Plan Administrators and SAS 70
Sheldon M. Geller
2006 - Many plan sponsors use third-party service providers
to help administer their participant-directed 401(k) plans
and other defined contribution plans, as well as to reduce
costs and increase efficiencies. These third-party plan
administrators provide recordkeeping, benefit payment, transaction
processing, and compliance services.
sponsors and their employees have a fiduciary duty to monitor
the activities of third parties and the delegation of authority
and responsibility in connection with the maintenance of
their qualified plans.
plan sponsors and their employees may not be familiar with
their fiduciary responsibilities regarding employee benefit
plans. These plan sponsors should seek legal counsel about
interpretations of specific actions and whether they are
in accordance with the fiduciary responsibilities.
that provide services are coming under substantial pressure
to better articulate, implement, and audit their own internal
controls. Since the passage of the Sarbanes-Oxley Act (SOA),
many plan sponsors have required that their third-party
plan administrators, custodians, and corporate trustees
demonstrate that they have adequate controls and safeguards.
An independent Statement on Auditing Standards (SAS) 70
audit report is one of the primary ways a service organization
can convey the validity of their internal controls, as well
as a way for plan sponsors to monitor the delegation of
authority and responsibility.
70, Service Organizations, provides an independent
audit of a third-party plan administrative company processing
plan transactions. The plan auditor describes controls and
procedures with respect to the outsourced administrative
functions to the third-party plan administrator. Employee
Retirement Income Security Act (ERISA) fiduciaries may monitor
the activities of their third-party plan administrator by
conducting on-site visits and reviewing the provider’s
SAS 70 report. Furthermore, plan sponsors should annually
reassess the effectiveness of their third-party service
provider’s relationship and the third party’s
delegated authority and responsibilities.
SAS 70 audit may be performed only by an independent CPA
or CPA firm. CPA firms that perform SAS 70 audits must adhere
to specific AICPA professional standards. They must follow
specific guidance related to the planning, execution, and
supervision of the audit procedures and must undergo a peer
review to ensure that the firm’s audits are conducted
in accordance with generally accepted auditing standards
third-party plan administrators do not maintain an SAS 70
report issued by an independent auditor, which makes it
more difficult for a plan sponsor and ERISA fiduciaries
to monitor an administrative delegation of authority and
fiduciaries may rely on a Type I SAS 70 report just to gain
an understanding of the plan’s control environment.
Only a Type II SAS 70 report may be relied upon by ERISA
fiduciaries to reduce the scope of their monitoring third-party
plan administrators. Furthermore, only an SAS 70 performed
by a licensed CPA firm may be relied upon by another CPA
firm that performs a financial audit of the plan. Certain
plans must attach a financial audit report to IRS Form 5500.
A Type II SAS 70 report should be the only type relied upon
by plan sponsors.
plan sponsors and ERISA fiduciaries should monitor any delegation
of authority or responsibility with respect to the investment
of plan assets. In other words, ERISA fiduciaries should,
at least annually, review the delegation for the selection
and maintenance of investment fund options to registered
investment advisors, as well as the delegation for the safekeeping
of plan assets to custodians or corporate trustees.
sponsors and ERISA fiduciaries should regularly review and
document the rigors of their plan processes and the integrity
of their systems, as well as those of the corporate trustees,
custodians, and mutual fund managers utilized by their plans.
Plan sponsors must remove any possible conflicts of interest
that would influence how they select and monitor the investments
they offer under their participant-directed plans. Plan
sponsors should select funds based upon merit and independent
in regulatory environment and a demand for full disclosure
have changed the way plan sponsors should approach their
defined contribution plans. Plan sponsors must have a strategy
to manage their fiduciary responsibility. Service providers
should provide transparency and disclosure to plan sponsors
for the services they provide and the fees and other remuneration
they receive as a result of plan asset investments.
sponsors should work with mutual fund managers, corporate
trustees, and custodians who have embraced “doing
the right thing for the plan” as a guiding principle.
M. Geller, Esq., is managing director of the Geller
Group Ltd., New York, N.Y.