Employee Benefit Plans News
Monitoring Third Party Employee Benefit Plan Administrators: Because You Cannot Outsource Responsibility
March 2010
By: Hannis T. Bourgeois, LLP
Employee benefit plan sponsors often outsource some portion of their plan’s processing to outside service providers. These third party administrators (TPAs) include bank trust departments, insurance companies, data processing service bureaus or benefits administrators. Some of the more commonly outsourced activities include payroll and participant activity recordkeeping.
The reasons are straightforward: Outsourcing these administrative functions can reduce costs and increase efficiencies.
Unfortunately, some plan sponsors mistakenly attempt to outsource their fiduciary duties to the outside service provider, as well.
Here’s how it happens:
The stretched-thin HR department of a large local employer is drowning in a sea of administrative duties required by the company’s popular 401(k) plan. Acting on the recommendation of a colleague, the HR director sends a request for proposals to several outside service providers. After extensive interviews and due diligence, management makes its choice and a portion of administrative duties is transferred to an out-of-state TPA. Everyone marvels at how “seamless” the conversion was and goes about their business. Unfortunately, this confidence in their TPA causes plan sponsors to lose sight of the continued importance of monitoring plan activity — as well as monitoring the performance of the outside service provider. No one really knows there’s a problem until notice of a compliance audit arrives from the Department of Labor.
The bottom line is this: While plan sponsors can outsource administrative functions, they cannot outsource their fiduciary responsibility to monitor the activities of third parties in connection with the maintenance of their qualified plans.
For example, plan sponsors have a fiduciary responsibility to ensure that:
- The TPA has established proper controls and procedures to ensure timely and accurate processing of plan transactions.
- Safeguards are in place to ensure that hosted data is secure.
- Data that the TPA processes is accurate and complete.
SAS-70: The Gold Standard
So, how do you know if a third-party service provider has adequate controls and safeguards in place?
Here, the gold standard is a SAS 70 Report.
In essence, this report is a detailed description of the TPA’s internal controls and an independent assessment of whether the controls were suitably designed and are operating effectively.
A SAS 70 Report is issued following an audit performed by an independent CPA or CPA firm that adheres to specific professional standards outlined in Statement on Auditing Standards (SAS) No. 70, Service Organizations. These standards were developed by the American Institute of Certified Public Accountants (AICPA).
Specifically, a “clean” SAS 70 report — meaning one with no reported internal control deficiencies — indicates that the provider has effective internal controls in place.
It is important to note, however, that there are two types of SAS 70 reports:
Type I: This basic overview contains the auditor’s report on whether the TPA’s description of its controls is accurate and whether the controls achieve specified objectives. In a Type I report, auditors haven’t yet tested controls to see if they’re operating as designed. Thus, plan sponsors should rely on a Type I SAS 70 report only to gain an understanding of the plan’s control environment.
Type II: Much more in-depth, a Type II report outlines not only the control objectives and related controls, but also the results of testing performed by auditors. The report will indicate any known weaknesses that may exist in the provider’s internal operating structure. Plan sponsors should insist on a Type II SAS 70 report for a comprehensive outline of the effectiveness of the TPA’s control framework and system procedures.
Why a SAS 70 Report Is Important
Contrary to popular belief, a SAS 70 report is not just “for the auditors.”
It outlines responsibilities. A SAS 70 report provides plan sponsors with a list of responsibilities (user controls) that the TPA is not assuming. This list outlines the controls plan sponsors need to have in place in order for the outside service organization’s controls to be effective. Common areas identified as the plan sponsors’ responsibility are areas relating to participant eligibility, vesting, timeliness and completeness of contributions, and loans in default status.
It prompts informed decisions. With this listing of user controls, plan sponsors can make informed decisions on their own controls. For example, if the company bookkeeper lacks controls over loan processing, internal controls may need to be implemented to ensure that loans are reported correctly.
It streamlines the audit process. During an audit of financial statements (for Form 5500 filings), auditors will ask to see a SAS 70 report for any outside service providers being used. Plan sponsors must verify that they have reviewed the report and have implemented the user controls listed in the report. Without this report, plan sponsors are likely to incur additional costs required to send auditors to the service organization to review its internal controls.
When to Ask for a SAS 70 Report
As part of due diligence. Of course, plan sponsors should request a SAS 70 report as part of the due diligence process when evaluating outside service organizations to perform services such as payroll processing, record keeping or trustee or custodian services. Here, it is critical to note that the TPA actually determines the scope of its SAS 70 Report. For example, it can limit the independent auditor’s testing to areas it knows have proper controls (and exclude testing areas it knows would show weaknesses).
When changing service providers. Increasingly, plan sponsors are making more frequent changes to service providers — often in response to what they view as unsatisfactory investment performance. Of course, not all service providers are created or operate equally. Thus, a current SAS 70 report can prove helpful in evaluating potential providers. But keep in mind that favorable reported returns do not guarantee strong internal controls within the service organization. The assurance that an independent auditor has tested the TPA’s internal controls greatly reduces the risk of investment mismanagement and noncompliance with the terms of the plan agreement and with the regulations.
As part of an annual review. Annually, plan sponsors should examine the effectiveness of their outside service providers and re-assess the authority and responsibilities that have been delegated to these third parties. A current SAS 70 report should provide needed detail about these areas.
Outsourcing Is NOT an Easy Out
Hiring an experienced TPA can make both economic and practical sense. However, it does not mean you’ve outsourced your fiduciary duties. Establishing strong controls and carefully monitoring plan administration will safeguard your employees’ retirement assets while ensuring proper execution of your fiduciary duties.
A SAS 70 Report can be a complex document. The HTB accounting professionals can walk you through this important report, as well as provide assistance in developing appropriate user controls for your plan.
Last Updated: August 31st, 2010

