FINANCIAL REPORTING AND INTERNAL CONTROL MATTERS

1
FINANCIAL REPORTING AND INTERNAL CONTROL MATTERS

• Diane Wasser
• Amper, Politziner Mattia, LLP
• Robert A. Lavenberg
• BDO Seidman, LLP

2
Session Contents

• FASB 157
• Limited Scope Audits
• Risk Assessment Standards Year 2
• SAS 70

3
Valuation of Investments and FASB 157

• Each plan will be impacted by FASB 157 for the
  2008 plan year end, primarily in footnote
  disclosures.
• FASB 157
• Establishes a consistent definition of fair value
  and consistent method of determination under GAAP
• Establishes a framework for measuring fair value
  under GAAP
• Clarifies the definition of fair value within
  that framework
• Expands disclosures on fair value measurements

4
Valuation of Investments and FASB 157

• Fair Value definition
• The price received to sell an asset or transfer
  a liability in an orderly transaction between
  market participants at the measurement date.
• The FASB discusses valuation techniques and
  inputs to those valuation techniques and includes
  a hierarchy for measurement at fair value.
• The hierarchy is based on observable and
  unobservable inputs to valuation and the levels
  in the hierarchy are determined by where and how
  the pricing of investments is derived.
• Level 1, 2 and 3 will be a discussion point with
  service providers and ultimately auditors.

5
Valuation of Investments and FASB 157

• Market participants are
• Independent (not related parties)
• Knowledgeable (due diligence)
• Able to transact for the asset or liability
• Willing to transact for the asset or liability
  (not forced)

6
Valuation of Investments and FASB 157

• Measurement assumes an orderly transaction in the
  principal market
• Principal market is the market in which the
  entity would sell the asset or transfer the
  liability with the greatest volume and level of
  activity OR
• In the absence of a principal market the most
  advantageous market for the asset or liability

7
Valuation of Investments and FASB 157

• Valuation techniques
• Market approach prices and other relevant
  information from market transactions involving
  identical or comparable assets
• Matrix pricing to value debt securities
• Income approach valuation techniques to convert
  future amounts to a single present amount
• Cost approach based o the amount that currently
  would be required to replace the service capacity
  of an asset

8
Valuation of Investments and FASB 157

• Inputs refer broadly to the assumptions market
  participants would use in pricing the asset or
  liability
• Observable inputs - reflect the assumptions
  market participants would use based on
  independent market sources (published stock
  prices, amortized cost methods, price matrix)
• Unobservable inputs reflect the reporting
  entitys own assumptions market participants
  would use in pricing the asset or liability based
  on the best information available

9
Valuation of Investments and FASB 157

• Level 1 inputs
• Quoted market prices (unadjusted) for identical
  assets or liabilities in active markets
• Most reliable source of fair value
• Input examples
• Prices derived from NYSE, NASDAQ, Chicago Board
  of Trade, Pink Sheets

10
Valuation of Investments and FASB 157

• Level 2 Inputs
• Observable inputs for
• Similar assets or liabilities in active markets
• Identical or similar assets in inactive markets
• Inputs other than quoted prices that are directly
  observable
• Inputs derived from observable market data by
  correlation or other means
• Examples Matrix pricing, market corroborated
  pricing, yield curves and indices
• Significant adjustments may indicate Level 3

11
Valuation of Investments and FASB 157

• Level 3 Inputs
• Unobservable inputs
• Reporting entitys own assumptions about the
  assumptions market participants would use
• Other entity specific inputs (historical or
  projected financial information) that are not
  derived from market data
• Unobservable inputs are developed based on the
  best information available in the circumstances
• Examples Investment manager pricing for
  private placements, private equities, hedge
  funds, etc.

