What is a SOC Report and Why Should Plan Sponsors Know About Them?

Requesting service organization control reports from service providers is an important part of the vetting process when looking to ensure safe cybersecurity practices.

Updated with corrections.

When vetting third-party providers, especially those who will have access to participant data and information, it is important that plan sponsors conduct proper due diligence, which includes asking the right questions and requesting the right information.

More specifically, one key aspect of ensuring that service providers are up to par with their cybersecurity policies is requesting a service organization control, or SOC, report from the provider.

A SOC report is a third-party assessment of an organization’s ability to protect data and implement controls. However, there are different types of SOC reports, and Jon Atchison, senior team lead on CAPTRUST’s governance, risk and compliance team, says while people tend to use the different names interchangeably, they are very different animals.

First, a SOC 1 report covers internal controls for financial statements and reporting. Atchison says there may be a small amount of information security data in a SOC 1 report, but it is “very high level.”

In comparison, he says, a SOC 2 report is where information security is evaluated. When requesting a SOC 2, a plan sponsor can ask that the provider be evaluated against the five trust services criteria: security (the most commonly requested criterion), availability, processing integrity, confidentiality and privacy.

Lastly, a SOC 3 report is a tailored version of the SOC 2 report that has been approved for public distribution. Atchison explains that a SOC 2 report is the full report that will include the auditor’s opinion, sub-processors, stated controls and each test that the auditor performed, as well as information on any gaps the auditor found in the state of controls. These gaps are typically referred to as an “exception,” Atchison says.

“Exceptions are not … all bad, but it’s something that you want to evaluate,” Atchison says. “A SOC 3 is not going to have that level of detail, and, therefore, it may not be of better value to a plan sponsor when they evaluate a third party. It can be helpful from a high level, but the real value is going to be found in the SOC 2 report.”

Typically, the service organization being evaluated will share its SOC 2 report with the plan sponsor under a nondisclosure agreement. More likely than not, Atchison says, a plan sponsor would want to engage directly with the service organization and have the sponsor’s legal department review the NDA to make sure it complies with the sponsor’s own risk tolerances.

SOC 2 reports also come in different types. A SOC 2 Type I report describes a company’s controls as designed at a single point in time, but it does not include the results of testing whether those controls operate effectively. A SOC 2 Type II report is more comprehensive in that it covers a period of time, usually between three and 12 months, during which the auditor can observe the controls’ efficacy.

For a plan sponsor, Atchison says a SOC 2 Type II report will provide the most value, as it covers a longer period of time and can validate the effectiveness of the state of controls. Therefore, he says, it provides the most assurance.

How to Interpret a SOC Report

While a SOC report is tailored to a specific audience, as those with cybersecurity expertise will likely best understand the auditor’s findings, Atchison says the beginning of the report is written more in business parlance, so people who may not have technical training can read and comprehend the auditor’s summary.

Several different opinions can result from a SOC report, and plan sponsors should understand the differences.

Atchison says the best of all possible opinions would be a “nonqualified opinion,” meaning the auditor did not find anything to give him or her concern about the state of controls and the operations, based on the trust services criteria being evaluated.

A qualified opinion, on the other hand, means the auditor found issues the service organization should improve on, but did not consider them pervasive or detrimental enough to change the overall opinion. This opinion essentially indicates that most controls were effective, but some areas need improvement.

“If you think about it, auditors are paid to find things, and this is exactly why [providers] do this,” Atchison says. “Because [providers] want to get better, and they ultimately want to have an ability to provide assurance to their clients that their security controls are up to standard.”

An opinion that a company would not want to see is an “adverse opinion,” which Atchison says is a truly negative outcome, indicating that there were material or pervasive issues with the data security controls.

In addition, an auditor could have a “disclaimer of opinion,” which is issued when the auditor is unable to form an opinion due to various limitations imposed by the scope of the audit or when there are other issues that impacted the auditor’s ability to form an opinion.

Beyond the SOC 2 Report

If a company wants assurance beyond what a SOC 2 Type II report provides, it can engage a third party to perform comprehensive penetration tests on its networks.

The hired third party could, for example, conduct an external penetration test, in which the tester acts as an attacker and attempts to overcome existing controls to get into the organization’s network through unauthorized means or a vulnerability. An internal penetration test simulates an attacker who already has a foothold inside a provider’s network and tests how far that attacker could go and what information the attacker could access.

Separately, a plan sponsor could also request a shared assessment, also called a standardized information gathering (SIG) questionnaire: a lengthy questionnaire that any organization can fill out on its own and provide to its clients to demonstrate the type of programs it is running. A shared assessment typically covers more than 19 different security domains and can run to hundreds of questions.

“The standard information-gathering approach is done by internal staff; it’s not done by an independent third party,” Atchison notes. “So, therefore, there’s only so much assurance you can provide, and that’s where I think the engagement with a third party can really add value to your [shared assessment], because [it] can be validated by an independent [party that says], ‘Yes, they did have good controls, and we tested them.’”

Atchison says the time it typically takes to request and receive a SOC 2 report from a service organization depends on whether the plan sponsor already has a relationship with the vendor or not. If there is an existing relationship, he says, an NDA may already be in place, which could lead to a quicker turnaround.

Higher Contributions, Net Replacement Rates Make World’s Best Pensions

Mercer CFA Institute Global Pension Index again ranks Netherlands as having the best retirement system; focuses more on how to improve retirement outcomes in defined contribution plans.

