AICPA SOC 1 reports Used in employee benefit plan audits

AICPA SOC 1 reports Used in employee benefit plan audits Employee Benefit Plan Audit Quality Center

Handouts for today’s event You can download presentation slides (in PDF or PowerPoint format) and other handouts by clicking on in the toolbar at the bottom of your screen Webinar presentation slides Instructions on how to obtain your CPE Certificate EBPAQC Tools and Resources (Updated) EBPAQC Tools: Documentation of a Use of a Type 2 Service Auditor’s Report in an Audit of an EBP’s Financial Statements Planning Tool: Summary of Common EBP Audit Deficiencies, Audit Guidance and Resources

Presenters Lara Stanton, Sikich LLP David Torrillo, Torrillo & Associates, LLC Beth Garner, BDO Patricia McCormick, Deloitte & Touche LLP

Beth Garner, CPA BDO

Course objective After this webinar, you will be able to: Identify the unique control environment of employee benefit plans Use SOC reports in risk assessment Understand SOC 1 reports and the related standards Apply the concepts discussed in the webinar to real examples from SOC reports Use the EBP Audit Quality Center Tool to document your use of a SOC 1 report

Introduction Businesses outsource certain processes to third party service organizations Significant outsourced processes may impact the business’s user entities financial statement assertions (FSAs) SOC review engagements are an independent examination of the system at the service organization that addresses areas that impact user entity’s FSAs Considers the (1) design and implementation, and (2) operating effectiveness of the relevant internal controls Key consideration in the risk assessment process for user auditors 6

Who is involved? Service organization – An organization (or segment) that provides services to user entities that are relevant to those user entities’ internal control over financial reporting Service auditor – A practitioner who reports on controls at a service organization User entity – An entity that uses a service organization for which controls at the service organization are likely to be relevant to that entity’s internal control over financial reporting User auditor – An auditor who audits and reports on the financial statements of a user entity Subservice organization – A service organization used by another service organization to perform some of the services provided to user entities that are relevant to those user entities’ internal control over financial reporting 7

Basics of SOC 1 reports

Use of service organizations What if EBPs use service organizations? How can auditors evaluate design & confirm implementation of key controls (and, potentially, operating effectiveness?) SOC 1 Reports can help! Auditors may use the work performed by the service auditor 9

Overview of SOC 1 reports SOC 1 Report - Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (ICFR) Prepared in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 16 (AT 801), Reporting on Controls at a Service Organization; specifically intended to meet the needs of the management of user entities and the user entities’ auditors, as they evaluate the effect of the controls at the service organization on the user entities’ financial statement assertions and are important components of user entities’ evaluation of their internal controls over financial reporting for purposes of complying with laws and regulations (e.g., SarbanesOxley Act); use is generally restricted to the management of the service organization, user entities of the service organization and user entities’ auditors Two types of SOC 1 reports: Type 2 Report on fairness of presentation of management’s description of service organization’s system and suitability of design and operating effectiveness of the controls to achieve related control objectives included in the description throughout a specified period 10 Type 1 Report on fairness of presentation of management’s description of service organization’s system and suitability of design of the controls to achieve related control objectives included in the description as of a specified date

Overview of SOC 2 and SOC 3 reports SOC 2 Reports Focus on non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system Can also be divided into a Type I and Type II report SOC 3 Reports Typically issued for data centers and can be issued on multiple Trust service principles (security, availability, processing integrity, confidentiality or privacy) This report is a general use report and can be freely distributed These reports are not typically seen in the EBP environment 11

Understanding SOC 1 reports & related standards Risk assessment – AU-C 402 Evaluation of controls SOC 1 reports 12 Pan sponsor controls

Purpose – SOC 1 Purpose To provide user entities and their independent auditors with information and a CPA’s opinion about controls at the service organization relevant to user entities’ internal control over financial reporting Covers fair presentation, design and operating effectiveness Restricted use report Management of the service organization User entities of the service organization’s system during some or all of the period covered by the report (for Type 2 reports) Independent auditors of user entities Indirect users Does not include potential users 13