12
Valuation of Investments and FASB 157

• Disclosures
• Fair value measurements at the reporting date for
  each major category of assets or liabilities
• Level within the fair value hierarchy where each
  investment category falls
• Valuation techniques used to measure fair value
  and a discussion of changes in valuation
  techniques
• Readdress existing investment valuation language
  in summary of significant accounting principles
  footnote
• Level 3 expanded disclosures to reconcile
  beginning and ending balances

13
FASB 157 Implementation

• Fair Value Measurements
• Present a table of the fair value hierarchy for
  the balances of the assets and liabilities of the
  Plan measured at fair value as of December 31,
  2008.
• Present a table of the changes in assets and
  liabilities measured at fair value using Level 3
  inputs for the year ending December 31, 2008
• Realized Gains (Losses)
• Unrealized gains (losses) relating to instruments
  still held at December 31, 2008
• Purchases, sales, issuances and settlements (net)

14
FASB 157 Implementation

• Full Scope
• Obtain an understanding of the plans process for
  determining fair values, as well as whether the
  fair value measurements and disclosures are in
  accordance with GAAP.
• Consider to procedures and controls put in place
  by the plan sponsor and service provider to
  identify hard to value investments, validate the
  reliability of pricing, monitor the
  collectability of accrued income and modify
  reporting and disclosures in plan financial
  statements.

15
FASB 157 Implementation

• Full scope procedures requiring price testing
• Test of year-end market values
• Test of purchases and sales
• Test of unrealized gains and losses
• Test of realized gains and losses

16
FASB 157 Implementation

• Primary Vendors
• Interactive Data
• Standard Poor's
• GEMMA Consulting
• GMI
• IBOXX
• ISMA
• Markit
• Research Sources
• Bloomberg
• Reuters

17
FASB 157 Implementation

• Limited Scope
• Trustee or Custodian certifies the COMPLETENESS
  AND ACCURACY of the plans investment assets and
  investment activity as contained in the
  institutions ORDINARY BOOKS AND RECORDS, which
  MAY OR MAY NOT BE FAIR VALUE IN ACCORDANCE WITH
  GAAP.
• Information certified may be BEST AVAILABLE and
  may not be as of the plans year end

18
FASB 157 Implementation

• Whose job is it?
• Custodians provide the data
• Clients review the data and conclude
• Auditors validate and opine

19
Valuation of Investments and FASB 157

• While management may look to a valuation service
  provider for the mechanics of the valuation,
  management should have sufficient information to
  evaluate and independently challenge the
  valuation. Therefore, it is important that plan
  management is familiar with the plan assets in
  which a plan invests and the methods and
  significant assumptions used to value them,
  especially for investments in securities or other
  assets for which readily determinable fair market
  values do not exist.
• They can outsource mechanics but can NEVER
  outsource responsibility.

20
Valuation of Investments and FASB 157

• A plan auditor may provide advice, research
  materials and recommendations to assist in making
  decisions about the accuracy of investment
  valuations and the adequacy of the related
  disclosures, and in establishing internal
  controls surrounding plan managements investment
  valuations and can also help with the financial
  statement preparation.
• Independence.

21
Caution

• Although presented together, limited scope audits
  and SAS 70 reports are two independent topics
• Having a SAS 70 report does NOT constitute or
  provide the certification necessary to perform a
  limited scope audit

22
Session Objective Limited Scope

• We will discuss the basics but it gets
  complicated - quickly!
• Just what is the limited scope (L/S) audit
  exemption?
• What is the legislative perspective behind its
  application and how has it evolved?
• When can a plan sponsor legitimately invoke the
  usage of the exemption?
• What practical audit steps can be employed under
  a limited scope audit engagement?

