SAS70 Audits & Third Party Administrators (TPA) | What You Need to Know
SAS70 audits have been performed on third party administrators (TPAs) since the inception of the auditing standard in 1992. There are a number of key issues that all relevant parties associated with a SAS70 audit should know about. From plan sponsors to the TPAs themselves, everyone can learn about specific requirements and best-of-breed audit practices for creating a more efficient, high-quality SAS70 audit process.
First and foremost, let’s start with plan sponsors, who under the Employee Retirement Income Security Act (ERISA) have a fiduciary responsibility and requirement to properly monitor the services provided by a TPA. Plan sponsors need to make sure that a TPA is credible, both financially, in terms of solvency, and from an operational and skill perspective, meaning it can actually administer plans and process claims in a quality manner. Secondly, plan sponsors need to make sure they have done ample due diligence on the TPA, such as verifying that no criminal or civil lawsuits are pending against it.
As for the TPAs themselves, they should accept the above conditions, but must also maintain a sound system of internal controls, not least for SAS70 audit compliance, but most importantly for the assurance that their core, daily operations are being run efficiently, with adequate checks, balances, controls and safeguards in place throughout the organization.
You can learn more about SAS70 requirements for a TPA along with specific ERISA guidelines by visiting the official SAS70 resource guide, where current and relevant information can be found on SAS70 audits.
Moreover, sample SAS70 reports can be obtained from the SAS70 resource guide.