Intended use Intended use Report on controls that are likely to be relevant to user entities’ internal controls over financial reporting For use in a financial statement audit 14

Components of a SOC 1 report Independent Service Auditor’s Report Company Overview and Control Environment SOC 1 report Management’s Description of System and Control Objectives 15 Independent Service Auditor’s Test of Operating Effectiveness and Results of Tests

Report of independent service auditors Reference to management’s assertion and criteria Description and suitability of control objectives Design and implementation of controls over a period of time (Type 2) Covers operating effectiveness of controls over a period of time (Type 2) Distinction between inclusive and carve-out method Qualifications Restricted use paragraph 16

Remainder of SOC report Suggest reporting be done under AICPA SOC 1 report Specific layout is not mandated Required components: Report of independent service auditors Management’s assertion Description of the system Information provided by the service auditor (i.e., testing procedures, in the case of a Type 2 report) Other information provided by the service organization (optional) 17

Risk assessment 18

ERISA Section 103(a)(3)(C) (formerly limited scope audits) Auditor should not assume there is no responsibility to obtain an understanding of the controls maintained by the certifying institution over assets held and investment transactions executed by the institution. If provider is also providing participant level services such as processing of participant level transactions, SOC 1 should be obtained (See recordkeeper responsibilities) Still need to comply with GAAS requirements to understand the business. SOC reports may be necessary given the extent to which activities have been outsourced. 19

Auditor’s perspective Assessing Control Risk Although a Type 2 report may be used to reduce substantive procedures, neither a Type 1 nor a Type 2 report is designed for providing a basis for assessing control risk sufficiently low to eliminate the need for performing any substantive tests for all the assertions relevant to significant account balances or transaction classes. 20

First steps First steps once SOC Report is obtained: 1. Determine SOC 1 report is correct one & is appropriate for engagement (e.g., location, timing, and services) 2. Determine Type of Report (Type I or Type 2) 3. Review service auditor opinion & note any qualifications within the opinion paragraph 21

Next steps Once engagement teams have obtained SOC reports & reviewed them briefly Time to review the SOC reports carefully and evaluate them Don’t forget to document the review and consider the results in your risk assessment! 22

Which SOC reports are needed? 23 There may be a number of service providers involved Depends on the type and structure of the particular plan Consider where relevant controls are performed

Which SOC reports are needed? Recordkeeper – Generally considered significant in that they touch nearly every transaction and record/maintain participant/plan records – Also considered Financial Reporting Control Process – Receive contributions, process transfers, distributions/loans, initiate/settle trades based on transactions requested and allocate income, and provide reports to participants and plan sponsors – Access provided to plan sponsors and participants Custodian – Generally are considered significant for full scope audits since they are responsible for the maintenance of records and processing of investment related transactions (interacting with recordkeepers) – Also considered Financial Reporting Control Process – Also receive contributions and process distributions/loans but in a limited scope audit, recording contributions/processing distributions/loans may not be considered significant 24

Which SOC reports are needed? Payroll and Contribution Related Activities – Generally considered significant to DC plans – Consider the controls at the plan sponsor and whether they are adequate to prevent or detect material misstatements in the user entity’s financial statements – Identify input/output controls (e.g., add new employees, terminate employees, approve and make updates to salary rates and deductions) – Monitoring and review procedures (e.g., review output including checks and reports) – Knowledge of user entity staff and expected level of payroll (e.g., mostly salaried employees) – If determined that there are sufficient procedures at the user entity and a SOC 1 Report is not deemed necessary, there should be adequate documentation of this rationale within the working papers 25