23
Definition

• Summary of ERISA Reg. 2520.103
• Where an audit is required, the financial
  statements accompanying the Form 5500 must be
  GAAP-compliant
• Provides for an exclusion from the audit of
  investments (valuation and existence) and
  plan-level investment activity, if qualifying
  institution holding the assets certifies to the
  accuracy and completeness of the information
• Qualifying Institutions
• Bank or similar institution (e.g., a trust
  company) or insurance carrier
• regulated and supervised and subject to periodic
  examination by a State or Federal agency
• Could be asset trustee or custodian (does NOT
  need to be the trustee)

24
Definition

• Summary of ERISA Reg. 2520.103
• Provides sample certification language to be used
  by the certifying institution
• The XYZ Bank (Insurance Carrier) hereby certifies
  that the foregoing statement furnished pursuant
  to 29 CFR 2520.103-5(c) is complete and accurate.
• Indicates that certification extends to
  ordinary business records of the certifying
  institution
• The certification must be signed by a person
  authorized to represent the insurance carrier or
  bank

25
Definition

• The certification applies only to investments
• All other areas of plan activity including
  eligibility, contributions, distributions and
  expenses must be subjected to full audit
  procedures
• No audit procedures are performed on investments
  and related activity covered by the
  certification (including no review of internal
  control over investments or analytical review of
  income)

26
Limited Scope - Auditors Responsibility -
Investments

• Compare the certified information to the form and
  content of the financial statements and footnote
  disclosures
• Determine that the financial statements and
  disclosures are in compliance with GAAP and DOL
  requirements
• Test income allocation to participants
• Make sure 5 of net asset disclosure is made

27
Limited Scope - Auditors Responsibility -
Investments

• Make sure to include the certification footnote
  in the financial statements and references to the
  information that is certified
• If something unusual comes to your attention -
  investigate (e.g., cost fair value for hard to
  value assets, fair value has not changed for
  several years, or asset is not included in
  certified statements)
• If any material discrepancies are noted, the plan
  administrator should investigate and consider
• Requesting trustee/custodian to correct and
  either recertify or amend the certification
• If information is excluded, the plan
  administrator is responsible for proper valuation
  and reporting
• Engage the auditor to perform a full-scope audit
  and/or full scope procedures, as appropriate

28
Why the Limited Scope Audit Made Sense in 1974

• What was the DOL looking for?
• Recall the pre-ERISA environment do you know
  where your plan assets are?
• ERISA designed to ensure that the assets exist
  that plan values are accurate
• Certifying institutions played a prominent, if
  not exclusive, role in the New World order
• ERISA required plan assets to be held in a trust
  or insurance contract
• Holding assets in a trustees vault (versus the
  plan administrators file cabinet) provided
  vastly more comfort over the existence assertion
• Trustee/custodians provided a valuation
  independent of the plan sponsors
• Fair Value of plan assets were more commonly part
  of trustee or custodian's ordinary business
  records
• Plan investments had readily determinable market
  values
• Plan Trust Structures were less complex

29
Common Types of Plan Investments - 1974
30
So, what changed? That was then. This is now.

• Investments - Explosion of new investment
  vehicles found their way into the employee
  benefit world

31
So, what changed? That was then. This is now.

• Shadow Accounting - Emergence of specialized
  service providers resulting in more assets held
  outside the trust (Derivatives, Currency Hedging,
  etc.)
• Heightened awareness of custodians
• What are they really certifying to?
• Does an independent market value always equate
  to fair value?

32
Custodial Asset Pricing Processes Certifications

• FAS 157 - Fair Value Measurements - shines a
  floodlight on custodial pricing processes
• Requires deeper dive into custodial pricing
  vendors their methodologies, to facilitate
  bucketing of assets into Level 1, 2, 3
• Best available, versus Fair Value

33
Changing Audit Climate

• Sarbanes-Oxley Act of 2002
• AICPA Employee Benefit Plan Audit Quality Center
  (EBAQC)
• Plan audits no longer considered low risk audits
• More focused disciplined approach to EB audits
• Audit Guides/Risk Alerts discuss HTVAs and LPs
  specifically
• AICPA Practice Aid on Auditing Alternative
  Investments (July 06)
• Reiterates managements responsibility for
  valuation oversight
• Questions the premise of plan sponsors sole
  reliance on the custodians prices
• Audit Standards (SAS 112/114)
• Formalized required communication to management
• Provides another reason to ensure that the audit
  is top-notch and that the Ts are crossed
  and the Is are dotted

