Contents (chapter, section title, and starting page)

Chapter 1: Introduction (p. 1)
    Purpose of This Practice Aid (p. 1)
    SOC Reports (p. 1)
    Background (p. 1)
    Types of SOC 1 Reports (p. 3)
    Applicability to Employee Benefit Plans (p. 4)

Chapter 2: A Brief Overview (p. 7)
    Risk Assessment Procedures and Related Activities (p. 7)
    The Auditor’s Understanding of the Entity and Its Environment, Including Its Internal Control (p. 7)
    Understanding the Entity and Its Environment (p. 7)
    Understanding the Entity’s Internal Control (p. 8)
    Control Activities and the Information System, Including the Accounting System (p. 9)
    Identifying and Assessing the Risks of Material Misstatement (p. 10)
    Risk Assessment and a Plan’s Use of IT (p. 10)

Chapter 3: Using the Services of a Service Organization (p. 13)
    Determining Whether the Service Organization Is Part of the Employee Benefit Plan’s Information System (p. 16)
    Understanding the Services Provided by a Service Organization (p. 17)
    Obtaining Information About the Nature of the Services (p. 18)
    The Nature and Materiality of the Transactions (p. 18)
    Degree of Interaction (p. 18)
    Nature of the Relationships (p. 19)
    Procedures When the Plan Auditor Cannot Obtain a Sufficient Understanding From the Employee Benefit Plan (p. 19)
    Using a SOC 1 Report to Obtain an Understanding of the Services Provided to the Employee Benefit Plan (p. 20)
    Evaluating a SOC 1 Report (p. 22)
    Subservice Organizations (p. 23)

Chapter 4: Responding to the Assessed Risks of Material Misstatement When the Plan Uses a Service Organization (p. 25)
    Performing Further Procedures in Response to Assessed Risk (p. 25)
    Procedures When a SOC 1 Report Is Not Available (p. 25)
    Obtaining and Using a Type 2 SOC 1 Report (p. 26)
    Planning Checklist for Audits of Employee Benefit Plans That Use a Service Organization (p. 27)
    SOC 1 Report Considerations in Planning an ERISA Limited-Scope Audit (p. 27)
    Frequently Asked Questions—How Does a Plan Auditor Obtain a SOC 1 Report? (p. 28)

Chapter 5: How to Use a SOC 1 Report (p. 29)
    Type of SOC 1 Report (p. 29)
    Type 1 SOC 1 Reports (p. 29)
    Type 2 SOC 1 Reports (p. 29)
    Timing Considerations (p. 30)
    The Service Auditor’s Report (p. 31)
    Description of the Service Organization’s System (p. 31)
    Control Objectives, Related Controls, and Assertions (p. 33)
    Complementary User Entity Controls (p. 33)
    Tests of the Operating Effectiveness of Controls (p. 34)
    Frequently Asked Questions—Using SOC 1 Reports (p. 35)

Chapter 6: Responding to Testing Exceptions and Control Deficiencies and Other SOC 1 Report Considerations (p. 37)
    Effect on the Plan Auditor (p. 37)
    Other SOC 1 Report Considerations (p. 38)
    Deviations in the Results of Tests (p. 38)
    Deviation in IT and Non-IT Controls (p. 38)

Glossary (p. 41)

Appendix A—Practice Tools (p. 43)
    Exhibit A-1—Audit Program: Auditing the Financial Statements of an Employee Benefit Plan That Uses a Service Organization (p. 43)
    Exhibit A-2—Planning Checklist for Audits of Employee Benefit Plans That Use a Service Organization (p. 47)
    Exhibit A-3—Documentation of Use of a Type 2 Service Auditor’s Report in an Audit of an Employee Benefit Plan’s Financial Statements (p. 50)

Appendix B—An Overview of SOC 1, 2, and 3 Reports (p. 61)