

Date post: 23-Dec-2015
FINANCIAL REPORTING AND INTERNAL CONTROL MATTERS Diane Wasser Amper, Politziner & Mattia, LLP Robert A. Lavenberg BDO Seidman, LLP

FINANCIAL REPORTING AND INTERNAL CONTROL MATTERS

Diane Wasser
Amper, Politziner & Mattia, LLP

Robert A. Lavenberg
BDO Seidman, LLP


Session Contents

FASB 157

Limited Scope Audits

Risk Assessment Standards – Year 2

SAS 70

Valuation of Investments and FASB 157

Each plan will be impacted by FASB 157 for the 2008 plan year end, primarily in footnote disclosures.

FASB 157:

Establishes a consistent definition of fair value and consistent method of determination under GAAP

Establishes a framework for measuring fair value under GAAP

Clarifies the definition of fair value within that framework

Expands disclosures on fair value measurements

Valuation of Investments and FASB 157

Fair Value definition:

“The price received to sell an asset or transfer a liability in an orderly transaction between market participants at the measurement date”.

The FASB discusses valuation techniques and inputs to those valuation techniques and includes a hierarchy for measurement at fair value.

The hierarchy is based on observable and unobservable inputs to valuation and the levels in the hierarchy are determined by where and how the pricing of investments is derived.

Level 1, 2 and 3 will be a discussion point with service providers and ultimately auditors.


Valuation of Investments and FASB 157

Market participants are:

Independent (not related parties)

Knowledgeable (due diligence)

Able to transact for the asset or liability

Willing to transact for the asset or liability (not forced)


Valuation of Investments and FASB 157

Measurement assumes an orderly transaction in the principal market

Principal market is the market in which the entity would sell the asset or transfer the liability with the greatest volume and level of activity OR

In the absence of a principal market the most advantageous market for the asset or liability

Valuation of Investments and FASB 157

Valuation techniques:

Market approach – prices and other relevant information from market transactions involving identical or comparable assets

Matrix pricing to value debt securities

Income approach – valuation techniques to convert future amounts to a single present amount

Cost approach – based on the amount that currently would be required to replace the service capacity of an asset

Valuation of Investments and FASB 157

Inputs refer broadly to the assumptions market participants would use in pricing the asset or liability:

Observable inputs - reflect the assumptions market participants would use based on independent market sources (published stock prices, amortized cost methods, price matrix)

Unobservable inputs – reflect the reporting entity’s own assumptions market participants would use in pricing the asset or liability based on the best information available


Valuation of Investments and FASB 157

Level 1 inputs

Quoted market prices (unadjusted) for identical assets or liabilities in active markets

Most reliable source of fair value

Input examples

Prices derived from NYSE, NASDAQ, Chicago Board of Trade, Pink Sheets


Valuation of Investments and FASB 157

Level 2 Inputs:

Observable inputs for

Similar assets or liabilities in active markets

Identical or similar assets in inactive markets

Inputs other than quoted prices that are directly observable

Inputs derived from observable market data by correlation or other means

Examples – Matrix pricing, market corroborated pricing, yield curves and indices

Significant adjustments may indicate Level 3


Valuation of Investments and FASB 157

Level 3 Inputs:

Unobservable inputs

Reporting entity’s own assumptions about the assumptions market participants would use

Other entity specific inputs (historical or projected financial information) that are not derived from market data

Unobservable inputs are developed based on the best information available in the circumstances

Examples – Investment manager pricing for private placements, private equities, hedge funds, etc.


Valuation of Investments and FASB 157

Disclosures

Fair value measurements at the reporting date for each major category of assets or liabilities

Level within the fair value hierarchy where each investment category falls

Valuation techniques used to measure fair value and a discussion of changes in valuation techniques

Readdress existing investment valuation language in summary of significant accounting principles footnote

Level 3 expanded disclosures to reconcile beginning and ending balances

FASB 157 Implementation

Fair Value Measurements

Present a table of the fair value hierarchy for the balances of the assets and liabilities of the Plan measured at fair value as of December 31, 2008.

