Post on 01-Aug-2020

2 views

Category:

Documents


2 download

TRANSCRIPT

Page 1: SOC Reports - BerryDunn

berrydunn.com | GAIN CONTROL

SOC Reports: What are they and what should you do with them?

Page 2

AGENDA

• SOC REPORTS OVERVIEW

• RELEVANT SECTIONS TO REVIEW

• SOC REVIEW CHECKLIST


Page 3

SOC REPORTS OVERVIEW


Page 4

SOC REPORTS OVERVIEW

Terms to know:

• SOC – Service Organization Control

• Service organization – the third-party service provider that performs a task or function for other entities

• Service auditor – the CPA firm doing the SOC exam

• User organization – customers of the service organization

• User auditors – the customer’s financial statement auditors


Page 5

SOC REPORTS OVERVIEW

Things to know: SOC 1 (SSAE 16) vs. SOC 2

What is it?

  SOC 1: Report on internal controls over financial reporting

  SOC 2: Report on internal controls based on Security, Availability, Processing Integrity, Confidentiality, Privacy

Who needs it?

  SOC 1: A company that acts as a service organization that processes data or provides services critical to its customers’ financial reporting. For example: third-party administrators, e-commerce industries that process data, payroll administrators, insurance organizations

  SOC 2: A company that acts as a service organization that may host or support customer data. For example: data centers, software-as-a-service (SaaS) organizations, printing services, managed service providers

What does it cover?

  SOC 1: Relevant internal controls over financial reporting as defined by the service organization

  SOC 2: One or more of the AICPA-defined Trust Service Principles (TSPs) and criteria

What does it look like? (both)

  Report consisting of: 1. Auditor’s Opinion; 2. Written Description; 3. Controls and Results of Tests

Who uses it? (both)

  Service organization, user organizations, user auditors


Page 6

SOC REPORTS OVERVIEW

Type 1: Audit of design effectiveness.

• Provides assurance that the controls are properly designed and in place at a point in time

• An “inquiry and observation” only audit

• Ideal for first time auditees

• Limited usefulness for user organizations

Type 2: Audit of design and operating effectiveness.

• Provides assurance that the controls are properly designed, in place and operating effectively over a period of time

• Much more detailed “prove it” testing: observation, inspection, and reperformance

• More appropriate for financial auditors who are assessing controls at the service organization

• Provides reasonable assurance control objectives are met


Page 7

SOC REPORTS OVERVIEW: PRIMARY COMPONENTS

I. Independent Service Auditor’s Report: Addresses the report type, reporting period, opinion, and any qualifications or disclaimers

II. Description of the System: Free-form narrative description of processes and controls provided by the service organization

III. Information Provided by the Auditor: Identifies the procedures (tests) performed by the auditor and results

IV. Other Information: May contain other information provided by the service organization (section not tested by the auditor)


Page 8

SOC REPORTS OVERVIEW

Why Review a SOC Report?

• Risk Management

• Vendor Due Diligence

• Financial Statement Impacts


Page 9

RELEVANT SECTIONS TO REVIEW


Page 10

RELEVANT SECTIONS TO REVIEW

• Independent Service Auditor’s Report

What type of report is it?

Is the time period parallel to your audit period?

Is the scope of the report relevant to your operations?

Are there any disclaimers?

Is the opinion qualified (bad) or unqualified (good)?

• Control Objectives

• Results of Tests

• User Control Considerations (UCCs)


Page 11

RELEVANT SECTIONS TO REVIEW: AUDITOR’S REPORT


Page 12

RELEVANT SECTIONS TO REVIEW: AUDITOR’S REPORT


Page 13

RELEVANT SECTIONS TO REVIEW: AUDITOR’S REPORT


Page 14

RELEVANT SECTIONS TO REVIEW

• Independent Service Auditor’s Report

• Control Objectives

Is there sufficient coverage of relevant controls?

Is the “big picture” of the control environment captured?

• Results of Tests

• User Control Considerations (UCCs)


Page 15

RELEVANT SECTIONS TO REVIEW: CONTROL OBJECTIVES

CONTROL OBJECTIVES AND RELATED CONTROL ACTIVITIES

Although the control objectives and related control activities are described in Section Three, they are, nevertheless, an integral part of ABC’s control environment.

The description of the service auditor’s tests of operating effectiveness and the results of those tests are also presented in the testing matrices in Section Three, adjacent to ABC’s description of controls. The description of the tests of operating effectiveness and the results of those tests are the responsibility of the service auditor and should be considered information provided by the service auditor. The control objectives include:

Control Objective 1: Controls provide reasonable assurance that the creation and modification of contract records are properly authorized and that customer data is accurately and completely input into the system.

Control Objective 2: Controls provide reasonable assurance that the creation of, and modifications to, participant accounts are properly authorized and information is accurately and completely input into the system.

Control Objective 3: Controls provide reasonable assurance that the participant or plan statements are prepared completely, timely, and accurately.

