Advice
If you’re a retirement plan sponsor, you’re probably used to wearing a lot of hats—compliance checker, decision-maker, risk manager. It’s a role that comes with big responsibilities, and one of the most important is making sure everything tied to your plan’s operations is solid, secure, and well-documented.
That’s where SOC reports come in.
You might’ve heard the term before—System and Organization Controls report—but maybe you’ve never taken a close look at one. Or maybe you’ve reviewed one, filed it away, and didn’t think twice. Either way, it’s worth understanding what SOC reports actually do and why they matter—especially when you’re relying on outside service providers to help run your plan.
Let’s Start with the Basics: What Is an SOC Report?
At its core, a System and Organization Controls (SOC) report is an independent audit report. It’s created by a third-party auditor who takes a close look at how a service organization handles certain systems and processes—particularly those tied to financial reporting, data security, and internal controls.
In other words, if your plan provider or recordkeeper manages sensitive participant data, handles transactions, or processes contributions, the SOC report helps you assess how well they’re managing that responsibility.
There are different types of SOC reports, but the one you’re most likely to encounter as a retirement plan sponsor is SOC 1, which focuses on controls related to financial reporting. That’s the one you’ll want to pay attention to.
Why It Matters: You Can Delegate Tasks—But Not Responsibility
Here’s the thing: as a plan sponsor, you’re a fiduciary. That means you’re legally and ethically obligated to act in the best interests of your plan participants. And while you can outsource the work, you can’t outsource the accountability.
So, even if you rely on a service provider to handle daily operations—like processing payroll contributions or maintaining plan records—you’re still on the hook for making sure those functions are being handled correctly and securely.
The SOC report helps you meet that obligation.
It gives you visibility into your provider’s controls—how they manage risk, how they handle data, and whether they’re following through on their responsibilities. Reviewing it helps you verify that your providers are doing what they say they’re doing.
What You’ll Find in the SOC Report
Now, let’s talk about what’s inside.
If you’re reviewing your provider’s SOC report—say, 1st Source Bank’s Retirement Plan Services division’s report—you’ll want to pay attention to a few key sections:
- The Independent Service Auditor’s Report – This is the auditor’s official opinion on the effectiveness of the service provider’s controls.
- Complementary User Entity Controls – These are controls that you, the plan sponsor, are expected to have in place. Think of them as your part of the security equation.
- Auditor’s Test of Controls and Results – This section shows what specific controls were tested, how they were tested, and whether any exceptions were found.
If there are exceptions noted, it doesn’t always mean there’s a red flag—but it’s something you’ll want to investigate further. Context matters.
How Often Should You Review It?
SOC reports aren’t a one-and-done thing. Most service providers, including 1st Source Bank’s RPS division, go through this audit annually. The report is usually available at the end of Q1 or beginning of Q2 each year.
As a plan sponsor, you should review the report every year and keep a record of when you did. It doesn’t need to be overly complicated—a simple note with the review date and any follow-up actions will do the trick.
Doing this shows that you’re actively monitoring your service providers and taking your fiduciary role seriously. That’s a big deal in the eyes of regulators, auditors, and—most importantly—your plan participants.
The Bottom Line: It’s About Trust—and Verification
In a perfect world, every service provider would always follow best practices, every control would work flawlessly, and every system would be airtight. But the real world? It’s full of complexities—and occasional surprises.
That’s why SOC reports matter. They give you a structured, credible way to evaluate risk, verify performance, and protect your participants.
It’s not just about checking a compliance box—it’s about fulfilling your duty as a plan sponsor. And while reviewing a report might not be the most exciting task on your list, it’s one of the smartest things you can do to safeguard your plan.