Decoding SOC Reports
A Fiduciary’s Guide to Vendor Oversight
In my 15 years of securing global financial infrastructure, I’ve seen countless fiduciaries treat System and Organization Controls (SOC) reports like a “get out of jail free” card. They believe that if their record keeper or TPA provides a SOC 2 report, the fiduciary responsibility for security has been successfully delegated.
This is a dangerous misconception.
Under ERISA, you can delegate tasks, but you can never delegate the responsibility for monitoring those tasks. The DOL’s audit samples explicitly ask for SOC 1 or SOC 2 reports for a reason: they want to see if you have the “Prudent Person” skills to spot the vulnerabilities hidden in your vendor’s own audit.
The Two Flavors of Trust: SOC 1 vs. SOC 2
To vet your vendors, you must first understand the two primary types of reports you will encounter in a plan audit.
1. SOC 1: The Financial Integrity Report
A SOC 1 report focuses on controls that impact financial reporting.
The Fiduciary Focus: This report tells you if the vendor can accurately process payroll, investments, contributions, and distributions without errors.
Why it Matters: If your recordkeeper’s SOC 1 carries a “qualified opinion,” the auditor found controls over financial processing that were not designed or operating effectively, so the figures the vendor produces cannot be relied on without further work—a massive red flag for any plan sponsor.
2. SOC 2: The Cybersecurity Report
A SOC 2 report focuses on the “Trust Services Criteria”: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
The Fiduciary Focus: This is your “Cybersecurity SOC”. It tells you if the vendor’s walls are strong enough to keep hackers away from your participants’ PII and PHI.
The “Common Criteria”: Of the five categories, only Security (the “Common Criteria”) is mandatory in a SOC 2 report; the other four are optional and are included only if the vendor chooses to put them in scope. If your vendor excludes “Privacy” or “Availability,” you need to ask why that criterion was left out.
Type I vs. Type II: A “Snapshot” vs. a “Movie”
Both SOC 1 and SOC 2 reports come in two “Types.” Understanding the difference is critical for your Audit Readiness.
Type I (The Snapshot): This evaluates if the controls are designed correctly as of a specific date. It doesn’t tell you if they actually work over time.
Type II (The Movie): This is the gold standard. It tests the operating effectiveness of those controls over a period (usually 6–12 months).
My Strategy: Never accept a Type I report for an ongoing relationship. The DOL expects a Type II report to prove that the vendor’s security didn’t just work on the day the auditor showed up, but was effective all year long.
The “Fiduciary Cheat Sheet”: 4 Things to Look For
When you receive a 100-page SOC report, don’t get bogged down in the technical weeds. Go straight to these four sections to fulfill your duty to monitor.
1. The Auditor’s Opinion (The “Grade”)
Flip to the very beginning. You are looking for an “Unqualified Opinion”—this is a “clean” bill of health.
Red Flag: If the opinion is “Qualified,” “Adverse,” or a “Disclaimer,” the auditor found significant issues. You must document what those issues were and how the vendor is fixing them. Even a clean opinion can sit on top of individual testing exceptions listed in the auditor’s test results section, so read those exceptions and the vendor’s responses as well.
2. Complementary User Entity Controls (CUECs)
This is the most important section for your own liability. CUECs are the security tasks that the vendor doesn’t do for you.
The “Your Responsibility” List: For example, a recordkeeper’s SOC report might say: “We secure the portal, but it is the Plan Sponsor’s responsibility to terminate user access when an HR employee leaves the company.”
The Audit Gap: If you haven’t implemented your end of these CUECs, the vendor’s “clean” SOC report won’t protect you in a DOL audit.
3. Subservice Organizations (The “Carve-Out”)
Many recordkeepers outsource their own hosting to companies like AWS or Microsoft Azure.
The Risk: If the vendor uses the “carve-out” method for these subservices, their SOC report does not cover the security of the actual servers where your data lives; instead it lists Complementary Subservice Organization Controls (CSOCs) that the vendor simply assumes the hosting provider performs. You may need to request the SOC reports for those subservice organizations as well and confirm they cover the assumed controls.
4. The “Bridge Letter” (The Gap)
SOC reports are usually issued once a year and may not align with your plan’s fiscal year.
The Solution: If a report ends in September but your year ends in December, you must request a “Bridge Letter” (or Gap Letter). This is a signed statement from the vendor confirming that no significant changes occurred in their controls during that gap. Note that a bridge letter is management’s own representation, not an auditor’s tested opinion, so it is only suitable for covering a short gap until the next report is issued.
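The four checks above, as an added example that is my own illustration and not part of the original post or any DOL material: a small Python review helper that records what a vendor’s report says and returns the documented findings a sponsor would carry into the audit file, including the coverage gap against the plan year that a bridge letter has to close. The vendor name, dates, carve-out and CUECs are constructed.

```python
from dataclasses import dataclass, field, replace
from datetime import date
from typing import Dict, List, Optional

@dataclass
class SocReport:
    vendor: str
    report_type: int            # 1 = design as of a date, 2 = operating effectiveness over a period
    opinion: str                # "unqualified", "qualified", "adverse" or "disclaimer"
    period_start: date
    period_end: date
    carved_out: List[str] = field(default_factory=list)      # subservice orgs excluded from scope
    cuecs: Dict[str, bool] = field(default_factory=dict)      # CUEC text -> sponsor has implemented it?
    bridge_letter_through: Optional[date] = None              # end date a bridge/gap letter covers, if any

def review_soc(report: SocReport, fy_start: date, fy_end: date) -> List[str]:
    """Return the sponsor's findings for one vendor report measured against one plan year."""
    findings = []
    if report.report_type != 2:
        findings.append("Type I only: request a Type II report covering the plan year")
    if report.opinion.lower() != "unqualified":
        findings.append(f"{report.opinion} opinion: document the exceptions and the vendor's remediation")
    for control, implemented in report.cuecs.items():
        if not implemented:
            findings.append(f"CUEC not implemented by sponsor: {control}")
    for sub in report.carved_out:
        findings.append(f"Carve-out: obtain the SOC report for subservice organization {sub}")
    # Coverage check: the report period plus any bridge letter must span the whole plan year.
    covered_to = max(report.period_end, report.bridge_letter_through or report.period_end)
    if report.period_start > fy_start:
        findings.append(f"{(report.period_start - fy_start).days} days at the start of the plan year are not covered")
    if covered_to < fy_end:
        findings.append(f"{(fy_end - covered_to).days} days at the end of the plan year are not covered: request a bridge letter")
    return findings

# Constructed sample: a fictional recordkeeper whose report period (Oct 2023 to Sep 2024) does not line up
# with a calendar plan year, hosts in a carved-out cloud, and has one CUEC the sponsor never implemented.
SAMPLE_REPORT = SocReport(
    vendor="Example Recordkeeping LLC (fictional)", report_type=2, opinion="Unqualified",
    period_start=date(2023, 10, 1), period_end=date(2024, 9, 30),
    carved_out=["cloud hosting provider (fictional)"],
    cuecs={"Terminate portal access when an HR user leaves": False,
           "Restrict contribution-file upload rights to named payroll staff": True},
)

def example_findings(with_bridge_letter: bool = False) -> List[str]:
    """Review the sample against a calendar-year plan, optionally with a bridge letter through year end."""
    report = replace(SAMPLE_REPORT, bridge_letter_through=date(2024, 12, 31)) if with_bridge_letter else SAMPLE_REPORT
    return review_soc(report, date(2024, 1, 1), date(2024, 12, 31))

if __name__ == "__main__":
    for line in example_findings():
        print("-", line)
```

Without a bridge letter the sample produces a 92-day gap at the end of the plan year; with one through December 31 the gap finding disappears while the CUEC and carve-out findings remain.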
Conclusion: Trust, but Verify
The Department of Labor’s audit questions regarding SOC reports are designed to see if you are truly monitoring your service providers or just “passing the buck”. By performing a documented review of these reports, noting any deficiencies, and implementing your CUECs, you move from a state of “Blind Trust” to Fiduciary Sovereignty.
Don’t let a 100-page PDF intimidate you. Use it as the “Prudent Person” tool it was meant to be.
I’ve secured $1 quadrillion in assets. Let me secure your plan.
If your organization lacks the senior security leadership the DOL expects, I can help. I provide fractional CISO advisory to ensure your participants’ futures are protected and your program is audit-ready.
Fractional CISO: High-Stakes Security for Your Fiduciary Future
As a plan sponsor, you are legally responsible for the “prudent mitigation” of cybersecurity risks. But in a world of complex cloud systems, AI-driven fraud, and aggressive DOL audits, most fiduciaries feel they are flying blind.