Which SOC reports are needed? 26

Independent service auditor opinion

Lara G. Stanton, CPA Sikich LLP

Nature and Impact of Qualifications Design Deficiencies Identify key controls that are missing Determine if mitigated by complementary user entity controls May impact sample sizes and audit procedures 29 Operating Effectiveness - IT Must address risks raised by this qualification Design audit procedures to address risk (e.g., confirmations) Generally, no assurance can be taken for any control objectives that are processed electronically Operating Effectiveness Non-IT Impact will vary and depend on nature of qualification and operations of plan Determine if mitigated by complementary user entity controls May allow for assurance in other areas not impacted by qualification No Activity for Year Generally, no impact to the audit procedures Allows assurance to be taken in other areas

Example 1: Qualified opinion – ITGC Qualification: ABC Recordkeeper states in its description that is has controls in place to properly approve and document new access requests and to timely revoke user access for terminated employees. However, for the period January 1, 2020 through December 31, 2020, several instances were noted that controls related to logical access for key applications and system software did not timely revoke terminated employee access, nor were periodic reviews of access performed, and therefore controls were not operating effectively to achieve the control objective, “ Controls provide reasonable assurance that logical access is restricted appropriately”. Impact: Example 1 Considerations: Terminated employee access not timely revoked – What access? Network? Application? If network was revoked, may be impossible with physical access controls to actually get into office to try to log onto computer – What population? Sometimes entire population tested so all instances of non-compliance identified – Was any additional testing performed by service auditor? Did they review access used for that employee? Example 2 Consideration: Terminated employee access not timely revoked – 30 What review? What did it cover? Were all other reviews performed that would catch discrepancies from missed review? This is a key control so have to consider mitigating controls.

Example 2: Qualified opinion – ITGC Qualification: ABC Recordkeeper states in its description that is has controls in place to provide reasonable assurance that changes to applications programs and related database management systems are documented, tested, approved, and implemented. However, as noted in Section IV in the description of controls and results of tests, controls related to changes in applications programs and related database management systems are not documented, tested, approved, and implemented as designed during the period January 15, 2020 to April 1, 2020. As a result, controls were not operating effectively to achieve Control Objective X, “Controls provide reasonable assurance that changes to application programs and related data management systems are documented, tested, approved, and implemented in a timely basis” for the period from January 15, 2020 to April 1, 2020, specifically as it relates to the XX reconciliation program. Impact: Note: Few things to observe here, 1; relates to a shorter period than entire period under examination and 2; relates only to a specific program (not the recordkeeping system) Based on reading through more of the description, the qualification relates to only a short period of time at the beginning of the examination period and operating effectively for the remainder of the period. Additionally, periodic reviews (e.g. quarterly) occur which is a key control that occurred subsequent to this period which should catch any issues that may have occurred previously as per service auditor, for remaining period, controls operated effectively. 31

Example 3: Qualified opinion – non-ITGC 32

Example 4: Qualified opinion – non-ITGC 33

Example 5: Qualified opinion – the BIG one 34

Example 5: Emphasis of a Matter Emphasis of a Matter: The Service Organization states in its Description that it has controls in place to provide reasonable assurance that conversions are authorized, and are recorded and processed accurately, completely, and in a timely manner. However as noted in Section IV of the report, there were no conversions of new clients during the period January 1, 2020 to December 31, 2020; therefore, we did not perform any tests of operating effectiveness of controls related to the control objective, “Controls provide reasonable assurance that new plan set up and conversions are processed and recorded on a timely, accurate and complete manner.” Impact: Based on the description, the emphasis of a matter relates to the set up of new plans BUT discusses only converted plans (e.g. plans whose assets are transferred along with participant accounts to new recordkeeper/custodian). Therefore, new plan set up (e.g. initial year) is not impacted. Further, since no conversions were processed, the service auditor is merely stating they could not test any operating effectiveness controls as no activity occurred. There is no impact as no activity occurred during the period under examination. 35

How do you arrive at a qualified opinion? Assume discussions were held with management about findings and conclusion that they added up to qualified opinion Even if you disagree with opinion, or don’t understand how qualified opinion was derived, have to accept service auditor opinion Assume service auditor already considered mitigating controls at service organization before concluding that qualified opinion was appropriate Service organization may try to present why a qualified opinion won’t make an impact, however, remember that is management representation only. However, as discussed, depending upon nature, perhaps user entity has some mitigating controls – some qualifications won’t be possible to overcome by plan sponsor controls. 36

Lessons From a DOL Inspection: Qualifications of SOC Report A SOC 1 report with significant qualifications, particularly in areas of ITGC may be difficult to argue reliance upon those control objectives impacted, as the service auditor report literally says the control objective “was not achieved” and that there were issues that could impact your plan’s audit. Even with no assurance taken, expectation is a memo at a minimum that outlines how auditor responded to risks presented by the SOC report, and how it impacted testing (e.g. procedures, sample sizes, additional reviews) A team should exhibit extreme caution in concluding no impact and taking assurance on the SOC report in these cases, as most likely a reduction in risk is not supported – A memo alone is most likely not adequate to override a service auditor opinion that is qualified in order to allow reliance on the SOC report 37

Carve-outs

Subservice Organizations If a service organization uses a subservice organization, the service auditor’s report may either include or exclude the subservice organization’s relevant control objectives and related controls in the service organization’s description of its system and in the scope of the service auditor’s engagement. These two methods of reporting are known as the inclusive method and the carve-out method, respectively. (AU-C 402 .A42) Carve-Out vs. Inclusive Method 39 Once determine sub-service organization is significant, the Service Organization must determine whether it will be shown inclusive or carve-out Both identified in service auditor’s opinion – usually inclusive as part of “description of system” and carve out in a later paragraph Inclusive subservice organizations must meet same requirements under SSAE 18 and provide rep letters Requires subservice organizations to provide management assertions if inclusive method is used

Description and Purpose of Carve Outs The subservice organization's relevant control objectives and related controls – Excluded from the description and from the scope of the service auditor's engagement If the services are relevant to the user entity’s financial statements, then the user auditor performs the same procedures on the subservice organization – Typically obtain SOC 1 report – If no SOC 1 report available, perform alternative procedures similar to those when no SOC report is available – Document conclusion on considerations of all carve outs 40

Subservice Organizations Identify the Role of the Subservice Organization Determine the significance of the sub-service organization’s role in the service organization’s system Depends on relationship to achieving the related control objective Carved-out and inclusive organizations are included within the service auditor’s opinion and must also be addressed in the assertion letter from management. Note: inclusive organizations will also have to provide a separate management assertion. Sub-service organization sections in general information section of SOC 1 reports will generally list carved out entities (including inclusive) and then vendors so readers can address appropriately Vendors are informational, not required to do the work to the extent that carve out entities may require and are not identified within the service auditor opinion. 41

Step 1- Identify subservice organizations relevant to the audit – Determination of the significance of the sub-service organization’s role in the service organization’s system – Depends on relationship to achieving the related control objective – Sub-service organization sections in general information section of SOC 1 reports will generally list carved out entities (including inclusive) and then vendors so readers can address appropriately – Vendors are informational, not required to do the work to the extent that carve out entities may require 42

Step 2- Assess relevant subservice organizations – As stated in AU-C Section 402.18, relevant subservice organizations should be assessed in the same manner as primary service organizations (i.e. obtain an understanding of the subservice organization, evaluate the design and implementation of relevant Complementary Subservice Organization Controls (“CSOCs”), and evaluate operating effectiveness as applicable). Depending upon whether the carve-out method or inclusive method is used, the user auditor may need to request additional SOC1 reports for the subservice organization. 43

Examples of carve-outs: Carve-Out and function: Procedures to address it: 1. ABC Technology Group – provides technology services such as granting/revoking access to certain applications, data center operations and software updates. Control procedures and associated testing for these areas are documented in the ABC SOC 1 report. 1. Auditor should obtain the additional SOC 1 report for ABC Technology Group since it covers ITGC that impacts our service organization and evaluate it as part of risk assessment. 2. Custodian provides services related to (1) the recording and monitoring of investment transaction activity, (2) the collection and recording of investment income and (3) the valuation of the investments. 44 2. Carve-out could be significant to the plan’s operations depending upon what investments the plan holds, and the scope of the audit. This carve-out should be reviewed to determine if any additional procedures, including obtaining the additional SOC 1 report to cover relevant controls over these functions as performed by Custodian is deemed necessary.

