place to start. But if you are interested in a sound design that prevents problems from occurring in the first place, an internal control review is something you should consider. For example:
These are just some examples of areas where controls are sometimes overlooked. If any of the above questions have given you pause, perhaps you should perform an evaluation or consult with an expert.