Fiduciary Responsibilities for Your ERISA Compliance Plan
Under ERISA, plan sponsors and plan administrators utilizing Third Party Administrators (TPA) and other outsourced providers have a fiduciary responsibility in properly monitoring services provided by these organizations. Thus, it’s paramount that your ERISA compliance plan for outsourcing consists of properly selecting, monitoring, communicating, and assessing your relationship with third party vendors providing support to your organization’s benefit plans. A good place to start is asking a TPA for their SAS 70 audit, which should highlight significant and relevant characteristics of their internal controls for ensuring an acceptable ERISA compliance plan for outsourcing is in place.
If your plan has not yet outsourced any services but intends to do so, plan sponsors and administrators should consider the following matters when selecting a TPA:
- TPA solvency; that is, the financial condition of the organization and their overall skill sets and experience.
- Information on the personnel experience of individuals who will be handling many of the daily duties for the plan.
- Legal matters concerning the TPA, such as pending lawsuits and past litigation matters.
- If the TPA will be managing plan investments, investigate and inquire how plan assets will be invested, the proposed fee structure, and if the firm has proper insurance coverage.
The United States Department of Labor (DOL) provides a number of helpful tips that serve to assist plan sponsors in the search. Suggestions include giving all potential TPAs the same, relevant information for bidding purposes, allowing plan sponsors to compare the pricing structure amongst them. Additionally, gain a comfort level from all firms regarding their fiduciary responsibilities and adherence to these practices. Regardless of what firm you choose, all TPAs should provide this comfort level to you.
After carefully selecting a firm, it’s time to begin a monitoring process to ensure the activities undertaken by the TPA are in accordance with the plan and the contractual agreements between both entities. Vital activities include examining any significant reports the TPA provides, periodically reviewing their performance, inquiring about the characteristics of their internal controls, validating fees charged, and promptly following up on any participant complaints.
SAS 70 Audits and the TPA
From an auditor's perspective, a TPA is a service organization, that is, the entity providing services to another organization by means of an outsourced, third-party vendor agreement. Since its inception in 1992, SAS 70 audits have been used extensively for examining the control environment of a TPA, but the wave of recent regulatory compliance has pushed this trend even further. Technically, a SAS 70 audit is an audit conducted to report on the controls placed in operation and tests of operating effectiveness of those controls. There are two types of SAS 70 audits, a Type I and a Type II, and for plan sponsors, a Type II should be considered the only acceptable SAS 70. The reasons are plenty, but primarily it’s driven by the testing period of a Type II audit, which allows a service organization’s controls to be examined and tested over an agreed time frame, such as six months.
What to look for in the SAS 70 Audit
SAS 70 reports, if conducted properly, have tremendous value to plan sponsors in understanding many of the core, critical tasks undertaken on a daily basis by a TPA. Because of the looseness in the auditing standard itself, plan sponsors are wise to consult with their TPA in requiring certain controls to be included in the scope of the audit. Gone are the days of a “general controls” audit, which tested a baseline of controls, regardless of the industry. Listed below is a sample of processes and procedures a SAS 70 auditor should evaluate when examining the TPA.
Controls provide reasonable assurance that:
- Participant enrollment information, cash receipts, distribution of plan assets, and changes to non-financial account information are processed in a complete, accurate and timely manner.
- Dividends are recorded in a complete, accurate, and timely manner.
- All direct and related transactions for investment options are processed in a complete, accurate, and timely manner.
- Plan assets are safeguarded from any losses or misappropriation.
- Physical and environmental security safeguards are in place.
- Access to systems, databases, and any other devices is granted to authorized individuals only.
- New plan documentation is properly set up and established in accordance with plan documentation.
- Participant documentation for new plans is accurately input and recorded.
TPAs that successfully complete a quality SAS 70 audit have gone through a rigorous examination of their internal control structure, resulting in a compliance audit they can share with the plan sponsor and any other intended users of the report. Additionally, a TPA’s requirement for additional audits by concerned entities will be greatly diminished, or even eliminated, by gaining SAS 70 compliance. This equates to notable cost savings for the firm.
Likewise, plan sponsors now have reasons to breathe easier, as their primary outsourced, third-party vendor has shown a level of competence necessary for continuing to perform their duties. The collaborative effort that takes place many times when a TPA undergoes a SAS 70 audit for a plan sponsor can result in a closer working relationship with better channels of communication for both sides.
