Gaining Comfort That an External Plan Service Provider Has Adequate Security and Controls
By Mike Goode
Say you’re a plan sponsor, and you’re using (or seeking to use) external services for:
- Mandatory distributions / automatic rollovers
- Account consolidation
- Assisting terminated participants with their distribution options
- Locating missing plan participants
Question: What gold-standard certification is going to give you comfort that your provider of choice meets the highest standards of excellence for transactional controls, security, availability, confidentiality and privacy?

Answer: Service Organization Controls (SOC) examinations. SOC examinations are conducted in accordance with attestation standards established by the American Institute of CPAs (AICPA), and are designed to provide comfort that service organizations meet the key principles identified above, through an independent service audit. A "system" is broadly defined: it comprises the infrastructure, people, procedures and data used to deliver the services provided, and it encompasses information and asset security.
SOC 1 – Type II is an examination of the provider's internal controls over the processing of user entities' transactions, and of the suitability of the design and operating effectiveness of those controls to achieve the stated control objectives. In addition, it provides an opinion on the operating effectiveness of the controls in achieving those control objectives throughout the audit period. The SOC 1 – Type II report also includes a detailed description of the service auditor's tests of controls and their results.

The SOC 2 – Type II examination focuses on the provider's controls relevant to security, availability, processing integrity, confidentiality, or privacy, evaluated against the trust services criteria. The SOC 2 – Type II report likewise includes a description of the service auditor's tests of controls and their results.
Make sure that the service organization you choose has an ongoing commitment to meeting these standards, is continuously and independently audited against them, and has integrated these principles into its culture for both operations and IT. Accepting anything less could be flirting with disaster, and could end up increasing your fiduciary liability.
On an annual basis, RCH is independently audited against the standards set forth for SOC 1 – Type II and for SOC 2 – Type II. Most recently, on January 7th and 8th, 2015, RCH received its SOC 2 – Type II report and its SOC 1 – Type II examination report, respectively. Both reports included favorable opinions of RCH's controls and security framework, as tested and evaluated by the independent service auditor.