Examples of carve-outs: Carve-Out and function: 1. Check writing, Printing Services and Document Processing (incoming mail processing services) – provided by ABC organization. 2. Trust Services – provided by Trustee Z Organization. (Similar – carve outs for pricing services) 3. WWW Services – provides software-asa-services for the recordkeeping system, the Voice Response Unit system, and to host the web server 45 Procedures to address it: 1. Most likely not a significant carve-out to the audit based on nature of services provided. Document conclusion and pass further consideration. 2. Depends upon services provided, scope of audit. May not be significant to a limited scope audit but might be to a full scope audit. 3. Significant -Obtain the WWW Services SOC 1 report in order to adequately cover ITGC since they do all development and changes to the recordkeeping system as well as process all plan and participant level transactions and generates plan and participant statements.

Example of Presentation of Sub-Service Organization Carve-Outs (Should match opinion) Universal Security – provides physical security to the data center (grants and revokes access, video surveillance) ABC IT – provide software and software updates to recordkeeping system (e.g., recordkeeping software used to maintain participant records and record transactions to the plan and participant accounts) WEE BackUp – performs all backup of systems and stores backed up files 46 Vendors (Other than may be present in description of the system) NSCC – pricing and dividend information Iron Mountain – Off-site backup tape and document storage Xerox – staffs the mail room ABC Print – prints and mails participant statements

Evaluation of SOC report

David A. Torrillo, CPA Torrillo & Associates, LLC

Evaluation of control objectives: Consider each area per financial statements (e.g. contributions, distributions, investments) Look for controls related to financial statement assertions for each area – (e.g. Distributions – consider controls around proper authorization (participant, plan sponsor), calculation, and recording to plan & participant records) Next, look for how controls are tested. Must go beyond inquiry & observation. Inspection of documents, checklists for evidence or reperformance. Have to consider any noted deviations or qualifications as applicable Evaluate design and implementation, then operating effectiveness – may be able to take credit for D&I but not operating effectiveness 49

Example of exceptions Exception noted: Auditor response: 1. Of 29 users (including service Ids) tested, 2 individuals were found to maintain inappropriate access to database configurations. (Logical Access) 2. Two out of 50 plan implementations, in relation to distribution rules, were not accurately set up in recordkeeping system based on the plan set up documentation. 3. One out of 25 account change requests was processed without authorization from the participant. 1. Inappropriate access can lead to unauthorized system modifications which can impact transaction processing and reporting. 2. Improper setup of plan provisions can pose a risk that inaccurate processing of transactions, specifically distributions in this case could occur. Can review any mitigating plan sponsor controls in place. 3. Unauthorized account changes can pose a risk that unauthorized or inaccurate processing of transactions could occur. A mitigating control was in place through the quality control review per above that did catch this error. 50

Example of exceptions Exception noted: Auditor response: 1. For 4 out of 50 terminated users 1. Inappropriate access/untimely removal selected, the termination event was of terminated employees can pose a not communicated to IT in a timely risk to the data of the plan. Consider: manner to facilitate timely removal of access to network, physical access to system access. building, or if it was timely removed just not in compliance with policy. 2. An annual entitlement review for authorized users with access to the 2. Key control in detecting any recordkeeping system was not inappropriate access to any system, performed. program or incompatible duties. Does pose a risk that errors would not be 3. Six of the 60 daily checklists caught without such a review and reviewed did not contain evidence of depends on other mitigating controls. secondary review, however no errors were noted. 3. Most likely little to no impact. Controls appear to be operating, but service auditor was not able to see evidence for all transactions selected. Have to evaluate overall. 51