Which countries have the best retirement systems? The Netherlands, Iceland and Denmark are the top three, according to the 2024 Mercer CFA Institute Global Pension Index. The top three were unchanged from last year’s report.

The 16th annual survey benchmarked and compared the retirement systems of 46 countries, with a secondary purpose of highlighting shortcomings in each system and suggesting areas of reform.

Among the characteristics present in the top-rated plans, the researchers identified:

  • A public pension for the aged poor of at least 25% of the average wage;
  • A net replacement rate (including both public and private pensions) of at least 65% for a median-income earner with a full career;
  • Private pension coverage of at least 80% of the working-age population;
  • Pension contributions that are being invested for the future of at least 12% of wages;
  • Pension assets of at least 100% of GDP;
  • A well-governed and well-regulated private pension system.

Each country was scored according to three metrics:

  • Adequacy (40% weight): system design, government support, home ownership, savings, growth assets and benefits;
  • Sustainability (35% weight): government debt, public expenditure, demography, economic growth and pension coverage; and
  • Integrity (25% weight): regulation, communication, protection, governance and operating costs.

The Netherlands had the highest overall score (84.8) and the highest adequacy score (86.3). Iceland, No. 2 on the list, had a total score of 83.4 and the highest sustainability score of 84.3. Denmark, ranked third, had a total score of 81.6. Finland, with a score of 75.9, had the highest integrity score at 90.8.

The United States ranked 29th out of 46 with a total score of 60.4, an adequacy score of 63.9, a sustainability score of 58.4 and an integrity score of 57.5.

According to the report, increasing longevity, higher interest rates and the rising costs of care are putting pressure on governments to support pension systems. As a result, several countries have slightly lower scores than in previous years.

“In a world where fertility rates are falling and life expectancy is rising, retirement income systems are center stage,” said Pat Tomlinson, president and CEO of Mercer, in a statement. “Ensuring strong alignment in private and public retirement income arrangements, increasing employee coverage and encouraging higher labor force participation for those who wish to work at older ages are just a few ways to improve long-term outcomes for retirees.”

Rankings

The rankings were based on total index value. Grade A systems had an index value of greater than 80, B+ systems had an index value ranging from 75 through 80, B systems from 65 through 75, C+ systems from 60 through 65, C systems from 50 through 60 and D systems from 35 through 50. E systems were those with an index value less than 35, although no countries scored so low.

Of the countries considered, only the Netherlands, Iceland, Denmark and Israel had a grade of A, which Mercer and the CFA Institute described as first-class and robust retirement systems that deliver good benefits, are sustainable and have a high level of integrity.

Singapore (78.7), Australia (76.7), Finland (75.9) and Norway (75.2) earned B+ scores. Chile (74.9), Sweden (74.3), the U.K. (71.6), Switzerland (71.5), New Zealand (68.7), Mexico (68.5), France (68) and Germany (67.3) were among the countries that received scores of B. B+ and B countries have retirement systems with a sound structure and “many good features” but also areas for improvement that differentiate them from an A-grade system.

The UAE (64.8), Kazakhstan (64), Hong Kong (63.9), Colombia (63), Saudi Arabia (60.5), the U.S. (60.4) and Spain (63.3) had C+ grades. Poland (56.8), China (56.5), Malaysia (56.3), Brazil (55.8) and Japan (54.9) were among the countries with a C grade. C+ and C countries were described as countries in which the retirement systems have some good features, but also some major risks or shortcomings that need to be addressed.

South Africa (49.6), Turkey (48.3), Argentina (45.5), the Philippines (45.8) and India (44) received D grades as countries with systems that have some desirable features, but also major weaknesses and omissions that need to be addressed.

From DB to DC

The global pension landscape is changing, as more and more countries and plans shift to defined contribution plans from defined benefit plans, noted Margaret Franklin, president and CEO of the CFA Institute, in the report.

The Netherlands, for example, is in the process of transferring its entire retirement system from defined benefit plans to defined contribution plans by 2028 as part of the Netherlands’ Future Pension Act.

“The ongoing shift to defined contribution pension plans introduces many financial planning challenges, which are falling squarely on the shoulders of tomorrow’s retirees,” Franklin wrote in the report. “DC plans require individuals to make complex financial planning decisions that may significantly impact their financial circumstances, and yet many individuals are not well prepared to manage the required decisions. The Index serves as an important reminder of the gaps that remain in providing long-term financial security and advice for individuals.”

Regarding defined contribution plans specifically, the report found that “the focus must be on the provision of regular income during the retirement years,” and that “retirees need some long-term protection from future risks.”

As people live longer and as birthrates decline, numerous countries and plans are shifting toward defined contribution plans, which put the burden of risk on retirees. Franklin wrote that pension funds must evolve to provide a range of options and support to help individuals achieve the best possible retirement outcomes.

In addition, David Knox, an Australia-based senior partner at Mercer and the report’s lead author, wrote: “Significant retirement income system reforms are needed to meet the financial needs of retirees and their evolving work expectations. There is no single solution to getting retirement systems onto more solid ground. Now is the time for governments, policymakers, the pension industry and employers to work together to ensure that older populations are treated with dignity and can maintain a lifestyle similar to what they experienced through their working years.”