Why Does My City Need a SOC Audit Report?

E-mail for GASB questions: Pension Accounting at TMRS
 

The System and Organization Controls (SOC) Audit Report is available on the TMRS City Portal. In this explanation, the “plan” is TMRS and “participants,” “employers,” and “users/user entities” are TMRS cities.

GASB 68

As a participant in TMRS, GASB Statement No. 68, “Accounting and Financial Reporting for Pensions – an Amendment of GASB Statement No. 27” requires your city to recognize a liability equal to the net pension liability (NPL) and record the related pension expense and deferred inflows and outflows of resources. GASB 68 also requires certain disclosures in your financial report as a participant in an agent multiple-employer plan.

The NPL is the result of the plan’s total pension liability subtracted from its fiduciary net position. Many of the records and calculations necessary for your city auditor to issue an opinion on the NPL and related disclosures are maintained only by TMRS. Therefore, your financial audit requires a coordinated approach in which TMRS’ external auditor performs certain procedures and your city auditor performs others. Your city’s external auditor has the ultimate responsibility for expressing an opinion on the NPL for your city.

The American Institute of Certified Public Accountants (AICPA) State and Local Government Audit and Accounting Guide (referenced here as AICPA guidance) provides governmental employers with best practice solutions for their audit and reporting requirements.

Total Pension Liability

The city and its auditor must obtain sufficient appropriate evidence regarding the city’s specific total pension liability, deferred outflows of resources, deferred inflows of resources, and pension expense. AICPA guidance includes a best practice solution to meet this requirement, which includes:

1. TMRS’ plan actuary (GRS) calculates the total pension liability and issues a separate actuarial valuation report specific to each employer, which includes an actuarial certification letter addressed to employer/city management; and
2. TMRS’ plan auditor (CliftonLarsonAllen or CLA) issues a System and Organization Controls (SOC 1 Type 2 or SOC) report on controls over census data maintained by the plan that is used by GRS in their actuarial valuation.

The actuarial valuation report and certification letter specific to each employer are included in the GASB Employer Reporting Package.

Fiduciary Net Position

Additionally, the city and its auditor must become comfortable with the city’s fiduciary net position (FNP), the city’s “asset-side” of the net pension liability calculation. To meet this requirement, the AICPA guidance includes a best practice solution:

1. TMRS prepares a schedule of changes in fiduciary net position, by employer (the Schedule);
2. TMRS’ auditor (CLA) issues an opinion on the Schedule as a whole; and
3. TMRS’ auditor (CLA) issues a SOC 1 Type 2 report on controls over the calculation and allocation of additions and deductions to employer accounts.

The Schedule of Changes in Fiduciary Net Position (by Participating City) is available on the TMRS website under Financial Reports.

The SOC 1 Type 2 Audit

SOC audits examine a service organization’s controls (TMRS’ controls) relevant to a user organization’s (TMRS city) internal controls over financial reporting. A SOC 1 Type 2 audit covers the suitability of control design, as well as the effectiveness of those controls, over a period of months.

Each year, TMRS has a SOC 1 Type 2 audit completed. TMRS and CLA work together to identify the control objectives that are critical for the proper administration of a public pension plan, including participant (city) census data, contributions, distributions, and the computer controls relevant to those processes (system maintenance, applications maintenance, logical access, backups, and physical access). Since the report contains detailed control processes, the SOC report cannot be published or provided on the general TMRS website. This and previous year's reports (pdf) are accessible to cities via the TMRS City Portal.

SOC reports generally contain four required sections, completed by TMRS, CLA, or a combination of both parties:

• Section 1, completed by CLA, is the Independent Service Auditor’s Report or audit opinion, which is the conclusion reached after all test work has been completed.
• Section 2, Management’s Assertion, completed by TMRS, contains TMRS’ assurance that controls have been monitored by management during the reporting period.
• Section 3, completed by TMRS, includes general information about the System/TMRS, organization structure/departments and detailed narratives of the controls and procedures in place during the audit period.
• Section 4, completed jointly by TMRS and CLA, contains a listing of the control objectives and their related controls. CLA then provides the results of their testing, noting the operating effectiveness of those controls.

Many accounting functions at TMRS (the service organization) rely on the processes that occur at each employer/city (referred to in the SOC audit report as “user entity”). These Complementary User Entity controls are listed in Section 3 of the SOC audit report. TMRS believes that these controls, at a minimum, should be in place at your city. For TMRS to be able to generate complete and accurate information, we need to receive complete and accurate information from your city (i.e., good data in = good data out). You and your city auditor must evaluate your own controls and determine if the User Entity Controls listed in the report are in place at your city and are operating effectively.

You and your city auditor should review the SOC Audit Report on the TMRS City Portal and become familiar with its contents.

As noted in the AICPA guidance, the SOC audit is one element of the procedures that you and your city auditor should follow to understand and become comfortable with the NPL recorded in your financial statements.

“The employer auditor is solely responsible for the audit of the employer’s financial statements, and therefore, is responsible for determining the sufficiency and appropriateness of audit evidence necessary to reduce audit risk to an appropriately low level.” Your city’s finance officer and your external auditor should review the pension chapter of the AICPA State and Local Government Audit and Accounting Guide.