This article focuses on how to address the carveouts of subservice organizations in a SOC 1 report (Service Organization Controls Report). SOC 1 reports cover key controls at the organizations that provide various services to the benefit plan (e.g., payroll providers, recordkeepers, custodians, etc.). These reports should be obtained and reviewed by the plan sponsor so they understand the systems in place at the service organization, including key controls that address financial statement assertions. The reports are also generally used by the auditor for performing the plan audit. We have found carve-outs of subservice organizations within the SOC 1 report (and how best to address them) to be a common hurdle in using the SOC 1 report effectively.
Subservice organizations are third-party entities that provide services to the service organization providing services to the plan. Some typical examples of carved out processes are IT general controls, pricing services and certain investment related services. Subservice organizations are required, under SSAE 16 (Statement on Standards for Attestation Engagements No. 16), to either report their controls in the SOC 1 report using the inclusive method or exclude them from the SOC 1 report using the carve-out method. The inclusive method includes controls surrounding any key aspects of the subservice organization’s system in the service organization’s SOC 1 report. Under the carve-out method, controls for the subservice organization are excluded from the service organization’s SOC 1 report and are referred to as carve-outs.
The plan sponsor would ordinarily obtain and review the service organization’s SOC 1 reports and review and consider any complementary user entity controls (e.g., controls the plan sponsor is expected to have in place). This review would ordinarily be documented and address whether the complementary user entity controls are in place and operating effectively for the plan. The plan sponsor should also identify any carve-outs. Generally, carve-outs will be noted in the independent service auditor’s report on the SOC 1 report. Sometimes, the carve-outs are located within the body of the report, often under the company information, overview and/or scope of report sections.
As a general rule, carve-outs are significant if they directly impact the plan and its data. For instance, consider whether there is another data processing center that has access to the plan’s data or makes updates directly to the plan’s records or a subservice organization that provides investment related services. This review and conclusion regarding the significance of carve-outs should be documented. If there are significant carveouts, consider obtaining the subservice organization SOC 1 reports related to the carve-outs. These reports would be reviewed in a similar manner to the service organization’s SOC 1 reports. What if a carve-out SOC 1 report is not available? Possible alternative procedures that the plan sponsor may want to consider include, but are not limited to, the following:
- Perform a review of the current procedures in place at the plan sponsor to address the specific carve-out and document that the controls are properly covered. However, in most instances, this will likely not cover outsourced controls adequately.
- Contact either the service organization or the subservice organization directly, discuss the controls and procedures in place, document those discussions and obtain any supporting documentation to confirm such controls and procedures are in place. This discussion would ordinarily focus only on key processes and controls that impact the sponsor’s plan.
- Request that the plan auditor work with the service organizations to perform the necessary steps to address and document these controls.
- Request that the subservice organizations have SOC 1 reports prepared. Since reviews of SOC 1 reports are part of the audit planning process, the plan sponsor should consider obtaining the relevant SOC 1 reports and performing the reviews now. The time to review these reports can be lengthy, but it is the plan sponsor’s responsibility to understand how the controls impact the plan’s operations and controls. If the sponsor is proactive with this review, it generally results in a more efficient audit.
This article originally appeared in BDO USE, LLP’s “EBP Commentator” newsletter (Winter 2014). Copyright © 2014 BDO USA, LLP. All rights reserved. www.bdo.com