Seeking SOC-1 Reports for 403(b) Audit
I’m currently on the lookout for a specific SOC-1 report needed for a 403(b) Audit I’m conducting. I’ve managed to obtain the SOC-1 reports for the primary company, but it appears that several control objectives are covered by a subservice provider, which has its own SOC-1 report. This subservice was recently acquired by a larger corporation, but their website offers very limited options for contacting them regarding this issue. I attempted to reach out to one of their contacts via email, but unfortunately, I have not heard back.
Has anyone else faced challenges in locating SOC-1 reports? If so, how did you manage to find the information you needed—did you eventually locate the report or did you resort to expanded testing? Any insights would be greatly appreciated!
One response
It sounds like you’re in a bit of a tough spot, especially with the added challenge of the recent acquisition. Hunting down SOC-1 reports can indeed be tricky, particularly when a subservice provider is involved. Here are a few suggestions that might help you in your search:
Reach out to your main company contacts: Since you have the SOC-1s for the main company, try reaching out to your contacts there. They may have a direct line to someone in the acquired company or may be able to provide you with the SOC-1 you’re looking for.
LinkedIn networking: If you notice any employees from the subservice provider or the larger corporation on LinkedIn, consider connecting with them and sending a polite message asking for assistance in obtaining the SOC-1 report.
Professional groups or forums: If you’re part of any professional groups or forums (like those on LinkedIn or industry-specific networks), you might post your question there. Someone might have gone through a similar situation and could share their contacts or strategies.
Internal Audit or compliance teams: Sometimes, other departments within your organization may have had experiences with the same subservice provider. Check with internal Audit or compliance teams if they have a way to access these reports.
Consider expanded testing: If after all efforts you still can’t locate the SOC-1, it might be prudent to plan for expanded testing as a fallback. Document your efforts to obtain the report, as it could be helpful if you need to explain your Audit approach.
Navigating these situations can be frustrating, but persistence often pays off. Good luck!