34
Relevancy of the Limited Scope Audit in Todays
Environment

• The environment has changed, but the regulations
  have not
• Is the extinction of the limited scope audit
  imminent?
• When is the limited scope audit applicable?
• Investment types and valuations are key drivers
  to determining audit level
• Marketable securities with readily determinable
  values
• Highly regulated Common or Collective Trusts
  (CCTs)/Pooled Separate Accounts (PSAs)
  invested in marketable securities
• Eligibility of certifying institution
• Clear designation of the entity that is holding
  the plan assets
• No 11-K filing is required

35
To Limit, or Not to Limit. That is the question!

• Who owns the decision to invoke the L/S audit
  exemption?
• The Plan Sponsor!
• Requires a Paradigm Shift on the part of the plan
  sponsor
• Do they view the L/S exemption as an automatic
  entitlement, or as a privilege?
• Are they aware of what their certifying entity is
  actually certifying to?
• Are they prepared to engage their auditors in a
  discussion about the appropriate level of audit
  work, in advance of the audit?
• Do they have a formal pricing policy and
  valuation oversight monitoring and signoff
  process, or are they relying exclusively on the
  custodial statements?

36
Investments Full Scope AuditsWhat is different
from a Limited Scope?

• Confirm directly with holder of assets (more than
  one custodian may hold assets)
• Test of year-end market values
• Test of interest
• Test of dividends
• Test of purchases and sales
• Test of unrealized gains and losses
• Test of realized gains and losses

37
What the Plan Sponsor Needs to Consider Before
Invoking the Limited Scope Audit Exemption

• AICPA has added branches to the Limited Scope
  Audit Decision Tree in the EB Audit Guide
• What percentage of plan assets are invested in
  holdings that do not have readily determinable
  market values?
• Can the plan sponsor rely exclusively on the
  certification for the fair value, or does their
  valuation committee rely on other investment
  analysis to supplement the custody values before
  signing off on the fair value for any Hard To
  Value Assets (HTVA)? If the latter is the
  case, the less chance of relying on the limited
  scope exemption.

38
Practical Audit Steps in a Limited Scope
Engagement

• Determine eligibility of certifying entity in
  accordance with ERISA Reg 2520.103-5
• Gain comfort with variations of the wording of
  the certification - examples of acceptable and
  non-acceptable wording
• to the best of my knowledge and belief
• Narrow down the investment versus non-investment
  transaction activity that falls within the L/S
  exemption
• Determine the relevancy of the SAS 70 and assess
  the service provider and related user controls
  under a L/S engagement
• Gain comfort with the certification of plan
  balances when the assets of multiple plans are
  commingled and held within a master trust

39
Practical Audit Steps in a Limited Scope
Engagement

• How can you tell from the investment statement
  whether the certified values for LPs are current
  values or lagged values?
• What do you do when you become aware that the
  values are lagged? Is amending and recertifying
  the year-end statement to reflect the updated
  values an acceptable alternative?
• When can you carve out assets that require a
  full-scope audit, without changing the scope of
  your engagement, and how does that impact your
  opinion letter?
• Will insurance carriers and banks be certifying
  to fair value in accordance with FAS 157?

40
Participant Allocation Testing

• Required in limited scope as allocation not
  certified
• Consider using investment returns for month or
  quarter
• Some firms testing allocations of interest and
  dividends
• Cannot completely rely on a SAS 70 Service
  Organization report even a Type II
• A SAS 70 report is NOT a Certification and is not
  related to the limited scope exemption

41
Certification of Participant Loans

• Does the certification truly cover loans?
• Substance over form considerations
• Often times not covered by certification for
  unbundled plans (record keeper and custodian are
  separate entities)
• Who keeps the records (e.g., amortization
  schedule, note, etc)?
• When loans arent properly certified
• Do not indicate in report that all investments
  are covered (only certain ones)
• Certification footnote should be clear that loans
  are not certified
• Even if properly certified, loan compliance
  testing is still required

42
Limited Scope Master Trusts

• Master trust certification doesn't allow you to
  do a limited scope audit of the plan
• Certification must be at plan level if doing a
  limited scope audit
• The appendix to the AICPA guide defines a master
  trust as, "a trust for which a regulated
  financial institution serves as trustee or
  custodian... and in which assets of more than one
  plan sponsored by a single employer or by a group
  of employers under common control are held."

