Skip to main content

Practice Aid: Using a SOC 1 Report in Audits of Employee Benefit Plans

Practice Aid: Using a SOC 1 Report in Audits of Employee Benefit Plans


ISBN: 978-1-945-49818-3

Feb 2018

80 pages

Select type: Paperback

In Stock


1 Introduction 1

Purpose of This Practice Aid 1

SOC Reports 1

Background 1

Types of SOC 1 Reports 3

Applicability to Employee Benefit Plans 4

2 A Brief Overview  7

Risk Assessment Procedures and Related Activities 7

The Auditor’s Understanding of the Entity and Its Environment, Including Its Internal

Control 7

Understanding the Entity and Its Environment 7

Understanding the Entity’s Internal Control 8

Control Activities and the Information System, Including the Accounting System 9

Identifying and Assessing the Risks of Material Misstatement 10

Risk Assessment and a Plan’s Use of IT 10

3 Using the Services of a Service Organization 13

Determining Whether the Service Organization Is Part of the Employee Benefit Plan’s

Information System 16

Understanding the Services Provided by a Service Organization 17

Obtaining Information About the Nature of the Services 18

The Nature and Materiality of the Transactions 18

Degree of Interaction 18

Nature of the Relationships 19

Procedures When the Plan Auditor Cannot Obtain a Sufficient Understanding From the Employee Benefit Plan 19

Using a SOC 1 Report to Obtain an Understanding of the Services Provided to the

Employee Benefit Plan 20

Evaluating a SOC 1 Report 22

Subservice Organizations 23

4 Responding to the Assessed Risks of Material Misstatement When the Plan Uses a Service

Organization 25

Performing Further Procedures in Response to Assessed Risk 25

Procedures When a SOC 1 Report Is Not Available 25

Obtaining and Using a Type 2 SOC 1 Report 26

Planning Checklist for Audits of Employee Benefit Plans That Use a Service

Organization 27

SOC 1 Report Considerations in Planning an ERISA Limited-Scope Audit 27

Frequently Asked Questions—How Does a Plan Auditor Obtain a SOC 1 Report? 28

5 Howto Use a SOC 1 Report 29

Type of SOC 1 Report 29

Type 1 SOC 1 Reports 29

Type 2 SOC 1 Reports 29

Timing Considerations 30

The Service Auditor’s Report 31

Description of the Service Organization’s System 31

Control Objectives, Related Controls, and Assertions 33

Complementary User Entity Controls 33

Tests of the Operating Effectiveness of Controls 34

Frequently Asked Questions—Using SOC 1 Reports 35

6 Responding to Testing Exceptions and Control Deficiencies and Other SOC 1 Report Considerations 37

Effect on the Plan Auditor 37

Other SOC 1 Report Considerations 38

Deviations in the Results of Tests 38

Deviation in IT and Non-IT Controls 38

Glossary   41

Appendix A—Practice Tools 43

Exhibit A-1—Audit Program: Auditing the Financial Statements of an Employee Benefit Plan That Uses a Service Organization 43

Exhibit A-2—Planning Checklist for Audits of Employee Benefit Plans That Use a Service Organization 47

Exhibit A-3—Documentation of Use of a Type 2 Service Auditor’s Report in an Audit of an Employee Benefit Plan’s Financial Statements 50

Appendix B—An Overview of SOC 1, 2, and 3 Reports 61