User Controls Considerations For Service Organization Control Reports

As part of exercising their fiduciary responsibility, plan sponsors should obtain and evaluate a “Service Organization Control Report” for organizations providing outsourced services for their employee benefit plans. These reports, which have been subjected to a service auditor’s report under SAS No. 70, “Service Organizations”, will begin to be subject to a new standard, SSAE No. 16, “Reporting on Controls at a Service Organization”. The new SSAE No. 16 reports, which are effective for periods ending on or after June 15, 2011, also permit earlier application. Information related to these reports can be found on the AICPA website at the following link:
https://www.aicpa.org/InterestAreas/AccountingAndAuditing/Resources/SOC/Pages/SORHome.aspx

The principle behind a service organization control report is that the service organization performs certain processes related to transactions of the plan, and the report, along with the opinion from the independent service auditor, is intended to provide comfort to the plan sponsor that the service organization is processing the plan’s transactions in a reasonable manner. A significant caveat, which is included in the body of a service organization control report, is a reminder to plan sponsors that the plan sponsor is primarily responsible for their “user controls”. This caveat typically indicates that plan sponsor user controls are not the responsibility of the service organization.

A few examples of user controls might include:

  • Plan sponsors are responsible (and should have controls) for approving the detailed plan setup with the service organization, since the plan sponsor would have access to their plan document to determine whether the setup with the service organization is proper.
  • Plan sponsors would typically be required to have internal controls in place for communicating changes to their plan document to the service provider.
  • Plan sponsors would typically need to have controls in place to identify when employees become eligible (as defined in the plan document) to participate in the plan.

Monitoring service organization control reports for processes contracted out to outside service providers and monitoring their own user controls with respect to information provided to the service organization are important examples of exercising fiduciary responsibility. Plan sponsors would be well served to document these processes.


The information contained herein is not necessarily all inclusive, does not constitute legal or any other advice, and should not be relied upon without first consulting with appropriate qualified professionals for your plan’s individual facts and circumstances.