Present a table of the changes in assets and liabilities measured at fair value using Level 3 inputs for the year ending December 31, 2008

Realized Gains (Losses)

Unrealized gains (losses) relating to instruments still held at December 31, 2008

Purchases, sales, issuances and settlements (net)

FASB 157 Implementation

Full Scope:

Obtain an understanding of the plan’s process for determining fair values, as well as whether the fair value measurements and disclosures are in accordance with GAAP.

Consider the procedures and controls put in place by the plan sponsor and service provider to identify hard to value investments, validate the reliability of pricing, monitor the collectability of accrued income and modify reporting and disclosures in plan financial statements.

FASB 157 Implementation

Full scope procedures requiring price testing

Test of year-end market values

Test of purchases and sales

Test of unrealized gains and losses

Test of realized gains and losses

FASB 157 Implementation

Primary Vendors

Interactive Data Standard & Poor's GEMMA Consulting GMI IBOXX ISMA Markit

Research Sources

Bloomberg

Reuters

FASB 157 Implementation

Limited Scope:

Trustee or Custodian certifies the COMPLETENESS AND ACCURACY of the plan’s investment assets and investment activity as contained in the institution’s ORDINARY BOOKS AND RECORDS, which MAY OR MAY NOT BE FAIR VALUE IN ACCORDANCE WITH GAAP.

Information certified may be BEST AVAILABLE and may not be as of the plan’s year end


FASB 157 Implementation

Whose job is it?

Custodians – provide the data

Clients – review the data and conclude

Auditors – validate and opine

Valuation of Investments and FASB 157

While management may look to a valuation service provider for the mechanics of the valuation, management should have sufficient information to evaluate and independently challenge the valuation. Therefore, it is important that plan management is familiar with the plan assets in which a plan invests and the methods and significant assumptions used to value them, especially for investments in securities or other assets for which readily determinable fair market values do not exist.

They can outsource mechanics but can NEVER outsource responsibility.

Valuation of Investments and FASB 157

A plan auditor may provide advice, research materials and recommendations to assist in making decisions about the accuracy of investment valuations and the adequacy of the related disclosures, and in establishing internal controls surrounding plan management’s investment valuations and can also help with the financial statement preparation.

Independence.


***** Caution *****

Although presented together, limited scope audits and SAS 70 reports are two independent topics

Having a SAS 70 report does NOT constitute or provide the certification necessary to perform a limited scope audit

Session Objective – Limited Scope

We will discuss the basics but it gets complicated - quickly!

Just what is the limited scope (“L/S”) audit exemption?

What is the legislative perspective behind its application and how has it evolved?

When can a plan sponsor legitimately invoke the usage of the exemption?

What practical audit steps can be employed under a limited scope audit engagement?

Definition

Summary of ERISA Reg. 2520.103

Where an audit is required, the financial statements accompanying the Form 5500 must be GAAP-compliant

Provides for an exclusion from the audit of investments (valuation and existence) and plan-level investment activity, if qualifying institution holding the assets certifies to the accuracy and completeness of the information

Qualifying Institutions:

Bank or similar institution (e.g., a trust company) or insurance carrier regulated and supervised and subject to periodic examination by a State or Federal agency

Could be asset trustee or custodian (does NOT need to be the trustee)

Definition

Summary of ERISA Reg. 2520.103

Provides sample certification language to be used by the certifying institution

The XYZ Bank (Insurance Carrier) hereby certifies that the foregoing statement furnished pursuant to 29 CFR 2520.103-5(c) is complete and accurate.

Indicates that certification extends to “ordinary business records” of the certifying institution

The certification must be signed by a person authorized to represent the insurance carrier or bank

Definition

The certification applies only to investments

All other areas of plan activity, including eligibility, contributions, distributions and expenses, must be subjected to full audit procedures

No audit procedures are performed on investments and related activity covered by the certification (including no review of internal control over investments or analytical review of income)


Limited Scope - Auditor’s Responsibility - Investments

Compare the certified information to the form and content of the financial statements and footnote disclosures

Determine that the financial statements and disclosures are in compliance with GAAP and DOL requirements

Test income allocation to participants

Make sure 5% of net asset disclosure is made


Limited Scope - Auditor’s Responsibility - Investments

Make sure to include the certification footnote in the financial statements and references to the information that is certified

If something unusual comes to your attention - investigate (e.g., cost = fair value for hard to value assets, fair value has not changed for several years, or asset is not included in certified statements)

If any material discrepancies are noted, the plan administrator should investigate and consider:

Requesting trustee/custodian to correct and either recertify or amend the certification

If information is excluded, the plan administrator is responsible for proper valuation and reporting

Engage the auditor to perform a full-scope audit and/or full scope procedures, as appropriate


Why the Limited Scope Audit Made Sense in 1974

What was the DOL looking for?

