Frequently Asked Questions:
Third Party Administrators (TPA) and SAS 70 Audits
SAS 70 audits have been performed on third party administrators (TPA) since the inception of the auditing standard in 1992. There are a number of key issues that all relevant parties associated with a SAS 70 audit should know about. From plan sponsors to the TPA themselves, everyone can learn about specific requirements and best-of-breed audit practices for ultimately creating a more efficient, high-quality SAS 70 audit process.
First and foremost, let's start with plan sponsors, who under the Employee Retirement Income Security Act (ERISA) have a fiduciary responsibility and requirement for properly monitoring services provided by a TPA. Plan sponsors need to make sure that a TPA is credible, both financially in terms of solvency and from an operational and skill perspective, meaning they can actually administer plans and process claims in a quality manner. Secondly, plan sponsors need to make sure they have done ample due diligence on the TPA, such as verifying that no criminal or civil lawsuits are pending against the actual TPA.
As for the TPA themselves, they should be accepting of the above conditions, but must also maintain a sound system of internal controls, at the least for SAS 70 audit compliance, but most importantly for the assurance that their core, daily operations are being run efficiently, with adequate checks, balances, controls and safeguards in place throughout the organization.
You can learn more about requirements for a TPA along with specific ERISA guidelines by visiting the official SAS 70 resource guide, where current and relevant information can be found on SAS 70 audits.
