SSAE 16 or SOC reports are typically used by auditors to support their work on functions that their clients have outsourced. However, these reports, which document the controls and the results of control testing at a service organization, can also be utilized by plan administrators to enhance existing controls and mitigate risks surrounding their ERISA plans. Even though these services have been outsourced, plan administrators still have a fiduciary duty to all plan participants to establish effective controls over these functions in order to protect plan assets. Specifically, an entity will want to utilize a SOC 1 or SOC 2 report. By obtaining and reading these reports, plan administrators can:
- Learn about the various controls in place at a service organization and if those controls are operating effectively
- Assess the risk of gaps occurring between the controls in place at the service organization and the controls in place at their company
- Determine complementary controls needed at the company level to mitigate existing risk or to eliminate gaps in controls
- Gain insight into any potential fraud exposure that an entity may be exposed to by the service organization
By obtaining and reviewing these reports on an annual basis, plan administrators can ensure that they are proactively analyzing risk and adjusting controls when necessary to mitigate it. If you have any questions regarding SOC reports, please contact a member of the Schneider Downs team for more information.
© 2014 Schneider Downs. All rights reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.