Control Objective 4: Controls provide reasonable assurance that contributions and loan repayments are authorized and are recorded completely, accurately, and timely to a participant account.

Control Objective 5: Controls provide reasonable assurance that distributions and participant loans from the Plan are authorized and recorded completely, accurately, and timely.

Control Objective 6: Controls provide reasonable assurance that the purchase and sale of investments and each participant’s share of investment income or loss are properly authorized and recorded for the correct amount, in the proper period, and to the correct account.

Control Objective 7: Controls provide reasonable assurance that the compliance tests required under Employee Retirement Income Security Act (ERISA), Department of Labor (DOL), and Internal Revenue Code (IRC) rules and regulations are prepared and Internal Revenue Service (IRS) forms are timely prepared and sent to clients.

Control Objective 8: Controls provide reasonable assurance that changes to plan administration software are authorized, approved, and implemented in accordance with management’s instructions.

Control Objective 9: Controls provide reasonable assurance that logical access to plan administration software and related data files is restricted to properly authorized individuals.

Control Objective 10: Controls provide reasonable assurance that critical applications and data are backed up regularly and backup media is archived off-site for a reasonable amount of time.

Control Objective 11: Controls provide reasonable assurance that facilities and computing equipment are physically and environmentally safeguarded.


Page 16

RELEVANT SECTIONS TO REVIEW

• Independent Service Auditor’s Report

• Control Objectives

• Results of Tests

Are there any deviations noted? How are they relevant to your operations?

Do the deviations impact you?

• User Control Considerations (UCCs)


Page 17

RELEVANT SECTIONS TO REVIEW: RESULTS OF TESTS (SOC 1)


Page 18

RELEVANT SECTIONS TO REVIEW

• Independent Service Auditor’s Report

• Control Objectives

• Results of Tests

• User Control Considerations (UCCs)

Are you doing all these?


Page 19

RELEVANT SECTIONS TO REVIEW: UCCs

• UCCs are controls at your organization that should be in place to supplement the controls at the service organization

• These controls are your responsibility and the control is only effective if you do your part

• Does your organization have these controls in place?

• Review UCCs in conjunction with signed Service Level Agreements


Page 20

RELEVANT SECTIONS TO REVIEW: UCCs

“PURPOSE AND SCOPE OF THE REPORT

This report is intended to provide ABC customers and other interested parties with information about ABC’s controls that may affect the processing of transactions for its customers. The information contained in this report, when combined with an understanding of the controls in place at the customer, is intended to assist the customer’s independent auditor in planning the audit of the customer, and in assessing control risk for assertions in the customer’s financial statements that may be affected by controls at ABC. It is the responsibility of each user of this report to evaluate the information contained in this report, in relation to the controls in place at the customer. If certain complementary controls are not in place at the customer, ABC controls may not compensate for such weaknesses.”


Page 21

RELEVANT SECTIONS TO REVIEW: UCCs

USER CONTROL CONSIDERATIONS

ABC procedures are designed with the assumption that certain internal controls are implemented by customers of ABC. The application of such internal controls by the customer is necessary to achieve the control objectives identified. There may be additional control objectives and related controls that would be appropriate for the processing of transactions that are not identified.

This section describes certain internal controls that the users should consider to achieve the control objectives identified in this report. The user control considerations presented below should not be regarded as a comprehensive list of all the controls that should be employed by users.

1. The client should review all plan setup reports, conversion reconciliations, and notices during the conversion process.

2. The client is responsible for submitting all plan provision changes in writing and authorizing the request prior to forwarding to ABC.

3. The client is responsible for determining employee eligibility unless the client has elected in a Plan Services Agreement (PSA) that these services be provided by ABC or a third party.

4. The client should review participant enrollment forms for accuracy and completeness and authorize the forms prior to providing them to ABC.

5. The client is responsible for providing missing information on all returned forms.

6. The client should forward all transaction requests for processing on a timely basis and retain copies of all documents on file.

7. The client is responsible for ensuring that loan requests are within the plan and loan program guidelines prior to authorizing and forwarding the request to ABC.

8. The client is responsible for verifying distribution requests and monitoring requirements for hardship distributions before paperwork is forwarded to ABC.

9. The client is responsible for notifying ABC of participant status changes (retirement, termination, or death, etc.) in writing and in a timely manner.

10. The client is responsible for providing ABC with written instructions regarding forfeitures and allocations of forfeitures.

11. The client should provide ABC with year-end and census information in good order and in a timely manner.

12. The client should notify ABC of any participants exceeding 415 limitations or with excessive contributions.

13. The client should verify and maintain all regulatory testing results.

14. Plan sponsors and participants should keep passwords and PINs confidential and change passwords and PINs on a periodic basis.


Page 22

SOC REVIEW CHECKLIST


Page 23

INTERESTED IN MORE? CONTACT US.

Tina Papadopoulos, CISA

Management and Information Technology Consulting Group

[email protected]

207.541.2253
