What Is a SOC-1 Audit Report and Why Does My City Need It?
The service organization controls-1 (SOC-1) Audit Report is available on the TMRS City Portal. This article explains what it is and why your city needs it for your financial audit. In this discussion, the “plan” is TMRS and “participants,” “employers,” and “users/user entities” are TMRS cities.
For all fiscal years ending after June 15, 2015, GASB 68 requires your city to record a net pension liability (NPL) or net pension asset (NPA); and being in TMRS requires that you include disclosures in your financial report as a participant in an agent, multiple-employer plan. Many of the records and calculations necessary for your city auditor to issue an opinion on the NPL and related disclosures are maintained only by TMRS. Therefore, your financial audit will now require a coordinated approach in which TMRS’ external auditor performs certain procedures and your city auditor performs others. Your city’s external auditor has the ultimate responsibility for expressing an opinion on the NPL for your city.
With these significant reporting changes, the AICPA updated Chapter 13 of the State and Local Government Audit and Accounting Guide (referenced throughout this passage as AICPA guidance) to provide governmental employers with best practice solutions for their reporting requirements.
The city and its auditor must obtain sufficient appropriate evidence regarding the city’s specific total pension liability, deferred outflows of resources, deferred inflows of resources, and pension expense. AICPA guidance includes a best practice solution to meet this requirement, which includes:
- The plan actuary (for TMRS, this is GRS) issues a separate actuarial valuation report specific to each employer, which includes an actuarial certification letter addressed to employer/city management; and
- The plan (TMRS) engages its auditor (KPMG) to issue a service organization controls 1 (SOC 1) Type 2 report on controls over census data maintained by the plan.
The actuarial valuation report and certification letter specific to each employer are contained in the GASB Employer Reporting Package.
Additionally, the city and its auditor must become comfortable with the city’s fiduciary net position (FNP), the city’s “asset-side” of the net pension liability. To meet this requirement, the AICPA guidance includes a best practice solution:
- The plan (TMRS) prepares a schedule of changes in fiduciary net position, by employer; and
- The plan (TMRS) engages its auditor (KPMG) to issue an opinion on the schedule, as a whole, combined with a SOC 1 Type 2 report, on the controls over the calculation and allocation of additions and deductions to employer accounts.
TMRS has prepared the Schedule of Fiduciary Net Position, by city. It is available on the TMRS website on the Financial Reports page.
The SOC-1 Type 2 Audit
SOC-1 audits examine a service organization’s controls (TMRS’ controls) relevant to a user organization’s (TMRS city) internal controls over financial reporting. A SOC-1 Type 2 audit covers the suitability of control design, as well as the effectiveness of those controls, over a period of months.
In fall 2013, TMRS engaged external auditor KPMG to conduct its first SOC-1 Type 2 audit. TMRS and KPMG worked together to identify the control objectives that are critical for the proper administration of a public pension plan, including participant (city) census data, contributions, distributions, and the computer controls relevant to those processes (system maintenance, applications maintenance, logical access, backups, and physical access). Since the report contains detailed control processes, the SOC-1 report cannot be published or provided on the general TMRS website. The report (pdf) is accessible to cities via the TMRS City Portal.
SOC-1 reports generally contain four required sections, completed by TMRS, KPMG, or a combination of both parties:
- Section 1, completed by KPMG, is the Independent Service Auditor’s report or audit opinion which is the “conclusion” reached after all test work has been completed.
- Section 2, Management’s Assertion, completed by TMRS, contains TMRS’ assurance that controls have been monitored by management during the reporting period.
- Section 3, completed by TMRS, includes general information about the System/TMRS, organization structure/departments, and detailed narratives of the controls and procedures in place during the audit period.
- Section 4, completed jointly by TMRS and KPMG, contains a listing of the control objectives and their related controls. KPMG then provides the results of their testing, noting the operating effectiveness of those controls.
Many accounting functions at TMRS (the service organization) rely on the processes that occur at each employer/city (referred to in the SOC-1 audit report as “user entity”). In March 2014, TMRS provided a memorandum to all participating municipalities emphasizing the importance of the SOC-1 audit and the controls that should be in place at your city (“GASB Pension Standards and audit implications, including User Entity Controls"). These Complementary User Entity controls are also listed in Section 3 of the SOC-1 audit report. TMRS believes that these controls, at a minimum, should be in place at your city. For TMRS to be able to generate complete and accurate information, we need to receive complete and accurate information from your city (i.e., good data in = good data out). You and your city auditor must evaluate your own controls and determine if the User Entity Controls listed in the report are in place at your city and are operating effectively.
You and your city auditor should review the SOC-1 Audit Report on the TMRS City Portal and become familiar with its contents.
As noted in the AICPA guidance, the SOC-1 audit is one element of the procedures that you and your city auditor should follow to understand and become comfortable with the NPL recorded in your financial statements.
“The employer auditor is solely responsible for the audit of the employer’s financial statements, and therefore, is responsible for determining the sufficiency and appropriateness of audit evidence necessary to reduce audit risk to an appropriately low level.” We encourage you and your auditor to review the pension chapter of the AICPA State and Local Government Audit and Accounting Guide.
SOC-1 Audit Measurement Date and Coverage
In accordance with GASB Statements No. 67 and 68, TMRS’ consulting actuary, Gabriel Roeder Smith (GRS) completed the actuarial reporting valuation as of December 31. To correspond with the actuarial reporting valuation, TMRS assumes that participating employers (cities) will also be using a measurement date of December 31, which determines the net pension liability (NPL), for their financial reporting.
KPMG, LLP has now completed the third SOC-1 audit of the TMRS' processes covering the period of May 1, 2016 to April 30, 2017. The SOC-1 report covers the calendar year activities which generated inputs for the actuarial reporting valuation (as of December 31); in addition, it also covers the year-end processes used to determine the interest credit and allocation of funds for the Schedule of Fiduciary Net Position, by city.
The purpose of a bridge letter is for the service organization (TMRS) to provide information regarding internal controls from the end of the SOC-1 report through the city’s fiscal year-end. As the SOC-1 audit covers the measurement date of December 31, we do not anticipate that a bridge letter will be needed or requested by your city auditor.