AICPA logo
AICPA logo
  • Home

Employee benefit plans: SOC 1 reports and service organizations resource center

Most employee benefit plans use service organizations (e.g., bank trustees, insurance companies or benefits administrators) to process transactions and maintain plan records. Often Service Organization Control Reports® (formerly known as SAS 70 reports) are obtained and used by the auditor to understand the controls at the service organization and potentially reduce the amount of substantive testing required. The Center has compiled the following resources to assist employee benefit plan auditors in effectively using SOC 1 reports in their employee benefit plan audits.

Professional Standards

AICPA AU-C section 402, Audit Considerations Relating to an Entity Using a Service Organization (AICPA Professional Standards)

This standard provides guidance on the factors an independent auditor should consider when auditing the financial statements of an entity that uses a service organization to process certain transactions.

SSAE No. 18, Attestation Standards: Clarification and Recodification

This standard addresses examination engagements undertaken by a service auditor to report on controls at organizations that provide services to user entities when those controls are likely to be relevant.

The AICPA has compiled resources and tools related to SOC reports, including guides, resources, publications, webcasts and articles.

Employee Benefit Plan Audit Quality Center

The Center is a voluntary membership organization for firms that perform or are interested in performing ERISA employee benefit plan audits.