Use of Service Organizations and Fiduciary Responsibility

Many entities, including retirement plans, use service organizations to perform data processing functions, such as payroll processing, investment transaction processing, and retirement plan record keeping services.

If a retirement plan uses a service organization, then the retirement plan is relying on the service organization’s internal controls when processing transactions. In effect, the service organization’s internal controls become part of the retirement plan’s internal controls and therefore, it is the fiduciary responsibility of retirement plan management to understand the controls and have procedures in place to ensure that the controls are operating in a manner that will process information correctly. Engaging a service provider does not relieve the fiduciary responsibility of plan management relating to operation and administration of the plan.

How should plan management demonstrate that their fiduciary responsibilities with regard to service organizations are met? Many of these service organizations engage public accounting firms to audit their internal controls. These audits are usually performed annually, but sometimes more frequently, under Statement on Standards for Attestation Engagements (SSAE) 16, and the reports that are issued are referred to as Service Organization Controls (SOC 1℠) reports. These SOC 1 reports are available from the service providers and are usually posted on their administrative user websites. Retirement plans relying upon a service organization's internal controls should review the SOC 1 report each year (or more frequently if the service provider issues reports more frequently) and document that review as demonstration of meeting their fiduciary responsibilities. The review should be performed not only to gain an understanding of the operating effectiveness of the service organization's internal controls, but also to ensure that retirement plan management has implemented all of the complementary user entity controls ("CUECs") noted within the SOC 1 report. These CUECs are the controls that the service organization expects retirement plan management to have in place in order to ensure the proper processing of transactions. CUECs typically relate to logical access, data establishment, reconciliation/review of information, and timely communications.

SOC 1 reports can be rather voluminous and overwhelming to review. Withum has developed a practice aid to assist retirement plan management in reviewing the SOC 1 report. The aid is designed to focus on the relevant aspects of the SOC 1 report and to provide plan management with a template to document a review. Any questions regarding the service organization's controls or the CUECs should be discussed with the service provider. If management becomes aware of control deficiencies as a result of the review process, management should discuss the deficiencies with the plan's ERISA counsel or plan auditor to more fully understand the impact on the retirement plan.

To request a copy of this practice aid or if you have any questions, please email [email protected].
