Seeking SOC-1 Reports for 403(b) Audit
I’m in the process of locating a specific SOC-1 report for a 403(b) Audit I’m conducting. I already have the SOC-1 reports for the primary company, but several control objectives involve a subservice that has its own SOC-1. This subservice was recently acquired by a larger organization, and unfortunately, their website provides limited contact resources regarding this issue. I attempted to reach out to one of their contacts via email, but have yet to receive a reply.
Has anyone else faced challenges while trying to obtain SOC-1 reports? If so, did you find an effective way to get the information you needed, or did you simply resort to expanded testing? Thank you!
One response
It sounds like you’re in a challenging position while trying to get the necessary documentation for your Audit. Finding SOC-1 reports can indeed be tricky, especially if the subservice provider has recently been acquired and their communication avenues are limited.
Here are a few suggestions that might help you locate the SOC-1 report:
Reach Out to Your Main Company Contact: Since you already have the SOC-1s for the main company, consider reaching out to your contact there. They may have a better connection with the acquired subservice or may be able to provide guidance on how to obtain the report.
Utilize LinkedIn: If you haven’t already, try using LinkedIn to connect with employees or former employees of the subservice provider. They may be more responsive to direct outreach and could potentially guide you to the right person to contact.
Check with Your Audit Peer Network: If you’re involved in a professional group or network, consider reaching out to peers to see if anyone has encountered a similar situation. They might have insights or contacts that could help.
Contact the Acquiring Company: If the subservice provider has been acquired, you might want to try reaching out directly to the larger corporation. They may have taken over the responsibilities of the previous entity and could provide you with the necessary SOC-1 report.
Explore Third-Party SOC Report Portals: Sometimes, organizations upload their SOC reports to third-party sites for easier access. Platforms like the AICPA or other Accounting services might have resources that could lead you to the report.
Consider Expanded Testing: If all else fails and you’re running out of time, you might have to resort to expanded testing as part of your Audit. Make sure to document your attempts to obtain the SOC-1, as this will provide context for your findings.
Hopefully, one of these strategies will lead you to the report you need. Good luck with your audit!