Impact of exceptions on risk assessment Will vary depending on operations and who performs controls. Consider: Evaluating the impact of the exception on the specific audit Identifying mitigating controls may lessen or reduce impact Documenting auditor’s conclusion on impact (or no impact) Remembering management responses may be informational but not audited Other considerations – Although exceptions may have been reviewed by management and determined to be isolated incidents, consider if controls in place are adequate to prevent/detect further errors from occurring – Service auditor may have completed testing of additional items or may have performed additional procedures to mitigate effect of exception 52

Impact of exceptions on risk assessment Examples of common exceptions: – Errors in processing transactions – Lack of evidence to review – Exception may have led to qualification Considerations when addressing impact of exceptions on risk assessment: – Are there other controls in place at the service organization to mitigate risk of error? (e.g. other levels of review? Different access levels?) – Any CUEC that can help mitigate impact? (e.g. detailed review/approval of reports?) – Consider nature of exception (e.g. IT or non-IT and how exactly does it relate to your plan) – Exception may have led to qualification – further impact to address 53

SolarWinds supply chain attack Microsoft Corp President, Brad Smith, has said “[this is] the largest and most sophisticated attack the world has even seen” (Reuters) SolarWinds security advisory: Breach was identified in December of 2020, and gave hackers access to thousands of companies and government offices that use its products, including U.S. government agencies https://www.solarwind s.com/sa-overview/se curityadvisory Who was impacted? – Users of the Orion network monitoring software What does this mean for employee benefit plan audits? – The next security attack may be around the corner. What does this mean for SOC 1 reports? – Cybersecurity is typically covered in a separate SOC 1 report 54

Addressing differences in period covered by SOC report vs. engagement period covered 55 For example: Calendar year end under audit is 12/31/XX, but the SOC report year end period is 9/30/XX If there are differences, will need to determine the impact of the difference and, if deemed significant, will need to potentially perform alternate procedures: o Inquiries to the service organization about changes (bridge/gap letters) o Review documentation related to any changes at the service organization o Obtain additional evidence to cover period difference (e.g., additional SOC reports, agreed upon procedures) o Inquiries to plan management as to how they address any time differences o Adjust audit procedures to address differences o May impact reliance on SOC report if time period is significantly different o Bridge letters can help to a certain extent but don’t replace other procedures

Complementary user entity controls

Patricia McCormick, CPA Deloitte & Touche LLP

What is a Complementary User Entity Control (CUEC) Controls that may be performed at the user entity in order to achieve the control objectives stated in the SOC 1 report 58

CUEC’s- The Independent Service Auditor’s Report 59

CUEC’s- Management’s Assertion 60

What does this tell us about CUECs? CUECs are important!! If CUECs are not designed and operating effectively at the user entity, the user entity cannot rely on certain control objectives stated in the SOC 1 report. 61

CUECs Illustration Control Objective 3: Controls provide reasonable assurance that written withdrawal and distribution requests are valid and processed in an accurate, complete and timely manner Control Title Control Activity Tests Performed by Service Auditor Results of Tests Performed by Service Auditor 3.1 Requests for withdrawals are reviewed for completeness prior to processing in the recordkeeper system Inspected a sample of withdrawals processed during the examination period and verified that the requests were authorized and reviewed No exceptions noted Complementary User Entity Controls: The Plan Sponsor is responsible for reviewing reports provided by the recordkeeper and communicating any discrepancies in writing within a timely manner If applicable, disbursement requests are authorized by the appropriate party and in compliance with plan provisions 62

