Why Does My City Need a SOC Audit Report?
E-mail for GASB questions: Pension Accounting at TMRS
The System and Organization Controls (SOC) Audit Report is available on the TMRS City Portal. In this explanation, the “plan” is TMRS and “participants,” “employers,” and “users/user entities” are TMRS cities.
For all fiscal years ending after June 15, 2015, GASB 68 requires your city to record a net pension liability (NPL) or net pension asset (NPA); and being in TMRS requires that you include disclosures in your financial report as a participant in an agent multiple-employer plan. Many of the records and calculations necessary for your city auditor to issue an opinion on the NPL and related disclosures are maintained only by TMRS. Therefore, your financial audit requires a coordinated approach in which TMRS’ external auditor performs certain procedures and your city auditor performs others. Your city’s external auditor has the ultimate responsibility for expressing an opinion on the NPL for your city.
The American Institute of Certified Public Accountants (AICPA) State and Local Government Audit and Accounting Guide (referenced here as AICPA guidance) provides governmental employers with best practice solutions for their audit and reporting requirements.
The city and its auditor must obtain sufficient appropriate evidence regarding the city’s specific total pension liability, deferred outflows of resources, deferred inflows of resources, and pension expense. AICPA guidance includes a best practice solution to meet this requirement, which includes:
- The plan actuary (for TMRS, this is GRS) issues a separate actuarial valuation report specific to each employer, which includes an actuarial certification letter addressed to employer/city management; and
- The plan (TMRS) engages its auditor (CliftonLarsonAllen or CLA) to issue a System and Organization Controls (SOC 1 Type 2 or SOC) report on controls over census data maintained by the plan.
The actuarial valuation report and certification letter specific to each employer are included in the GASB Employer Reporting Package.
Additionally, the city and its auditor must become comfortable with the city’s fiduciary net position (FNP), the city’s “asset-side” of the net pension liability. To meet this requirement, the AICPA guidance includes a best practice solution:
- The plan (TMRS) prepares a schedule of changes in fiduciary net position, by employer; and
- The plan (TMRS) engages its auditor (CLA) to issue an opinion on the schedule, as a whole, combined with a SOC 1 Type 2 report, on the controls over the calculation and allocation of additions and deductions to employer accounts.
TMRS has prepared the Schedule of Changes in Fiduciary Net Position (by Participating City). It is available on the TMRS website under Financial Reports.
The SOC 1 Type 2 Audit
SOC audits examine a service organization’s controls (TMRS’ controls) relevant to a user organization’s (TMRS city) internal controls over financial reporting. A SOC 1 Type 2 audit covers the suitability of control design, as well as the effectiveness of those controls, over a period of months.
Each year, TMRS has a SOC 1 Type 2 audit completed. TMRS and CLA work together to identify the control objectives that are critical for the proper administration of a public pension plan, including participant (city) census data, contributions, distributions, and the computer controls relevant to those processes (system maintenance, applications maintenance, logical access, backups, and physical access). Since the report contains detailed control processes, the SOC report cannot be published or provided on the general TMRS website. This and previous year's reports (pdf) are accessible to cities via the TMRS City Portal.
SOC reports generally contain four required sections, completed by TMRS, CLA, or a combination of both parties:
- Section 1, completed by CLA, is the Independent Service Auditor’s report or audit opinion which is the conclusion reached after all test work has been completed.
- Section 2, Management’s Assertion, completed by TMRS, contains TMRS’ assurance that controls have been monitored by management during the reporting period.
- Section 3, completed by TMRS, includes general information about the System/TMRS, organization structure/departments and detailed narratives of the controls and procedures in place during the audit period.
- Section 4, completed jointly by TMRS and CLA, contains a listing of the control objectives and their related controls. CLA then provides the results of their testing, noting the operating effectiveness of those controls.
Many accounting functions at TMRS (the service organization) rely on the processes that occur at each employer/city (referred to in the SOC audit report as “user entity”).These Complementary User Entity controls are listed in Section 3 of the SOC audit report. TMRS believes that these controls, at a minimum, should be in place at your city. For TMRS to be able to generate complete and accurate information, we need to receive complete and accurate information from your city (i.e., good data in = good data out). You and your city auditor must evaluate your own controls and determine if the User Entity Controls listed in the report are in place at your city and are operating effectively.
You and your city auditor should review the SOC Audit Report on the TMRS City Portal and become familiar with its contents.
As noted in the AICPA guidance, the SOC audit is one element of the procedures that you and your city auditor should follow to understand and become comfortable with the NPL recorded in your financial statements.
“The employer auditor is solely responsible for the audit of the employer’s financial statements, and therefore, is responsible for determining the sufficiency and appropriateness of audit evidence necessary to reduce audit risk to an appropriately low level.” Your city’s finance officer and your external auditor should review the pension chapter of the AICPA State and Local Government Audit and Accounting Guide.
SOC Audit Measurement Date and Coverage
In accordance with GASB Statements No. 67 and 68, TMRS’ consulting actuary, GRS, completed the actuarial reporting valuation as of December 31. To correspond with the actuarial reporting valuation, TMRS assumes that participating employers (cities) will also be using a measurement date of December 31, which determines the net pension liability (NPL), for their financial reporting.
CLA has now completed the seventh SOC audit of the TMRS' processes covering the period of May 1, 2020 to April 30, 2021. The SOC report covers the calendar year activities which generated inputs for the actuarial reporting valuation (as of December 31). It also covers the year-end processes used to determine the interest credit and allocation of funds for the Schedule of Changes in Fiduciary Net Position (by Participating City).