SAS No. 70 provides guidance on the factors an independent auditor should consider when auditing the financial statements of an entity that uses a service organization to process certain transactions. It also provides guidance for independent auditors who issue reports on the processing of transactions by a service organization for use by other auditors. This section discusses SAS No. 70 issues specific to audits of employee benefit plans.
SAS No. 70 Reports and Service Organizations
Most employee benefit plans use service organizations (bank trustees, insurance companies or benefits administrators, for instance) to process transactions and maintain plan records. Often SAS No. 70 Type II reports are obtained and used by the auditor to reduce the amount of substantive testing required.
Auditors often do not perform or document their evaluations of the extent of the evidence provided by the report regarding the effectiveness of controls for particular financial statement assertions and of its effect on audit strategy, including determination of the nature, timing and extent of substantive tests for particular audit objectives. An evaluation of user organization controls that are contemplated in the design of the service organization's controls and recommended in the service organization's description of controls in the SAS No. 70 report should also be performed.
For service organizations that do not issue a current Type II SAS No. 70 report, the working papers should contain sufficient documentation of the auditor's understanding of the control environment at the organization and the results of the auditor's evaluation of the effectiveness of control policies and procedures sufficient to support the planned reliance approach.
See chapter 6 of the AICPA Audit and Accounting Guide Employee Benefit Plans for further discussion of internal controls.
Outsourcing of Certain Administrative Functions
Employee benefit plan sponsors have typically used third-party service providers in some capacity to assist in administering their plans. With the trend toward company downsizing and increased reliance on technology, many plan sponsors are increasingly turning to outsourcing as a way to reduce costs and increase efficiencies of administering employee benefit plans. Examples include recordkeeping and/or benefit payments or claims processed by outside service organizations, such as bank trust departments, data processing service bureaus, insurance companies, and benefits administrators.
Many plan sponsors and their employees may not be familiar with their fiduciary responsibilities regarding employee benefit plans. Auditors should refer plan sponsors to their plan legal counsel for interpretations of specific actions and how these may or may not be in accord with their fiduciary responsibilities.
SAS No. 70, Service Organizations
SAS No. 70, Service Organizations (AICPA, Professional Standards, vol. 1, AU sec. 324), as amended, provides guidance on the factors an independent auditor should consider when auditing the financial statements of a plan that uses a service organization to process certain transactions. Often, the plan does not maintain independent accounting records of transactions executed by the service provider. For example, many plan sponsors no longer maintain participant enrollment forms detailing the contribution percentage and the allocation by fund option. These amounts can be changed by telephone or over the Internet without any record. In such situations, the auditor may not be able to obtain a sufficient understanding of internal control, as executed by the service organization, to plan the audit and determine the nature, timing, and extent of testing to be performed without considering those components of internal control maintained by the service organization. This understanding can be efficiently achieved by obtaining and reviewing a report prepared in accordance with SAS No. 70. When an SAS No. 70 report is unavailable, see chapter 6 of the Employee Benefit Plans Audit and Accounting Guide for guidance.
The auditor should read the entire SAS No. 70 document to determine what was reviewed and tested and over what period and whether there are any instances of noncompliance with the service organization's controls identified in either (1) the service auditor's report or (2) the body of the document (where the results of testing are described).
If the service organization's SAS No. 70 report identifies instances of noncompliance with the service organization's controls, the plan auditor should consider the effect of the findings on the assessed level of control risk for the audit of the plan's financial statements and, as a result, the plan auditor may decide to perform additional tests at the service organization or, if possible, perform additional audit procedures at the plan. In certain situations, the SAS No. 70 report may identify instances of noncompliance with the service organization's controls but the plan auditor concludes that no additional tests or audit procedures are required because the noncompliance does not affect the assessment of control risk for the plan.
The plan auditor should also read the description of controls to determine whether complementary user organization controls are required (for example, at the plan sponsor level) and whether they are relevant to the service provided to the plan. If they are relevant to the plan, the plan auditor should consider such information in planning the audit. The plan auditor should consider the need to document and test such user organization controls. While the plan sponsor may have outsourced administrative functions to a third party, the plan sponsor still has a fiduciary duty to monitor the activities of the third party. Examples of such monitoring controls, which should be considered in planning and performing the audit, may include:
- Review of the third-party service provider's SAS No. 70 report
- Fluctuation analysis or reasonableness review of periodic third-party service provider reports, with reconciliations with and comparisons to client data
- Predetermined communication, escalation, and "follow-up" procedures in the event of an issue or problem
- Periodic review of financial and control measures included in the third-party service provider contract
- On-site visits to the third-party service provider
Use of Another Service Organization to Perform Certain Functions
A service organization may use another service organization to perform functions or processing that is part of the plan's information system as it relates to an audit of the financial statements. The subservice organization can either be a separate entity or be related to the service organization. To plan the audit and assess control risk, the plan auditor may need to consider both the controls at the service organization and those at the subservice organization, depending on the functions each performs. For further guidance on subservice organizations, see chapter 6 of the Employee Benefit Plan Audit and Accounting Guide and chapter 5 in the AICPA Audit Guide Service Organizations: Applying SAS No. 70, as Amended.
SAS No. 70 Resources
The AICPA has the following SAS 70 publications available:
- Service Organizations: Applying SAS No. 70, as Amended – This Audit Guide, updated with conforming changes as of May 1, 2009, provides guidance to service auditors engaged to issue reports on a service organization's controls and to user auditors engaged to audit the financial statements of entities that use service organizations.
- SAS 70 Reports and Employee Benefit Plans – This publication provides guidance on the use of SAS 70 reports in employee benefit plan audits and specifically addresses issues relating to:
  - The circumstances under which a SAS 70 report should be obtained
  - How SAS 70 reports should be considered in a limited-scope audit
  - The implications of sub-service arrangements
  - Reading and understanding how a SAS 70 report affects your audit, including:
    - The procedures you should perform to understand the scope of the service auditor's work and whether that scope is adequate for your purpose
    - The procedures you should perform to evaluate the results of tests of controls
    - How to develop an appropriate audit response for identified testing exceptions and control deficiencies