When you receive a third-party administrator’s SAS 70 report, there are a few things you should know about the information it provides in order to gain the maximum benefit from reviewing it.
There are two types of service auditor’s reports provided in a SAS 70 audit: Type I and Type II. A Type I report gives a description of the controls in place at the service organization at a particular point in time. A Type II report not only gives the description of the controls, but also includes testing of these controls over a period of time that will not be less than six months (normally, a year is included in the report). The Type II report allows the user to review not only the controls in place at the service organization, but also how each of these controls is operating. If a certain control is not working properly, the user can mitigate the risk at the Plan level by implementing the controls needed to adequately protect the Plan participants. Additionally, the Plan trustee might determine that the service organization’s services are not adequate and that they should be replaced.
To review the controls in place at a service organization, find the section of the report that details the control objectives and related controls. Just so you can see how important the controls are at a service organization, I will provide a few examples of the control objectives being reviewed.
- Controls provide reasonable assurance that telephone calls from participants are authenticated and resulting transactions are processed by Customer Support Services in an accurate and timely manner.
- Controls provide reasonable assurance that monetary transactions are authorized and processed accurately, completely and timely in accordance with instructions received.
- Controls provide reasonable assurance that investment purchases and sales are processed accurately and timely.
- Controls provide reasonable assurance that participant account balances are valued based on market prices obtained from authorized pricing sources and investment income is accurately and timely allocated and recorded.
As you can see from the control objectives above, how controls are operating at a service organization is incredibly important to ensuring that a Plan participant’s 401k account, including his or her investments, is being managed and accounted for. As a user organization with fiduciary responsibilities, it is your responsibility to make sure that adequate controls in the above areas are in place.
The SAS 70 report is of great benefit to the user, who gains valuable knowledge of how the third-party administrator is operating and how well it is implementing the controls it has in place. The user also gains trust in the third-party administrator, knowing that someone independent of the organization has reviewed and tested the effectiveness of its controls. Another great benefit of having a SAS 70 report available is that it can assist the user’s auditor in reducing the audit procedures to be performed during the audit of the Plan’s financial statements.