Recall the pre-ERISA environment: do you know where your plan assets are?

ERISA designed to ensure that the assets exist & that plan values are accurate

Certifying institutions played a prominent, if not exclusive, role in the New World order

ERISA required plan assets to be held in a trust or insurance contract

Holding assets in a trustee’s vault (versus the plan administrator’s file cabinet) provided vastly more comfort over the existence assertion

Trustee/custodians provided a valuation independent of the plan sponsor’s

Fair Value of plan assets was more commonly part of trustee or custodian's “ordinary business records”

Plan investments had readily determinable market values

Plan & Trust Structures were less complex


Common Types of Plan Investments - 1974

Common stocks

Mutual funds

Corporate Bonds

US Government Securities

Common or collective trusts (“CCTs”)

Unallocated Insurance contracts

Pooled separate accounts (“PSAs”)

Master trusts – holding any or all of these investment types


So, what changed? That was then. This is now.

Investments - Explosion of new investment vehicles found their way into the employee benefit world

Hedge funds

Venture Capital

Private Equity

Real Estate

Art Work

Precious Metals


So, what changed? That was then. This is now.

Shadow Accounting - Emergence of specialized service providers resulting in more assets held outside the trust (Derivatives, Currency Hedging, etc.)

Heightened awareness of custodians

What are they really certifying to?

Does an independent “market value” always equate to “fair value”?


Custodial Asset Pricing Processes & Certifications

FAS 157 - Fair Value Measurements - shines a floodlight on custodial pricing processes

Requires deeper dive into custodial pricing vendors & their methodologies, to facilitate bucketing of assets into Level 1, 2, 3

Best available, versus Fair Value

Changing Audit Climate

Sarbanes-Oxley Act of 2002

AICPA Employee Benefit Plan Audit Quality Center (“EBAQC”)

Plan audits no longer considered low risk audits

More focused & disciplined approach to EB audits

Audit Guides/Risk Alerts discuss HTVAs and LPs specifically

AICPA Practice Aid on Auditing Alternative Investments (July 06)

Reiterates management’s responsibility for valuation oversight

Questions the premise of plan sponsor’s sole reliance on the custodian’s prices

Audit Standards (SAS 112/114)

Formalized required communication to management

Provides another reason to ensure that the audit is top-notch and that the “T’s” are crossed and the “I’s” are dotted


Relevancy of the Limited Scope Audit in Today’s Environment

The environment has changed, but the regulations have not

Is the extinction of the limited scope audit imminent?

When is the limited scope audit applicable?

Investment types and valuations are key drivers to determining audit level

Marketable securities with readily determinable values

Highly regulated Common or Collective Trusts (“CCTs”)/Pooled Separate Accounts (“PSAs”) invested in marketable securities

Eligibility of certifying institution

Clear designation of the entity that is holding the plan assets

No 11-K filing is required


To Limit, or Not to Limit. That is the question!

Who owns the decision to invoke the L/S audit exemption? The Plan Sponsor!

Requires a Paradigm Shift on the part of the plan sponsor

Do they view the L/S exemption as an automatic entitlement, or as a privilege?

Are they aware of what their certifying entity is actually certifying to?

Are they prepared to engage their auditors in a discussion about the appropriate level of audit work, in advance of the audit?

Do they have a formal pricing policy and valuation oversight monitoring and signoff process, or are they relying exclusively on the custodial statements?

Investments – Full Scope Audits

What is different from a Limited Scope?

