Practice Aid: Using a SOC 1 Report in Audits of Employee Benefit Plans

ISBN: 978-1-945-49818-3

Feb 2018

80 pages

Paperback

Designed to cover the complexities of SOC 1 reports and employee benefit plans, this practice aid describes how a SOC 1 report should be considered in the audit of an employee benefit plan and what audit procedures should be applied to the information in the SOC 1 report.


1 Introduction

Purpose of This Practice Aid

SOC Reports

Background

Types of SOC 1 Reports

Applicability to Employee Benefit Plans

2 A Brief Overview

Risk Assessment Procedures and Related Activities

The Auditor’s Understanding of the Entity and Its Environment, Including Its Internal Control

Understanding the Entity and Its Environment

Understanding the Entity’s Internal Control

Control Activities and the Information System, Including the Accounting System

Identifying and Assessing the Risks of Material Misstatement

Risk Assessment and a Plan’s Use of IT

3 Using the Services of a Service Organization

Determining Whether the Service Organization Is Part of the Employee Benefit Plan’s Information System

Understanding the Services Provided by a Service Organization

Obtaining Information About the Nature of the Services

The Nature and Materiality of the Transactions

Degree of Interaction

Nature of the Relationships

Procedures When the Plan Auditor Cannot Obtain a Sufficient Understanding From the Employee Benefit Plan

Using a SOC 1 Report to Obtain an Understanding of the Services Provided to the Employee Benefit Plan

Evaluating a SOC 1 Report

Subservice Organizations

4 Responding to the Assessed Risks of Material Misstatement When the Plan Uses a Service Organization

Performing Further Procedures in Response to Assessed Risk

Procedures When a SOC 1 Report Is Not Available

Obtaining and Using a Type 2 SOC 1 Report

Planning Checklist for Audits of Employee Benefit Plans That Use a Service Organization

SOC 1 Report Considerations in Planning an ERISA Limited-Scope Audit

Frequently Asked Questions—How Does a Plan Auditor Obtain a SOC 1 Report?

5 How to Use a SOC 1 Report

Type of SOC 1 Report

Type 1 SOC 1 Reports

Type 2 SOC 1 Reports

Timing Considerations

The Service Auditor’s Report

Description of the Service Organization’s System

Control Objectives, Related Controls, and Assertions

Complementary User Entity Controls

Tests of the Operating Effectiveness of Controls

Frequently Asked Questions—Using SOC 1 Reports

6 Responding to Testing Exceptions and Control Deficiencies and Other SOC 1 Report Considerations

Effect on the Plan Auditor

Other SOC 1 Report Considerations

Deviations in the Results of Tests

Deviation in IT and Non-IT Controls

Glossary

Appendix A—Practice Tools

Exhibit A-1—Audit Program: Auditing the Financial Statements of an Employee Benefit Plan That Uses a Service Organization

Exhibit A-2—Planning Checklist for Audits of Employee Benefit Plans That Use a Service Organization

Exhibit A-3—Documentation of Use of a Type 2 Service Auditor’s Report in an Audit of an Employee Benefit Plan’s Financial Statements

Appendix B—An Overview of SOC 1, 2, and 3 Reports