Why Does Your 401(K) Auditor Ask For a SOC-1?

April 9, 2021

If you are the contact for your company’s 401(k) plan audit, you have probably received requests for your 401(k) provider’s SOC-1 or bridge letter. Perhaps we asked you what you do to comply with the user controls listed in the SOC-1. Here’s the scoop on why we need these items.

What is the SOC-1? This report is essentially your provider’s description of all the controls they have in place over the processes that affect the services they provide you, specifically the reports that serve as the basis for your plan financial statements. They have an audit firm come out and examine the controls they have in place to meet certain objectives, and that firm issues a report as to whether those controls were designed, implemented, and operated effectively for a certain period. The objectives that are of particular interest to us as auditors of your plan include the logical and physical access controls over IT systems, controls over the allocation of income and investments to participants, controls over online deferral elections and enrollment, and controls over electronic payments to participants. Assuming the report carries a “clean” (unmodified) opinion and there are no significant exceptions on these controls, it allows us as auditors to reduce our testing during your audit (less work for you)!

Why do we need a bridge letter? More often than not, the SOC-1 reports mentioned above cover a different period than your plan year. For example, the provider’s controls will be examined for the period from October 1 of one year to September 30 of the next year, while your plan audit is for the calendar year ended December 31. The 401(k) provider will often issue a “bridge” or “gap” letter indicating that there have been no significant changes in controls through a certain date (hopefully your plan year-end), which allows us as auditors to feel comfortable relying on the SOC-1 for our audit.

If this letter is not available, we may need to contact the service provider separately to inquire about such changes.

What are the user controls? In the aforementioned SOC-1 report, the provider identifies a list of user controls. They essentially say you can only rely on their controls if you, as the user of their services, have these user controls in place at your business. An example of a user control we often see is that the user (you) ensures that participant information sent to the provider is accurate. It is important for companies to obtain the SOC-1 from their 401(k) provider (or any other provider that is used and relied upon), read through the required user controls that apply, and ensure that these controls are in place. You use the provider reports as a basis for your financial statements and support for your participants’ balances. You need to be able to trust their accuracy. Since the effectiveness of the controls at the provider depends on the effectiveness of your user controls, implementing those user controls is critical. From an audit perspective, for us to rely on the SOC-1 to reduce our testing, we have to test that you have the user controls in place. So, read these reports, establish the user controls, have confidence in your provider, and reduce some of your audit costs!