Back to blog

SOC 1 Type II Reports: A Critical Tool for Fund Oversight and Assurance

Posted on Jun 11, 2025

As fund managers face growing scrutiny from investors and regulators, independent validation of operational processes has become a key element of financial oversight. One of the most widely recognized tools for assessing third-party service provider controls is the SOC 1 Type II report.

The SOC 1 Type II report plays a central role in the relationship between fund managers, their administrators and external auditors.

What is a SOC 1 Type II Report?

A SOC 1 (System and Organization Controls 1) report is issued under standards developed by the American Institute of Certified Public Accountants (AICPA). It evaluates the design and effectiveness of internal controls at service organizations that impact a client’s internal control over financial reporting (ICFR).

There are two types of reports:

  • A Type I report assesses whether controls are suitably designed at a specific point in time.
  • A Type II report assesses not only design but also the operating effectiveness of those controls over a defined review period—typically six to twelve months.

In fund administration, this includes controls around accounting processes, NAV calculations, cash processing, capital activity, and investor reporting.

What the Report Covers

A report from a fund administrator typically includes:

  • A description of the administrator’s systems and services
  • Management’s assertion regarding the design and operation of controls
  • The independent auditor’s opinion on the effectiveness of the controls
  • Specific control objectives relevant to financial reporting
  • Testing procedures and results over the review period
  • Disclosure of any exceptions or deficiencies identified during testing

The scope and level of detail are defined by the services provided and the administrator’s internal control environment.

Relevance to Fund Administration

In fund administration, a wide range of activities can affect the accuracy of financial reporting. These include:

  • Daily, monthly or quarterly net asset value (NAV) calculations
  • Capital activity processing
  • Investor allocations and fee calculations
  • Cash and position reconciliations
  • General ledger maintenance and reporting
  • Financial statement preparation
  • Investor communications

The SOC 1 Type II report evaluates the control environment surrounding these activities, providing an independent opinion on whether the controls operated effectively during the review period.

Reliance by Investors

Institutional investors increasingly request SOC 1 Type II reports during operational due diligence. These reports help them evaluate the robustness of a fund’s service provider oversight, particularly in areas that impact financial reporting, investor allocations, and controls over fund accounting.

However, SOC 1 Type II reports are classified as restricted-use reports under AICPA standards. They are formally intended for:

  • Management of the service organization (e.g., the administrator)
  • User entities (e.g., the fund or fund manager)
  • Auditors of user entities
  • Regulators or other parties who have a sufficient understanding of the control environment and a legitimate need to rely on the report

Because investors typically do not qualify as “user entities,” managers should not broadly distribute the full report to them. Fund managers must assess whether the investor’s role and purpose qualify them to access the report.

Reliance by External Auditors

External auditors use SOC 1 Type II reports when planning and performing audits of a fund’s financial statements. When a fund administrator has an active SOC 1 Type II report, the auditor can evaluate whether they can place reliance on the administrator’s controls as part of their audit risk assessment.

This may influence the extent of testing auditors perform on administrator-prepared data and records. If no such report is available, auditors often need to apply alternate procedures or request additional evidence which can cost fund managers additional fees.

Key Considerations When Reviewing a Report

When a fund manager or auditor reviews a SOC 1 Type II report, key considerations include:

  • Scope: What services and systems are covered?
  • Control Objectives: Are they relevant to financial reporting?
  • Testing Period: Does the coverage align with the fund’s reporting timeline?
  • Exceptions: Were any control failures or issues identified?
  • Frequency: Is the report performed annually and kept current?

Careful evaluation helps stakeholders understand the level of assurance provided and any limitations that may apply.

Conclusion

The SOC 1 Type II report provides independent, third-party assurance over the design and operating effectiveness of internal controls at a service organization. Fund managers and external auditors widely use it in fund administration to evaluate the reliability of processes that impact financial reporting.

As regulatory expectations increase and due diligence becomes more rigorous, the SOC 1 Type II report has become an established part of the governance and oversight framework within the funds industry.

If you have any questions about please contact David Smith at dsmith@pinnaclefundservices.com or 1-604-559-8921.