This session will take a deep dive into using SOC 1 (SSAE 18) reports in an EBP audit to aid the auditor in addressing common issues, as well as effectively leveraging them appropriately and at the right time. Part of this discussion will cover how SOC reports will not always address information provided electronically, or initiated and authorized electronically, at the plan sponsor. After attending this session, attendees will be able to:
• Identify SOC 1 reports and the related standards.
• Analyze impact of carve-outs, exceptions and report qualifications.
• Apply results from SOC 1 reports to risk assessment and substantive audit procedures.
• Differentiate between electronic information received at plan sponsor and what information is actually covered by the SOC 1 report.
• Differentiate between cybersecurity and SOC reports in the EBP industry and how SOC reports address or don’t address those concerns.
• Use the AICPA EBPAQC's SOC 1 tool to understand the critical importance of properly documenting the use of SOC 1 report.
• Apply session take-aways to develop/enhance best practices within their respective firms.