Applicability of SAS 70 to Nonqualified Plan Administration Service Providers
What is a SAS 70 audit?
A SAS 70 audit predates Sarbanes-Oxley and was adopted to help
companies and their outside auditors determine the reliability of
information provided by third-party administrators (service
organizations). It is a highly specialized audit of the design and
operational effectiveness of a service organization's internal
controls over processing transactions. Two types of SAS 70 audits
exist: Type I and Type II.
Type I is commonly known as a Report on Controls Placed in
Operation or a Service Auditor's Report. This report provides
companies assurance regarding the controls and procedures a service
provider has implemented. Type II provides assurance regarding the
operational effectiveness of Type I controls over time.
SAS 70 is the definitive standard by which user organizations
(companies that use outsourced service providers) and their auditors
can gain comfort that controls at third-party service providers
are adequate to prevent or to detect a related material error
that could impact a user organization's financial statements.
Is a SAS 70 audit applicable to nonqualified benefit plan
administration?
It depends on the company. Most companies that sponsor nonqualified
benefit plans outsource plan administration functions to service
organizations such as benefit consulting firms, third-party administrators,
insurance brokers, or trust companies. While outsourcing can be
efficient, it can also add a layer of internal control risk that
must be evaluated.
A SAS 70 audit addresses this risk by evaluating
the internal controls of the service organization. For a variety
of reasons, the SAS 70 standard has often been misused, misapplied,
or ignored. It is not applicable to every service provided by
service organizations. It is only applicable if the service is
part of a user organization's information system. A service organization's
services are part of a company's information system if they materially
affect (1) how the company's information system captures events
and conditions that are significant to the financial statements,
or (2) the financial reporting process used to prepare the company's
financial statements.
For example, nonqualified plan information such as SFAS 87 expense
calculations and deferred compensation plan liability and asset
calculations could have material effects on a company's financial
statements; therefore, a SAS 70 audit could be applicable.
The outside auditor along with company management should determine
the need for a SAS 70 audit on a company's nonqualified benefit
plan administrator.
Is a SAS 70 audit required for nonqualified benefit plan
administration?
Although it is not required by law, in the world of Sarbanes-Oxley
many outside auditors of public companies are now mandating that
third-party administrators of nonqualified plans undergo annual SAS
70 audits.
In general, this decision involves determining the significance
to the financial statements of the information provided by service
organizations. The custody of assets also plays an important role
in the decision-making process.
How is RCG responding?
RCG's Plan Administration Solutions (PAS) database contains
several nonqualified plan administrators that undergo annual SAS
70 audits. RCG will continue to bring third-party administrator
status updates to its clients.