Common CUECs The plan sponsor is responsible for administering access to the Service Organization website accounts to only authorized personnel The plan sponsor is responsible for maintaining plan documents and notifying the service organization of any changes The plan sponsor is responsible for providing complete and accurate participant data to the recordkeeper The Plan Sponsor is responsible for reviewing reports provided by the recordkeeper and communicating any discrepancies in writing within a timely manner The Plan Sponsor is responsible for verifying that disbursement requests are authorized by the appropriate party and in compliance 63 with plan provisions

CUEC Mapping CUEC Control at the Plan The plan sponsor is responsible for administering access to the Recordkeeper website accounts to only authorized personnel On an as-needed basis, access to the Recordkeeper website is reviewed and approved by Bonnie Leigh, Senior Benefits Manager. The plan sponsor is responsible for providing complete and accurate participant data to the recordkeeper On a biweekly basis, Shelby Sue, Benefits Manager, reviews an automatic feed transfers employee information (name, DOB, DOH, salary) from the Plan Sponsor’s payroll system to the Recordkeeper. 64

Question: Are all CUECs relevant to all plans? Question: As a user auditor, do you need to test the operating effectiveness of all CUECs? 65

How do you determine what CUECs are relevant? AU-C Section 315, Understanding the Entity and Assessing the Risks of Material Misstatement .13 The auditor should obtain an understanding of internal control relevant to the audit It is a matter of the auditor’s professional judgment whether a control, individually or in combination with others, is relevant to the audit. . 21 The auditor should obtain an understanding of control activities relevant to the audit, which are those control activities the auditor judges it necessary to understand in order to assess the risks of material misstatement at the assertion level and design further audit procedures responsive to assessed risks The auditor should obtain an understanding of the process of reconciling detailed records to the general ledger for material account balances. 66

How do you determine what CUECs are relevant? Do any controls detailed in the SOC 1 directly address a risk of material misstatement at the assertion level? Are you using any reports or information from the service organization that cannot be directly tested in substantive procedures to address a risk of material misstatement at the assertion level? Contribution deferral report? Investment allocation report? Electronic distribution authorization? 67

What procedures should be performed over relevant controls? In all instances, relevant controls should be evaluated for design and implementation purposes (AU-C 330.08)- The auditor should design and perform tests of controls to obtain sufficient appropriate audit evidence about the operating effectiveness of relevant controls if: The auditor’s assessment of risks of material misstatement at the relevant assertion level includes an expectation that the controls are operating effectively (that is, the auditor intends to rely on the operating effectiveness of controls in determining the nature, timing, and extent of substantive procedures) or Substantive procedures alone cannot provide sufficient appropriate audit evidence at the relevant assertion level. (Ref: par. .A21–.A26) 68

Auditor responsibilities To rely or not? Testing of operating effectiveness Documentation and relation to risk assessment 69

Other issues

What if there isn’t a SOC report? Work still has to be performed on significant areas: Must still evaluate design Confirm implementation of controls Need to develop alternative procedures in order to accomplish this: Visit to service organization to do inquiries & observations? What information is already available? Can test transactions be run through the system? Tool is still useful as it lists all relevant areas for consideration by control objective. 71

What if there isn’t a SOC report? Documentation of alternate procedures might include: Screen prints (e.g., access to website or results of test transactions) Written documentation of control systems from inquiries Copies of checklists/other information used to document control procedures performed by service organization Obtaining User manuals, system overviews, technical manuals, etc. 72

EBPAQC tool Use the EBPAQC tool, Documentation of use of a type 2 service auditor’s report in an audit of an employee benefit plan’s financial statements, to document work performed and conclusions. – https://www.aicpa.org/content/dam/aicpa/interestareas/employeebenef itplanauditquality/resources/toolsandaids/downloadabledocuments/soc 1-type-2-report-documentation-tool.docx 73

Question & answer session

Question & answer session Beth Garner Patricia McCormick David Torrillo Lara Stanton

CPE certificate Don’t forget to download your CPE certificate! Click on Now!

We welcome your feedback! Please complete the online evaluation

Thank you