Auditors have likely asked you about SOC (System and Organizational Controls) reports and the complementary user entity controls (CUECs) of your service providers, and maybe you aren’t 100 percent sure what they are referring to or why it is important.
Many service providers, such as your third-party administrator, external payroll providers, asset custodians or trust companies, will have an independent external audit of their internal controls. You have a right to obtain and review those reports to see if those service providers have any significant issues in their internal controls. Your review could influence whether you want to continue using those service providers or whether there are areas you feel need to be monitored more closely. As a company that hires a service provider, you become a user entity of that provider. Within the SOC reports there is a section regarding CUECs. These are the controls that the service provider expects its clients to have in place for the provider's own controls to be effective. It is your responsibility as a plan sponsor to understand those controls and ensure that they are implemented. If you do not have them implemented, the controls of the service organization cannot be relied upon.
We realize that these third-party service providers are hired to help you in administering your employee benefit plans, but ultimately you can’t delegate the fiduciary responsibility of the plan sponsor to any other party. The plan sponsor has an obligation to implement strong internal controls and needs to ensure strong controls of outsourced tasks are in place.
The CUECs will address areas such as the setup of a new plan, participant enrollment, participant eligibility, contributions, distributions, and loans.
Your benefit plan auditor will verify that you have those controls implemented by discussing them with you and asking for support for some of those controls.
To be prepared for this at audit time, please do the following:
- Obtain and review SOC reports from your service providers relating to the plan and look for any exceptions that are noted.
- Confirm that the SOC reports cover the plan year that is being audited and, when needed, obtain a bridge letter to cover any gaps in time. Ensure the report is issued by a reputable auditor.
- Review the CUECs and document how you are fulfilling each of the controls (document who performs and how frequently).
- Maintain evidence that demonstrates how you are fulfilling each CUEC.
- For example, one common CUEC is the plan sponsor’s responsibility to maintain accurate participant demographic data. To support this, you could provide personnel file documentation showing hire dates. Another example involves distributions. Auditors may need proof that demographic data was reviewed and approved, which could include a signed distribution form confirming approval and verification.
We know this can be a confusing area to navigate, so please do not hesitate to contact us if you have any questions.