Confirm directly with holder of assets (more than one custodian may hold assets)

Test of year-end market values

Test of interest

Test of dividends

Test of purchases and sales

Test of unrealized gains and losses

Test of realized gains and losses


What the Plan Sponsor Needs to Consider Before Invoking the Limited Scope Audit Exemption

AICPA has added branches to the Limited Scope Audit Decision Tree in the EB Audit Guide

What percentage of plan assets are invested in holdings that do not have readily determinable market values?

Can the plan sponsor rely exclusively on the certification for the fair value, or does their valuation committee rely on other investment analysis to supplement the custody values before signing off on the fair value for any Hard To Value Assets (“HTVA”)?

If the latter is the case, there is less chance of relying on the limited scope exemption.


Practical Audit Steps in a Limited Scope Engagement

Determine eligibility of certifying entity in accordance with ERISA Reg 2520.103-5

Gain comfort with variations of the wording of the certification - examples of acceptable and non-acceptable wording

“… to the best of my knowledge and belief”

Narrow down the investment versus non-investment transaction activity that falls within the L/S exemption

Determine the relevancy of the SAS 70 and assess the service provider and related user controls under a L/S engagement

Gain comfort with the certification of plan balances when the assets of multiple plans are commingled and held within a master trust


Practical Audit Steps in a Limited Scope Engagement

How can you tell from the investment statement whether the certified values for LPs are current values or lagged values?

What do you do when you become aware that the values are lagged? Is amending and recertifying the year-end statement to reflect the updated values an acceptable alternative?

When can you carve out assets that require a full-scope audit, without changing the scope of your engagement, and how does that impact your opinion letter?

Will insurance carriers and banks be certifying to fair value in accordance with FAS 157?


Participant Allocation Testing

Required in limited scope as allocation not certified

Consider using investment returns for month or quarter

Some firms testing allocations of interest and dividends

Cannot completely rely on a SAS 70 Service Organization report – even a Type II

A SAS 70 report is NOT a Certification and is not related to the limited scope exemption

Certification of Participant Loans

Does the certification truly cover loans?

Substance over form considerations

Often times not covered by certification for unbundled plans (record keeper and custodian are separate entities)

Who keeps the records (e.g., amortization schedule, note, etc)?

When loans aren’t properly certified

Do not indicate in report that all investments are covered (only certain ones)

Certification footnote should be clear that loans are not certified

Even if properly certified, loan compliance testing is still required

Limited Scope & Master Trusts

Master trust certification – doesn't allow you to do a limited scope audit of the plan

Certification must be at plan level if doing a limited scope audit

The appendix to the AICPA guide defines a master trust as, "a trust for which a regulated financial institution serves as trustee or custodian... and in which assets of more than one plan sponsored by a single employer or by a group of employers under common control are held."

Limited Scope Certifications - Agents

Agents Certifying for Trustee/Custodian

The plan administrator should determine whether the party providing the certification (the agent) is in fact authorized to represent the insurance carrier, bank or similar institution holding the assets of the plan.

The plan administrator should take steps to ensure they understand the nature and scope of the certification the agent has provided before concluding that the certified information may be used to satisfy the limited scope exemption


Agent Certifications – Scope Language

“… any auditing procedures with respect to the information described in Note X, which was certified by ABC, Inc., the record keeper of the Plan as agent for XYZ Bank, the trustee of the Plan, …”

“The plan administrator has obtained a certification from the agent on behalf of the trustee …”


Agent Certifications – Opinion Language

“… other than that derived from the information certified by the agent on behalf of the trustee, have been audited …”

Best practice – plan administrator should obtain and review the agency agreement

Getting Plan Sponsors on Board

Pre-Engagement Meeting Discussions: extend invitations to Investment Committee contacts

Sharing Copies of Relevant Materials:

DOL’s Internal Controls over Financial Records of the Plan

AICPA Audit Guides

AICPA Practice Aid on Auditing Alternative Investments

AICPA EBPAQC Webcasts

These slides

Risk Assessment Standards – Year 2

ASB issued the standards to improve the quality and effectiveness of audits by focusing on audit risk

Auditors need to have a more in depth understanding of our clients, their environment, including internal control in order to be able to identify and assess the risk of material misstatement

Designing and performing audit procedures in response to those risks at the financial statement level and at the relevant assertion level for account balances and transactions classes

Improved linkage between the assessed risks, audit procedures and conclusions

Risk Assessment Standards – Summary SAS 104 – 111 Year 2

Pre-Engagement Activities - Acceptance of the client, independence, management integrity, etc., engagement letter.