43
Limited Scope Certifications - Agents

• Agents Certifying for Trustee/Custodian
• The plan administrator should determine whether
  the party providing the certification (the agent)
  is in fact authorized to represent the insurance
  carrier, bank or similar institution holding the
  assets of the plan.
• The plan administrator should take steps to
  ensure they understand the nature and scope of
  the certification the agent has provided before
  concluding that the certified information may be
  used to satisfy the limited scope exemption

44
Agent Certifications Scope Language

• any auditing procedures with respect to the
  information described in Note X, which was
  certified by ABC, Inc., the record keeper of the
  Plan as agent for XYZ Bank, the trustee of the
  Plan,
• The plan administrator has obtained a
  certification from the agent on behalf of the
  trustee

45
Agent Certifications Opinion Language

• other than that derived from the information
  certified by the agent on behalf of the trustee,
  have been audited
• Best practice plan administrator should obtain
  and review the agency agreement

46
Getting Plan Sponsors on Board

• Pre-Engagement Meeting Discussions extend
  invitations to Investment Committee contacts
• Sharing Copies of Relevant Materials
• DOLs Internal Controls over Financial Records of
  the Plan
• AICPA Audit Guides
• AICPA Practice Aid on Auditing Alternative
  Investments
• AICPA EBPAQC Webcasts
• These slides

47
Risk Assessment Standards Year 2

• ASB issued the standards to improve the quality
  and effectiveness of audits by focusing on audit
  risk
• Auditors need to have a more in depth
  understanding of our clients, their environment,
  including internal control in order to be able to
  identify and assess the risk of material
  misstatement
• Designing and performing audit procedures in
  response to those risks at the financial
  statement level and at the relevant assertion
  level for account balances and transactions
  classes
• Improved linkage between the assessed risks,
  audit procedures and conclusions

48
Risk Assessment Standards Summary SAS 104 111
Year 2

• Pre-Engagement Activities-Acceptance of the
  client, independence, Management integrity, etc,
  engagement letter.
• Planning the audit
• Gain an understanding of the plan and its
  environment
• ERISA and DOL regulations, new accounting
  pronouncements, changes in economic environment,
  plan type and provisions, tone at the top, plan
  oversight, measurement and review of plans
  performance, actuarial reports, controls at plan
  and controls at outside service providers (SAS
  70s)
• Perform preliminary Analytical procedures
• Current year to prior year, actuarial
  assumptions, investment returns, etc
• Discussion among engagement team
• Identify fraud risk factors
• nature of plan investments, plan operations,
  party in interest
• Determine materiality at F/S level

49
Risk Assessment Standards -Summary

• Assess risk of material misstatement at the
  overall financial statement level and complete
  overall audit strategy and overall responses at
  the financial statement level
• Assess risk of material misstatement in relation
  to relevant assertions for major transaction
  classes (participant account activity), account
  balances (investments, receivables, payables) and
  disclosures
• Identify major audit areas audit areas with
  material transaction classes, account balances,
  disclosures
• Areas with potential significant risk could be
  investments without readily determinable market
  value, new investments, SAS 70 errors,
  operational defects or non routine transactions,
  etc.
• Areas where substantive procedures alone are not
  sufficient

50
Risk Assessment Standards -Summary

• Develop a detailed audit plan for the nature,
  timing and extent of further audit procedures
  which include tests of controls, substantive
  procedures (tests of details and analytical
  procedures) and evaluate disclosures
• Evaluate results of audit procedures to determine
  if they are sufficient and document linkage of
  procedures with the assessed risks at the
  relevant assertion level

