|
| Winter 2008 |
Employee Benefit Plans Advisor
|
 |
SAS 70 - A Valuable Tool for Companies That Outsource
In today's competitive market, it is common for companies to consider
outsourcing for much of the administration of their employee benefit plans
(EBPs). The advantages are obvious - using a capable, experienced third party
administrator (TPA) can greatly reduce the plan sponsor's daily duties and time
spent on EBPs, so they can concentrate on other areas of managing the business.
On the other hand, outsourcing to an ineffective TPA, without adequate oversight
by management, may expose the company to substantial risk. To be sure, if you
outsource, it is imperative that you not lose sight of the continued importance
of monitoring the plan activity and the plan's TPA.
This is where a SAS 70 report can help. Many TPAs subject their operations to
an independent examination of their internal control and procedures. This
review, when performed, would be documented in a comprehensive report titled,
"Report on Controls Placed in Operation and Tests of Operating Effectiveness,"
also known as the SAS 70.
Many business owners mistakenly assume this is a report to be used solely by
their plan auditors, but it can also serve as a real key to management's
monitoring process. Essentially, it provides a comprehensive narrative
describing the control framework and system procedures. Further, if you opt for
a Type II SAS 70 report, you will receive the results of the testing that is
performed.
One section of the SAS 70 that is especially beneficial outlines user control
considerations - key areas that are often not subject to controls at TPAs; in
other words, in which the TPA is not assuming responsibility. The company needs
to ensure that they have controls in place to address these areas. Some of these
areas relate to participant eligibility, vesting, timeliness and completeness of
contributions and loans in default status.
Another misconception is that all SAS 70 reports are the same. This isn't
true. Because the scope of the report is determined by the TPA, they can limit
the independent auditor's testing to only those areas where they maintain strong
controls, excluding testing that could identify weaknesses. By carefully reading
the SAS 70, a plan sponsor should be able to identify areas where they are
relying on their TPA, but the control descriptions are inadequate or missing.
That said, monitoring is not an easy task. It should be the responsibility of
knowledgeable individuals at the company who can ensure that your employee
benefit plans are being properly maintained.
The current environment finds the federal government actively enforcing
compliance with complex rules, regulations and penalties. As well, class action
litigation suits are becoming the norm. Careful planning and establishing strong
controls over the administration of your employee benefit plans will not only
safeguard your employees' retirement assets, but will help you and your legal
counsel mitigate your company's fiduciary exposure.
If you'd like more information about monitoring, the AICPA Employee Benefit
Plan Audit Quality Center, (our own James E. Merklin serves on their Executive
Committee) recently issued a plan advisory entitled, "Effective Monitoring of
Outsourced Plan Recordkeeping and Reporting Functions." This plan advisory can
be viewed on the BMFC website at:
Monitoring of
Outsourced Plan May 07.pdf
Benefits Plan Advisor is produced quarterly by Bober, Markey,
Fedorovich & Company's Employee Benefits Group. If you would
like more information about the topic discussed above or the
services we provide, please call or email our team leader,
James E. Merklin, CPA, CFE, M.Acc.,
at 330-762-9785 or
jimm@bobermarkey.com.
|