Planning the audit

Gain an understanding of the plan and its environment

ERISA and DOL regulations, new accounting pronouncements, changes in economic environment, plan type and provisions, tone at the top, plan oversight, measurement and review of plan’s performance, actuarial reports, controls at plan and controls at outside service providers (SAS 70’s)

Perform preliminary analytical procedures

Current year to prior year, actuarial assumptions, investment returns, etc.

Discussion among engagement team

Identify fraud risk factors

Nature of plan investments, plan operations, party in interest

Determine materiality at F/S level

Risk Assessment Standards - Summary

Assess risk of material misstatement at the overall financial statement level and complete overall audit strategy and overall responses at the financial statement level

Assess risk of material misstatement in relation to relevant assertions for major transaction classes (participant account activity), account balances (investments, receivables, payables) and disclosures

Identify major audit areas = audit areas with material transaction classes, account balances, disclosures

Areas with potential significant risk could be investments without readily determinable market value, new investments, SAS 70 errors, operational defects or non routine transactions, etc.

Areas where substantive procedures alone are not sufficient

Risk Assessment Standards - Summary

Develop a detailed audit plan for the nature, timing and extent of further audit procedures which include tests of controls, substantive procedures (tests of details and analytical procedures) and evaluate disclosures

Evaluate results of audit procedures to determine if they are sufficient and document linkage of procedures with the assessed risks at the relevant assertion level


***** Caution *****

Although presented together, limited scope audits and SAS 70 reports are two independent topics

Having a SAS 70 report does NOT constitute or provide the certification necessary to perform a limited scope audit


SAS 70s - Session Objectives

For this part of the session we will discuss the basics of SAS 70 reports including:

History and purpose of SAS 70 reports

Difference between types of SAS 70 reports

Sections of SAS 70 reports

Basics of how to read and evaluate SAS 70 reports

History and Purpose of SAS 70s

Auditors are required to gain an understanding of internal controls to plan the audit

New Risk Assessment Standards, specifically SAS 109, which superseded SAS 55, now require auditors to evaluate the design and implementation of controls at a client

Plan sponsors generally outsource a significant portion of the plan’s operations to third party providers (e.g., record keepers, custodians) and controls covering these operations also need to be considered

SAS 70 reports tend to be the most efficient way to meet these requirements

Daily valuation of plans highlighted the need for more use of SAS 70 reports in the Employee Benefit Plan (“EBP”) industry

Auditors must consider both the service organizations’ AND plan sponsor controls

History and Purpose of SAS 70s

SAS 70 reports address both the evaluation of design and implementation of controls

Evaluation of Design

Service auditors who prepare SAS 70 reports evaluate the design of the controls by the service organization and will report on any noted design deficiencies in the independent service auditors’ report.

Controls need to be designed to support the control objective (e.g., contributions are recorded to the plan and participants’ accounts on an accurate and timely basis)

EBP Auditor should consider user organization (i.e. Plan sponsor) controls as well as service provider controls (e.g., contribution and payroll information remitted to service organization are accurate)

History and Purpose of SAS 70s

Implementation of Controls

Service auditor will design their tests of controls, depending on type of SAS 70 report to be issued, to determine implementation and operating effectiveness of controls at the service organization

Testing includes inquiry, observations, inspection and re-performance

Note: The type of testing performed by the service auditor makes a difference!!

Auditors must consider the effect of exceptions or qualifications noted in the SAS 70 report related to either design deficiencies or operating effectiveness as part of auditor’s overall risk assessment

Remember – SAS 70 reports are only one part of the risk assessment process associated with controls. Plan sponsor user controls must be addressed as well.

