Third-Party Plan Administrators and SAS 70
By Sheldon M. Geller
FEBRUARY 2006

Many plan sponsors use third-party service providers to help administer their participant-directed 401(k) plans and other defined contribution plans, as well as to reduce costs and increase efficiencies. These third-party plan administrators provide recordkeeping, benefit payment, transaction processing, and compliance services.
Plan sponsors and their employees have a fiduciary duty to monitor the activities of third parties and the delegation of authority and responsibility in connection with the maintenance of their qualified plans.
Many plan sponsors and their employees may not be familiar with their fiduciary responsibilities regarding employee benefit plans. These plan sponsors should seek legal counsel about interpretations of specific actions and whether they are in accordance with the fiduciary responsibilities.
Organizations that provide services are coming under substantial pressure to better articulate, implement, and audit their own internal controls. Since the passage of the Sarbanes-Oxley Act (SOA), many plan sponsors have required that their third-party plan administrators, custodians, and corporate trustees demonstrate that they have adequate controls and safeguards. An independent Statement on Auditing Standards (SAS) 70 audit report is one of the primary ways a service organization can convey the validity of its internal controls, as well as a way for plan sponsors to monitor the delegation of authority and responsibility.
SAS 70 Audits

SAS 70, Service Organizations, provides an independent audit of a third-party plan administrative company processing plan transactions. The plan auditor describes controls and procedures with respect to the administrative functions outsourced to the third-party plan administrator. Employee Retirement Income Security Act (ERISA) fiduciaries may monitor the activities of their third-party plan administrator by conducting on-site visits and reviewing the provider's SAS 70 report. Furthermore, plan sponsors should annually reassess the effectiveness of their third-party service provider's relationship and the third party's delegated authority and responsibilities.
An SAS 70 audit may be performed only by an independent CPA or CPA firm. CPA firms that perform SAS 70 audits must adhere to specific AICPA professional standards. They must follow specific guidance related to the planning, execution, and supervision of the audit procedures and must undergo a peer review to ensure that the firm's audits are conducted in accordance with generally accepted auditing standards (GAAS).
Many third-party plan administrators do not maintain an SAS 70 report issued by an independent auditor, which makes it more difficult for a plan sponsor and ERISA fiduciaries to monitor an administrative delegation of authority and responsibility.
ERISA fiduciaries may rely on a Type I SAS 70 report only to gain an understanding of the plan's control environment. Only a Type II SAS 70 report may be relied upon by ERISA fiduciaries to reduce the scope of their monitoring of third-party plan administrators. Furthermore, only an SAS 70 performed by a licensed CPA firm may be relied upon by another CPA firm that performs a financial audit of the plan. Certain plans must attach a financial audit report to IRS Form 5500. A Type II SAS 70 report should be the only type relied upon by plan sponsors.
Similarly, plan sponsors and ERISA fiduciaries should monitor any delegation of authority or responsibility with respect to the investment of plan assets. In other words, ERISA fiduciaries should, at least annually, review the delegation for the selection and maintenance of investment fund options to registered investment advisors, as well as the delegation for the safekeeping of plan assets to custodians or corporate trustees.
Plan Sponsors' Responsibilities

Plan sponsors and ERISA fiduciaries should regularly review and document the rigor of their plan processes and the integrity of their systems, as well as those of the corporate trustees, custodians, and mutual fund managers utilized by their plans. Plan sponsors must remove any possible conflicts of interest that would influence how they select and monitor the investments they offer under their participant-directed plans. Plan sponsors should select funds based upon merit and independent due-diligence criteria.
A change in the regulatory environment and a demand for full disclosure have changed the way plan sponsors should approach their defined contribution plans. Plan sponsors must have a strategy to manage their fiduciary responsibility. Service providers should provide transparency and disclosure to plan sponsors for the services they provide and the fees and other remuneration they receive as a result of plan asset investments.
Plan sponsors should work with mutual fund managers, corporate trustees, and custodians who have embraced "doing the right thing for the plan" as a guiding principle.

Sheldon M. Geller, Esq., is managing director of the Geller Group Ltd., New York, N.Y.