What Does One Look for When Reviewing A SAS 70 Report?

Posted on January 19 2010 by admin

When one receives a third-party administrator’s SAS 70 report, there are a few things he or she should know about the information being provided in order to gain the maximum benefit from reviewing the report.

There are two types of service auditor’s reports provided in a SAS 70 audit: the Type I and Type II reports. A Type I report will give a description of controls in place at the service organization at a particular point in time. A Type II report not only gives the description of the controls, but also includes testing of these controls over a certain amount of time which will not be less than six months (normally, a year is included in the report). The Type II report allows the user of the report to review not only the controls in place at the service organization, but also how each of these controls is operating. If a certain control is not working properly, the user can mitigate the risk at the Plan level by implementing controls needed to adequately protect the Plan participants. Additionally, the Plan trustee might determine that the service organization’s services are not adequate and that they should be replaced.

To review the controls in place at a service organization, find the section of the report that details the control objectives and related controls. Just so you can see how important the controls are at a service organization, I will provide a few examples of the control objectives being reviewed.

  1. Controls provide reasonable assurance that telephone calls from participants are authenticated and resulting transactions are processed by Customer Support Services in an accurate and timely manner.
  2. Controls provide reasonable assurance that monetary transactions are authorized and processed accurately, completely and timely in accordance with instructions received.
  3. Controls provide reasonable assurance that investment purchases and sales are processed accurately and timely.
  4. Controls provide reasonable assurance that participant account balances are valued based on market prices obtained from authorized pricing sources and investment income is accurately and timely allocated and recorded.

As you can see by reading the control objectives above, how controls are operating at a service organization is incredibly important to ensuring that a Plan participant’s 401k account, including his or her investments, is being managed and accounted for. As a user organization with fiduciary responsibilities, it is your responsibility to make sure that adequate controls in the above areas are in place.

The SAS 70 is of great benefit to the user, as he or she is able to gain valuable knowledge of how the third-party administrator is operating and how well it is implementing the controls it has in place. The user also gains trust in the third-party administrator knowing that someone independent of the organization has reviewed and tested the effectiveness of its controls. Another great benefit to having a SAS 70 available is that the report is able to assist the user’s auditor in reducing the audit procedures to be performed during the audit of the Plan’s financial statements.

Shelby Williams
