Service organization control (SOC) reports come in several varieties. They generally pertain to service organizations, like retirement plan recordkeepers or third-party administrators (TPAs). The American Institute of Certified Public Accountants (AICPA) determines the scope of each SOC report.
Types of SOCs
The AICPA has three categories of SOC reports on the services provided by a service organization:
SOC 1 (ICFR): Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting. If your retirement plan is being audited, the auditor might look for your service providers’ SOC 1 reports to assess his or her comfort level with those service providers’ financial statements. There are two subcategories of SOC 1 reports that have different emphases.
SOC 2 (Trust Services Criteria): Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy. This report, if it paints a good picture, should give you comfort that, among other things, your plan participants’ identities won’t be stolen by a hacker. As with SOC 1, there are two SOC 2 subcategories.
SOC 3 (Trust Services Criteria for General Use Report): These are described as “general use reports” that don’t go into the same level of depth as SOC 2 reports.
Reason for SOCs
Service organizations generally can provide these reports more efficiently and cost-effectively than qualified plans and have made these services the focus of their business model. They generally pay to have their control systems reviewed by CPAs, who can in turn create the appropriate SOC report from the assembled information. These reports “are designed to help service organizations that provide services to other entities build trust and confidence in the service performed and controls related to the services,” according to the AICPA. The success or failure of the SOCs can impact an organization’s reputation, financial statements and stability.
As part of your due diligence procedure, when vetting prospective service providers for your retirement plan, review their SOC reports. If that step was overlooked in past years, request and review the SOC reports they can provide. In addition, have your CPA also read them to make sure you didn’t overlook any red flags.
If the reports raise any issues, document your concerns and monitor the providers’ progress toward addressing them. And if that doesn’t happen, it’s probably time to start a fresh vendor search.