Addressing SOC 1 Report Carve Outs
May 31, 2014
This article focuses on how to address the carve-outs of subservice organizations in a SOC 1 report (Service Organization Controls Report). SOC 1 reports cover key controls at the organizations that provide various services to the benefit plan (e.g., payroll providers, recordkeepers, custodians, etc.). These reports should be obtained and reviewed by the plan sponsor so they understand the systems in place at the service organization, including key controls that address financial statement assertions. The reports are also generally used by the auditor for performing the plan audit. We have found carve-outs of subservice organizations within the SOC 1 report (and how best to address them) to be a common hurdle in using the SOC 1 report effectively.
Subservice organizations are third-party entities that provide services to the service organization that, in turn, provides services to the plan. Some typical examples of carved-out processes are IT general controls, pricing services and certain investment-related services. Subservice organizations are required, under SSAE 16 (Statement on Standards for Attestation Engagements No. 16), to either report their controls in the SOC 1 report using the inclusive method or exclude them from the SOC 1 report using the carve-out method. The inclusive method includes controls surrounding any key aspects of the subservice organization’s system in the service organization’s SOC 1 report. Under the carve-out method, controls for the subservice organization are excluded from the service organization’s SOC 1 report and are referred to as carve-outs.
The plan sponsor would ordinarily obtain and review the service organization’s SOC 1 reports and review and consider any complementary user entity controls (e.g., controls the plan sponsor is expected to have in place). This review would ordinarily be documented and address whether the complementary user entity controls are in place and operating effectively for the plan. The plan sponsor should also identify any carve-outs. Generally, carve-outs will be noted in the independent service auditor’s report on the SOC 1 report. Sometimes, the carve-outs are located within the body of the report, often under the company information, overview and/or scope of report sections.
As a general rule, carve-outs are significant if they directly impact the plan and its data. For instance, consider whether there is another data processing center that has access to the plan’s data or makes updates directly to the plan’s records, or a subservice organization that provides investment-related services. This review and conclusion regarding the significance of carve-outs should be documented. If there are significant carve-outs, consider obtaining the subservice organization SOC 1 reports related to the carve-outs. These reports would be reviewed in a similar manner to the service organization’s SOC 1 reports. What if a carve-out SOC 1 report is not available? Possible alternative procedures that the plan sponsor may want to consider include, but are not limited to, the following:
This article originally appeared in BDO USA, LLP’s “EBP Commentator” newsletter (Winter 2014). Copyright © 2014 BDO USA, LLP. All rights reserved.