Differences – Types of SAS 70s

Two Types of SAS 70 Reports:

Type I SAS 70 Report

Service auditor will evaluate design of controls and confirm implementation of controls as of a point in time (e.g., as of December 31, 200X)

Addresses risk assessment requirements to a point

Does not include testing of operating effectiveness over a period of time (e.g., Period ended December 31, 200X)

Type II SAS 70 Report

Same as a Type I report but includes testing of operating effectiveness over a period of time

Much more useful report for the auditor’s risk assessment procedures and could potentially be used to reduce substantive audit procedures

Differences – Types of SAS 70s

In the EBP industry, there are several organizations that may provide a SAS 70 report that the auditor might utilize depending on scope and type of audit:

Trust Company or Custodian

Record keeper

Combined Trust/Custodian and Record keeper

Payroll/Human Resource Company

Actuary

Investment Advisors and Transfer Agents

Critical to obtain the correct SAS 70 report (i.e. some organizations have multiple SAS 70 reports) relevant to each specific plan

Sections of SAS 70 Reports

Independent Service Auditor’s Report

Reports on auditor’s opinion about design of controls and their implementation.

Type II SAS 70 report will also report on the operating effectiveness of controls

Report will define what exactly is covered in SAS 70 report (e.g., transactions performed related to defined contribution plans)

Report will define period covered (generally six months or longer)

May include carve-outs (e.g., participant statements printed by another entity). (Note: might require additional procedures, including additional SAS 70 reports if carve-outs are significant and relevant)

Sections of SAS 70 Reports

Company Overview

Includes general discussion of company structure and operations and entity level controls (e.g., human resource practices, segregation of duties, ethics policies)

Generally includes a discussion of computerized information systems

Auditor should review and consider as part of risk assessment process of entity level controls

May also include other valuable information so should not be ignored

Sections of SAS 70 Reports

Control Objectives

Developed to address user auditor’s (i.e. Plan auditor) expected financial statement assertions

Are the responsibility of the service organization to determine and are based on anticipated user organization’s needs (e.g., EBP auditor will need sections such as contributions and distribution processing)

Should include IT general controls, such as physical and logical access, change management, back-up, etc.

***These are important and must be addressed***

Generally read as follows: “Controls provide reasonable assurance that distributions are properly approved, calculated accurately, and recorded to participant and plan accounts on a timely basis”

Sections of SAS 70 Reports

Description of Controls

Generally in narrative form to describe process overall and highlight individual controls and procedures that support the control objective

Example: Distribution processing most likely will include controls to:

Ensure proper approvals (e.g., review of distribution request form or electronic approvals in paperless format)

Review proper calculation of distributions – vesting, taxes

Ensure proper recording to participant account

Ensure proper communication to entity (trustee or custodian) remitting payment to participant or their beneficiary

Sections of SAS 70 Reports

Description of Controls (Continued)

User controls are an important consideration in understanding total control structure

Vesting might be calculated or reviewed by plan sponsor in addition to or in lieu of service organization’s review

Approval of distributions by plan sponsor, especially in paperless environment, might be based on providing termination dates of participants (usually detailed in service agreement between plan sponsor and service organization)

Sections of SAS 70 Reports

Tests of Operating Effectiveness

Included in Type II SAS 70 reports

Usually in form of matrix in SAS 70 report, sometimes in a narrative format

Outlines which controls service auditor tested and what tests were applied to determine operating effectiveness of those controls.

Sections of SAS 70 Reports

Tests of Operating Effectiveness (Continued)

Tests can include:

Inquiries to personnel responsible for performing controls

Observations of personnel actually performing controls

Inspection of documentation that provides evidence of performance of controls (e.g., completed checklist, signature of individual who reviewed form for approvals)

Re-performance of controls (e.g., test transactions run through the recordkeeping system to review proper postings)

Sections of SAS 70 Reports

Test Results

If no exceptions, generally reads “No relevant exceptions noted” or “Control objective operating effectively”

If exceptions are found, the finding will be detailed as to how many exceptions within the sample size were noted, and nature of exceptions

Sometimes other findings may be noted (e.g., No activity noted for year or that control was in place for portion of period covered by SAS 70 report)

Note: Exceptions noted may not always result in a qualification of opinion

May also include management responses to exception findings – these responses are not audited by the service auditor but may include relevant information and should be reviewed

Sections of SAS 70 Reports

Additional information provided by service organization

Generally not audited by service auditor and is so referenced in Independent Service Auditors’ report

Includes items such as disaster recovery procedures

May include items related to subsequent events such as a merger of entities or termination/change in services

Is a part of the SAS 70 report and should be reviewed to ensure no relevant information that may affect auditor’s evaluation is missed

Basics of How to Read and Evaluate SAS 70 Reports

A basic road map for auditors in how to effectively and properly review SAS 70 reports

Can be a difficult process as SAS 70 reports are not consistent among service providers nor is format consistent in how they are prepared by service auditor.

Start with Independent Service Auditors’ Report and Company Overview as these sections contain a lot of valuable information and can confirm correct SAS 70 report has been obtained. Note any qualifications and determine effect – generally specific areas such as enrollments may only affect one control objective. IT related qualifications may affect more than one area depending on nature and extent of qualification.

Auditors should keep in mind additional procedures may apply for missing key control objectives and should have prepared a list of expected areas to be covered in the SAS 70 report according to risk assessment procedures tailored to a particular client and engagement.

Basics of How to Read and Evaluate SAS 70 Reports

Control Objectives

What is there and what is missing?

Auditors of EBP plans generally look for the same control objectives including:

Plan set-up

Contributions

Enrollments

Investment Election Changes and Transfers

IT General Controls (access, changes to programs, back-up)

Investments, including purchases/sales, income and valuation

Distributions, including loans

Reconciliation and reporting

Note: For missing key control objectives or if no SAS 70 report is available, procedures to determine controls in place, the evaluation of their design and implementation must still be adequately addressed by the auditor!!

Basics of How to Read and Evaluate SAS 70 Reports

Description of Controls

Auditors should generally read through the detail of the procedures related to a specific control objective to understand overall process and identify controls in place

Warning: Controls included in this description may not always be included in testing so be aware that this may affect reliance

Basics of How to Read and Evaluate SAS 70 Reports

Tests of Operating Effectiveness

Auditors need to determine which controls were tested as included in the description of controls – usually listed with testing procedures performed

Auditors have to consider level of testing performed for reliance purposes – inquiries alone will not be sufficient evidence for confirming implementation and observations may not be considered sufficient for reliance on controls for purposes of reducing control risk below maximum to reduce substantive audit procedures

Basics of How to Read and Evaluate SAS 70 Reports

Exceptions

Auditors have to evaluate each exception, including nature of exception, extent of exception and any mitigating controls in place related to that exception.

Nature of exception: Error in processing transaction? Missing evidence? (e.g., cannot locate checklist)

Also consider – is the exception relevant to your specific client situation

Basics of How to Read and Evaluate SAS 70 Reports

Exceptions (Continued):

Extent of Exception

Isolated error?

Exception one of many included under control objective?

Did exception lead to qualification of Independent Service Auditors’ report?

Special consideration – IT general controls – exceptions and qualifications could affect more than one area and may be a significant problem in reliance and use of SAS 70 report

Basics of How to Read and Evaluate SAS 70 Reports

Exceptions (Continued):

Mitigating controls in place related to exception

Are there other controls in place at service provider to mitigate risk of error?

Other levels of review such as quality control reviews

Different access levels that may prevent issues (physical vs. logical access on systems)

Does the plan sponsor actually perform that control? (e.g., calculate vesting)

Are there mitigating controls in place at the plan sponsor? (e.g., review and approve calculation of vesting)

Note – evaluation will be different among engagements depending on controls in place and who does what

Basics of How to Read and Evaluate SAS 70 Reports

Evaluation of SAS 70 report and conclusions reached by Plan auditors should be documented clearly and adequately in audit workpapers as required by SAS 103. Documentation can include:

Copy of relevant SAS 70 reports obtained and evaluated

Checklist or Form used to evaluate SAS 70 report

Memo or checklist/form used above to document conclusions reached regarding each area as to reliance on SAS 70, and the extent of that reliance (e.g., reliance related only to design and implementation or further reliance to reduce control risk and substantive audit procedures)

Note: Reliance may vary from area to area (e.g., reliance placed to reduce substantive audit procedures in contributions, but not in distributions)

Questions?