51
Caution

• Although presented together, limited scope audits
  and SAS 70 reports are two independent topics
• Having a SAS 70 report does NOT constitute or
  provide the certification necessary to perform a
  limited scope audit

52
SAS 70s - Session Objectives

• For this part of the session we will discuss the
  basics of SAS 70 reports including
• History and purpose of SAS 70 reports
• Difference between types of SAS 70 reports
• Sections of SAS 70 reports
• Basics of how to read and evaluate SAS 70 reports

53
History and Purpose of SAS 70s

• Auditors are required to gain an understanding of
  internal controls to plan the audit
• New Risk Assessment Standards, specifically SAS
  109, which superseded SAS 55, now require
  auditors to evaluate the design and
  implementation of controls at a client
• Plan sponsors generally outsource a significant
  portion of the plans operations to third party
  providers (e.g., record keepers, custodians) and
  controls covering these operations also need to
  be considered
• SAS 70 reports tend to be the most efficient way
  to meet these requirements
• Daily valuation of plans highlighted the need for
  more use of SAS 70 reports in the Employee
  Benefit Plan (EBP) industry
• Auditors must consider both the service
  organizations AND plan sponsor controls

54
History and Purpose of SAS 70s

• SAS 70 reports address both the evaluation of
  design and implementation of controls
• Evaluation of Design
• Service auditors who prepare SAS 70 reports
  evaluate the design of the controls by the
  service organization and will report on any noted
  design deficiencies in the independent service
  auditors report.
• Controls need to be designed to support the
  control objective (e.g., contributions are
  recorded to the plan and participants accounts
  on an accurate and timely basis)
• EBP Auditor should consider user organization
  (i.e. Plan sponsor) controls as well as service
  provider controls (e.g., contribution and payroll
  information remitted to service organization are
  accurate)

55
History and Purpose of SAS 70s

• Implementation of Controls
• Service auditor will design their tests of
  controls, depending on type of SAS 70 report to
  be issued, to determine implementation and
  operating effectiveness of controls at the
  service organization
• Testing includes inquiry, observations,
  inspection and re-performance
• Note The type of testing performed by the
  service auditor makes a difference!!
• Auditors must consider the effect of exceptions
  or qualifications noted in the SAS 70 report
  related to either design deficiencies or
  operating effectiveness as part of auditors
  overall risk assessment
• Remember SAS 70 reports are only one part of
  the risk assessment process associated with
  controls. Plan sponsor user controls must be
  addressed as well.

56
Differences Types of SAS 70s

• Two Types of SAS 70 Reports
• Type I SAS 70 Report
• Service auditor will evaluate design of controls
  and confirm implementation of controls as of a
  point in time (e.g., as of December 31, 200X)
• Addresses risk assessment requirements to a point
• Does not include testing of operating
  effectiveness over a period of time (e.g., Period
  ended December 31, 200X)
• Type II SAS 70 Report
• Same as a Type I report but includes testing of
  operating effectiveness over a period of time
• Much more useful report for the auditors risk
  assessment procedures and could potentially be
  used to reduce substantial audit procedures

57
Differences Types of SAS 70s

• In the EBP industry, there are several
  organizations that may provide a SAS 70 report
  that the auditor might utilize depending on scope
  and type of audit
• Trust Company or Custodian
• Record keeper
• Combined Trust/Custodian and Record keeper
• Payroll/Human Resource Company
• Actuary
• Investment Advisors and Transfer Agents
• Critical to obtain the correct SAS 70 report
  (i.e. some organizations have multiple SAS 70
  reports) relevant to each specific plan

58
Sections of SAS 70 Reports

• Independent Service Auditors Report
• Reports on auditors opinion about design of
  controls and their implementation.
• Type II SAS 70 report will also report on the
  operating effectiveness of controls
• Report will define what exactly is covered in SAS
  70 report (e.g., transactions performed related
  to defined contribution plans)
• Report will define period covered (generally six
  months or longer)
• May include carve-outs (e.g., participant
  statements printed by another entity). Note
  might require additional procedures, including
  additional SAS 70 reports if carve-outs are
  significant and relevant)

