By Danielle Kimmell, CPA, and Susan Burnoski, CPA
Plan sponsors and administrators have a fiduciary responsibility to monitor any outside service organization (OSO) utilized in the administration of their retirement plans. This includes understanding and monitoring internal controls. In most cases, the OSO provides a Service Organization Control (SOC) Report. The SOC report informs plan sponsors of the controls in place, and an independent firm typically attests to whether the controls are fairly described and whether they are operating effectively.
Occasionally, significant providers in the retirement plan industry have qualifications within their SOC reports that have the potential to impact the scope and amount of testing for plan audits. In 2020, Empower/Great-West had a significant qualification within their SOC report. MassMutual plans could be impacted by this qualification as Empower acquired MassMutual’s retirement plan business in January 2021.
- Empower’s SOC report for the fiscal year-end September 30, 2020, was qualified by Deloitte;
- This qualification may impact plans that utilize Empower or certain Great-West companies affiliated with Empower;
- The qualifications in the report relate to controls around (a) application changes and (b) logical access controls to applications and underlying databases;
- Because of the pervasive nature of these key controls related to the software tools and access to such tools, plan auditors will not be able to place reliance on the control environment of Empower/Great-West; and,
- Since controls cannot be relied upon, plan auditors will need to assess control risk at high, which will result in expanded or larger sample sizes.
If you utilize Empower or Great-West, the following action steps should be taken:
- Obtain and read the Empower SOC report for the fiscal year ended September 30, 2020, and discuss the results with your Empower representative;
- Inform those charged with governance (e.g., Investment/Plan Committee or Board of Directors);
- During your annual monitoring and evaluation of your plan providers, consider the results of Empower’s SOC report and their responses/changes as a result of the report qualifications; and
- Review the Key User Entity Control Section of the SOC report and evaluate the procedures you, as the plan sponsor, have implemented.
If you have a plan audit performed by AGP that utilizes Empower, your audit teams will communicate the impact of the qualification in the audit planning phase. If you would like to discuss this earlier, we recommend contacting your service team prior to planning.
The following AICPA and DOL links provide more in-depth information about effectively monitoring outsourced plan functions:
For more information, contact Apple Growth Partners’ Employee Benefit Niche Group Leaders: