Statement on Standards for Attestation Engagements No. 16, otherwise known as SSAE 16, provides guidance for service auditors, or the independent audit firms that actually prepare reports on a service organization’s systems. (Auditing Standard No. 70 [SAS 70] was split into two new standards, SSAE 16 and AU-C 402 – Auditing Standard on the Use of Service Organizations.)

Although intended for service auditors, the issuance of the new guidance under SSAE 16 impacts you, the plan sponsor, as it changed the format and terminology of the report provided by the service auditor.

For purposes of EBP audits, plan sponsors will generally need to obtain the relevant SOC 1 reports, as these reports are intended for use by user entities and cover those internal controls relevant to financial reporting. Expect your plan auditor to request these during the planning phase of the audit for any of the plan’s significant transactions that are outsourced to service organizations.

You also have responsibilities related to these reports, as part of your required fiduciary duty, to provide oversight to the plan’s operations. Plan sponsors should generally perform the following:

1. Obtain all relevant SOC 1 reports for any outsourced services from the service organizations.

2. Review the key areas of the SOC 1 reports, including (a) the independent service auditor’s report, noting any qualifications, and (b) the general areas of testing performed by the service auditor. Watch for any noted qualifications and/or exceptions or deviations, as they could negatively impact the recording of the plan’s transactions and eventual plan reporting. If you note any such items, discuss these findings with the plan auditor and the service organization, if necessary, to determine any impact to the plan.

3. Review any carve-outs and identify those that are significant to the plan’s operations. (Carve-outs are for those subservice organizations used by the service organization to perform certain processes or services and, consequently, the subservice organization’s controls are not included within the SOC 1 report.) Work with your service organization and/or your auditor to identify these carve-outs. You may need to obtain additional reports to adequately cover the plan’s operations.

4. Review the user entity controls (formerly referred to as user controls under SAS 70) and confirm these controls, as applicable, have been implemented and are operating effectively as part of the plan’s operations. Any user entity controls not in place at the plan sponsor could have an adverse effect on the integrity of the data contained in the reporting documents.

Documentation of the performance of the above steps is a critical component of complying with your plan sponsor responsibilities and provides evidence of compliance with your oversight duties.



*This article originally appeared in BDO USA, LLP’s “EBP Commentator Summer 2013”. Written by Darlene Bayardo, Director, National Assurance Audit of Employee Benefit Plans, BDO CPA. Copyright © 2013 BDO USA, LLP. All rights reserved.