59
Sections of SAS 70 Reports

• Company Overview
• Includes general discussion of company structure
  and operations and entity level controls (e.g.,
  human resource practices, segregation of duties,
  ethics policies)
• Generally includes a discussion of computerized
  information systems
• Auditor should review and consider as part of
  risk assessment process of entity level controls
• May also include other valuable information so
  should not be ignored

60
Sections of SAS 70 Reports

• Control Objectives
• Developed to address user auditors (i.e. Plan
  auditor) expected financial statement assertions
• Are the responsibility of the service
  organization to determine and are based on
  anticipated user organizations needs (e.g., EBP
  auditor will need sections such as contributions
  and distribution processing)
• Should include IT general controls, such as
  physical and logical access, change management,
  back-up, etc.
• These are important and must be addressed
• Generally read as follows Controls provide
  reasonable assurance that distributions are
  properly approved, calculated accurately, and
  recorded to participant and plan accounts on a
  timely basis

61
Sections of SAS 70 Reports

• Description of Controls
• Generally in narrative form to describe process
  overall and highlight individual controls and
  procedures that support the control objective
• Example Distribution processing most likely will
  include controls to
• Ensure proper approvals (e.g., review of
  distribution request form or electronic approvals
  in paperless format)
• Review proper calculation of distributions
  vesting, taxes
• Ensure proper recording to participant account
• Ensure proper communication to entity (trustee or
  custodian) remitting payment to participant or
  their beneficiary

62
Sections of SAS 70 Reports

• Description of Controls (Continued)
• User controls are an important consideration in
  understanding total control structure
• Vesting might be calculated or reviewed by plan
  sponsor in addition to or in lieu of service
  organizations review
• Approval of distributions by plan sponsor,
  especially in paperless environment, might be
  based on providing termination dates of
  participants (usually detailed in service
  agreement between plan sponsor and service
  organization)

63
Sections of SAS 70 Reports

• Tests of Operating Effectiveness
• Included in Type II SAS 70 reports
• Usually in form of matrix in SAS 70 report,
  sometimes in a narrative format
• Outlines which controls service auditor tested
  and what tests were applied to determine
  operating effectiveness of those controls.

64
Sections of SAS 70 Reports

• Tests of Operating Effectiveness (Continued)
• Tests can include
• Inquiries to personnel responsible for performing
  controls
• Observations of personnel actually performing
  controls
• Inspection of documentation that provides
  evidence of performance of controls (e.g.,
  completed checklist, signature of individual who
  reviewed form for approvals)
• Re-performance of controls (e.g., test
  transactions run through the recordkeeping system
  to review proper postings)

65
Sections of SAS 70 Reports

• Test Results
• If no exceptions, generally reads No relevant
  exceptions noted or Control objective operating
  effectively
• If exceptions are found, the finding will be
  detailed as to how many exceptions within the
  sample size were noted, and nature of exceptions
• Sometimes other findings may be noted (e.g., No
  activity noted for year or that control was in
  place for portion of period covered by SAS 70
  report)
• Note Exceptions noted may not always result in a
  qualification of opinion
• May also include management responses to
  exception findings these responses are not
  audited by the service auditor but may include
  relevant information and should be reviewed

66
Sections of SAS 70 Reports

• Additional information provided by service
  organization
• Generally not audited by service auditor and is
  so referenced in Independent Service Auditors
  report
• Includes items such as disaster recovery
  procedures
• May include items related to subsequent events
  such as a merger of entities or
  termination/change in services
• Is a part of the SAS 70 report and should be
  reviewed to ensure no relevant information that
  may effect auditors evaluation is missed

