In the US, retirement plans are an important financial resource for many retirees, and the organizations that handle these funds must operate to the strictest standards so that their customers’ hard-earned savings are protected from loss, fraud and misuse.
Retirement plan administrators provide various yearly services on an organizational retirement plan, such as a 401(k), profit sharing plan, defined benefit plan, or cash balance plan. Technology plays a growing role in the administration business. For example:
- Many complicated actuarial calculations and statistical tests, previously undertaken manually, are now managed through software applications.
- Many business management tools are now available to ensure workflow management and efficient client communication.
- Many activities that required mailing physical documents are now performed electronically through a secure web connection.
Some of these services are outsourced by plan administrators to third-party vendors such as Congruent Solutions to reduce their burden. When an administrator chooses a vendor to carry out data processing and reporting, trust becomes the deciding factor. In an era of online fraud and financial scams, one cannot overemphasize the importance of trust, especially when the data concerned is the extremely sensitive financial information of senior citizens.
Now that most organizations have had to adopt work from home (WFH) for most of their employees, this trust factor becomes even more significant: data security, availability and integrity are no longer optional but mandatory.
With plan administration and its related outsourced processes being such an important and complex function, many organizations will not even consider contracting with an administrator (or its extended outsourced third-party vendor) if they do not have SOC 1 and/or SOC 2 certification.
The SOC 1 report provides transparency into the administrator’s (or its outsourced third-party vendor’s) internal controls relevant to its clients’ financial reporting, while the SOC 2 report covers the suitability of design and operating effectiveness of controls relevant to security, availability, processing integrity, confidentiality, and privacy.
A trusted vendor is one whose controls have been examined under the System and Organization Controls (SOC) reporting framework issued by the American Institute of Certified Public Accountants (AICPA). The purpose of SOC reporting is to give organizations confidence when they engage third-party vendors. A service provider described as “SOC certified” is one that has been examined by an independent certified public accountant who has issued an opinion that the described controls are suitably designed (and, for a Type II report, operating effectively). Strictly speaking, a SOC engagement produces an attestation report with the auditor’s opinion rather than a certificate; “SOC certification” is industry shorthand for holding a current report with an unqualified opinion, and prospective clients should ask to read the report itself rather than rely on the label.
Categories of SOC certification
There are two categories of SOC certification:
SSAE 18 (SOC 1) certification: These reports, prepared in accordance with AT-C section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting, are specifically intended to meet the needs of entities that use service organizations (user entities) and certified public accountants (CPAs) that audit the user entities’ financial statements (user auditors), in evaluating the effect of the controls at the service organization on the user entities’ financial statements.
SOC 2 certification: These reports are prepared under the SSAE 18 attestation standards (AT-C sections 105 and 205) and evaluate controls against the AICPA Trust Services Criteria (TSP section 100); the older reference to AT section 101 applies only to reports issued before SSAE 18 superseded it in 2017. They are intended to meet the needs of a broad range of users who need detailed information and assurance about the controls at a service organization. The controls pertain to the security, availability, and processing integrity of the systems that the service organization uses to process users’ data, and the confidentiality and privacy of the information processed by these systems.
Types of SOC certification
There are two types of SOC certification:
Type I reports on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date. A Type I report is a point-in-time snapshot and says nothing about whether the controls actually operated.
Type II reports on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period (commonly six to twelve months). Because it includes the auditor’s tests of operating effectiveness, the Type II report is the one a prospective client should request, and the client should check that the period covered is recent and that any gap between the report date and the present is covered by a bridge letter from the vendor.
Framework and areas covered under SSAE 18 (SOC 1) & SOC 2 certifications
SSAE 18 (SOC 1) certification
- Addresses – Internal controls over financial reporting (ICFR) of user entities
- Control domain options – Transaction processing controls and supporting IT general controls
- Defined scope of system – classes of transactions; procedures for processing and reporting transactions; the accounting records of the system; handling of significant events and conditions other than transactions; report preparation for users; other aspects relevant to the processing and reporting of user transactions
SOC 2 certification
- Addresses – Operational controls
- Control domain options – Security, Availability, Confidentiality, Processing Integrity and Privacy
- Defined scope of system
  - Infrastructure – The physical and hardware components of a system (facilities, equipment, and networks)
  - Software – The programs and operating software of a system (systems, applications, and utilities)
  - Procedures – The automated and manual procedures involved in the operation of a system
  - People – The personnel involved in the operation and use of a system (e.g., developers, operators, users, and managers)
  - Data – The information used and supported by a system (e.g., transaction streams, files, databases, and tables)
- Control categories
  - Common criteria: Organization and Management (CC1.0), Communications (CC2.0), Risk Management and Design and Implementation of Controls (CC3.0), Monitoring of Controls (CC4.0), Logical and Physical Access Controls (CC5.0), System Operations (CC6.0), Change Management (CC7.0)
  - Additional criteria: Availability (A1.1 – A1.3), Confidentiality (C1.1 – C1.6) and Processing Integrity (PI1.1 – PI1.6)
  - Privacy criteria, split across eight categories: Notice and Communication of Commitments and System Requirements; Choice and Consent; Collection; Use, Retention and Disposal; Access; Disclosure and Notification; Quality; Monitoring and Enforcement
  - Note that this numbering follows the 2016 Trust Services Criteria. The 2017 Trust Services Criteria, required for report periods ending on or after December 15, 2018, realign the common criteria to the COSO framework and renumber them CC1 through CC9 (Control Environment; Communication and Information; Risk Assessment; Monitoring Activities; Control Activities; Logical and Physical Access Controls; System Operations; Change Management; Risk Mitigation), so the criteria references in a current report will differ from those listed above.
Congruent’s commitment to quality
Congruent’s efforts in completing these examinations demonstrate our ongoing commitment to clients to serve as a dependable, transparent, secure third-party vendor focused on minimizing risk (through effective controls), increasing value, and maintaining service standards.
Our SOC 1 Type II report not only verifies that Congruent has internal controls, but also examines whether the policies and procedures relating to our data processing and reporting operated effectively in practice over the examination period. The SOC 2 Type II report provides assurance regarding Congruent’s controls relating to the five trust services categories of security, system availability, data confidentiality, processing integrity, and privacy of personal information.
The benefit of Congruent’s SOC reports to clients
Our clients stay reassured knowing that an independent auditor (CPA) has assessed our controls and has verified that they were implemented, suitably designed, and are operating effectively.
Data protection is of utmost importance today because companies increasingly rely on cloud and related IT services, and regulators, examiners, and auditors insist on security and reliable performance. Congruent Solutions understands this well and takes data protection seriously. Our clients have confidence in their decision to partner with Congruent knowing that we are committed to quality and strong internal controls.
Towards this, Congruent Solutions has again completed SOC 1 Type II and SOC 2 Type II examinations, renewing both reports. This is a credible, independent acknowledgment of the company’s steadfast commitment to security and compliance.