As a benefit plan auditor for over 10 years, I found it surprising how many of my clients didn’t know their recordkeeper had a SOC 1 report, let alone what to do with it once they got it for the audit. The truth is that the United States Department of Labor (DOL) publication Meeting Your Fiduciary Responsibilities provides an overview of the basic fiduciary responsibilities applicable to retirement plans under the Employee Retirement Income Security Act (ERISA), and monitoring service organizations and their controls is one of them.

Outsourcing of recordkeeping services is very common and is a way to reduce costs and increase efficiency in administering employee benefit plans. While choosing a recordkeeper is important, the fiduciary responsibility doesn’t stop there. Management should periodically monitor the service organization to ensure it is meeting the agreed-upon procedures as they relate to the plan.

These are some steps plan management can take each year to fulfill this responsibility:

Review the Report

Once the SOC 1 report is received, management should read the audit report and look for the following:

  • Dates
    • Review the period covered and verify that the report properly covers the plan year. If it does not, confirm that there is an applicable bridge letter from the service organization to support the audit opinion through the end of the plan year.
  • Audit opinion
    • Look for an unmodified (clean) opinion.
    • If a qualified opinion, a disclaimer of opinion, or an adverse opinion is noted, management needs to determine the impact it has on the plan. See “Evaluate Any Deviations Found” below.
  • Carved-out subservice organizations
    • Some service organizations use another service organization (a subservice organization) to process certain transactions as part of their agreement, and the SOC 1 report may carve those services out of its scope. If the transactions are significant to plan operations, plan management should obtain the subservice organization’s SOC 1 report as well.

Evaluate Any Deviations Found

You have read the report and determined that it notes deviations (control exceptions). Now what? Plan management must understand which controls were identified as having deviations and analyze the impact those deviations have on the plan’s operations. Review the service organization’s response and how the deviation affects the service organization’s controls.

Further, significant deviations can be a sign that plan management needs to evaluate whether another recordkeeper is needed.

Verify and Document the Complementary User Entity Controls at the Plan Level

The service organization’s controls alone are not sufficient to ensure controls around plan operations. Each SOC 1 report will include what are referred to as complementary user entity controls (often shortened to user controls). These are the controls, identified by the service organization, that should be in place at the user entity (here, the plan) for the service organization’s controls to be effective. These controls are defined and listed in the SOC 1 report. Plan management is responsible for reviewing these controls, verifying they are properly designed and implemented, and then operating them effectively.

To do this, management should document the plan’s controls that cover each user control, who performs them, and how often. Management should focus its attention on the “key” user controls, which are those that affect participant benefits, data, and elections. Management should also note that one plan control could cover multiple user controls.

Below is an example of documenting user controls at the plan level:

Ultimately, plan management is responsible for monitoring outsourced plan recordkeeping as required by the DOL. When choosing a service organization to provide recordkeeping services, management should look for a provider that has a SOC 1 Type 2 report, request this report annually for use in the monitoring process, review the audit report and evaluate any deviations, and then verify that all complementary user entity controls are in place at the plan level.

For more information regarding SOC 1 reporting or how LBMC’s Audit and Assurance practice can help, contact our team today.

Content provided by LBMC audit professional, Kayla Carr.