67
Basics of How to Read and Evaluate SAS 70 Reports

• A basic road map for auditors in how to
  effectively and properly review SAS 70 reports
• Can be a difficult process as SAS 70 reports are
  not consistent among service providers nor is
  format consistent in how they are prepared by
  service auditor.
• Start with Independent Service Auditors Report
  and Company Overview as these sections contain a
  lot of valuable information and can confirm
  correct SAS 70 report has been obtained. Note
  any qualifications and determine effect
  generally specific areas such as enrollments may
  only affect one control objective. IT related
  qualifications may affect more than one area
  depending on nature and extent of qualification.
• Auditors should keep in mind additional
  procedures may apply for missing key control
  objectives and should have prepared a list of
  expected areas to be covered in the SAS 70 report
  according to risk assessment procedures tailored
  to a particular client and engagement.

68
Basics of How to Read and Evaluate SAS 70 Reports

• Control Objectives
• What is there and what is missing? Auditors of
  EBP plans generally look for the same control
  objectives including
• Note For missing key control objectives or if no
  SAS 70 report is available, procedures to
  determine controls in place, the evaluation of
  their design and implementation must still be
  adequately addressed by the auditor!!

69
Basics of How to Read and Evaluate SAS 70 Reports

• Description of Controls
• Auditors should generally read through the detail
  of the procedures related to a specific control
  objective to understand overall process and
  identify controls in place
• Warning Controls included in this description
  may not always be included in testing so be aware
  that this may affect reliance

70
Basics of How to Read and Evaluate SAS 70 Reports

• Tests of Operating Effectiveness
• Auditors need to determine which controls were
  tested as included in the description of controls
  usually listed with testing procedures
  performed
• Auditors have to consider level of testing
  performed for reliance purposes inquiries alone
  will not be sufficient evidence for confirming
  implementation and observations may not be
  considered sufficient for reliance on controls
  for purposes of reducing control risk below
  maximum to reduce substantive audit procedures

71
Basics of How to Read and Evaluate SAS 70 Reports

• Exceptions
• Auditors have to evaluate each exception,
  including nature of exception, extent of
  exception and any mitigating controls in place
  related to that exception.
• Nature of exception
• Error in processing transaction?
• Missing evidence? (e.g., cannot locate checklist)
• Also consider is the exception relevant to your
  specific client situation

72
Basics of How to Read and Evaluate SAS 70 Reports

• Exceptions (Continued)
• Extent of Exception
• Isolated error?
• Exception one of many included under control
  objective?
• Did exception lead to qualification of
  Independent Service Auditors report?
• Special consideration IT general controls
  exceptions and qualifications could affect more
  than one area and may be a significant problem in
  reliance and use of SAS 70 report

73
Basics of How to Read and Evaluate SAS 70 Reports

• Exceptions (Continued)
• Mitigating controls in place related to exception
• Are there other controls in place at service
  provider to mitigate risk of error?
• Other levels of review such as quality control
  reviews
• Different access levels that may prevent issues
  (physical vs. logical access on systems)
• Does the plan sponsor actually perform that
  control? (e.g., calculate vesting)
• Are there mitigating controls in place at the
  plan sponsor? (e.g., review and approve
  calculation of vesting)
• Note evaluation will be different among
  engagements depending on controls in place and
  who does what

74
Basics of How to Read and Evaluate SAS 70 Reports

• Evaluation of SAS 70 report and conclusions
  reached by Plan auditors should be documented
  clearly and adequately in audit workpapers as
  required by SAS 103.
• Documentation can include
• Copy of relevant SAS 70 reports obtained and
  evaluated
• Checklist or Form used to evaluate SAS 70 report
• Memo or checklist/form used above to document
  conclusions reached regarding each area as to
  reliance on SAS 70, and the extent of that
  reliance (e.g., reliance related only to design
  and implementation or further reliance to reduce
  control risk and substantive audit procedures)
• Note Reliance may vary from area to area (e.g.,
  reliance placed to reduce substantive audit
  procedures in contributions, but not in
  distributions)

75

• Questions?