Governance Over Third Party Vendors
AASCIF Super Conference, Audit and Statistics
October 3, 2012
Presenter

Marc Smith, CPA, CPCU is a partner in Johnson Lambert’s Red Bank, New Jersey office where he is responsible for managing the New York metropolitan area audit practice. In that role, Marc is responsible for the strategic growth of that practice, including client development, engagement management and personnel recruiting. Johnson Lambert & Co. LLP provides audit, advisory and tax services to over 400 insurance entities and is nationally recognized in this industry. He has 17 years of public accounting experience where he has provided audit and SOC services to insurance and related industries such as third party administrators and program benefit managers. Marc is a speaker on accounting and audit topics for insurance companies. He serves on the Board of Directors for Delaware Captive Insurance Association and is also active in the Insurance Accounting and Systems Association.

Agenda

• Request for Proposals
• Service Level Agreements
• Service Organization Controls Reports
• Other Monitoring Control Considerations

Request for Proposal

• Establish a process owner
• Form and empower a selection committee
• Clarify roles and responsibilities
• Formalize the RFP process
 – Who will write the RFP
 – Establish deadlines for submission
 – Plan site visits
 – Timing of vendor selection

• Develop decision criteria for firm selection

RFP Considerations

• Description of the organization
 – Company background
 – Key products or services
 – Organizational structure
• Clearly defined statement of work
 – Description of desired services
 – Business objectives
 – Key deliverables and reports
 – Deadlines
 – Project milestones and completion dates
 – Be specific

RFP Considerations

• Qualifications of the Service Provider
 – Experience of the service team
 – Request resumes of proposed team members
 – Role of specialists
 – Use of subcontractors
 – Reliance on third parties
• Client satisfaction or quality review process
 – Customer service responsiveness and availability
 – How satisfaction deficiencies are addressed and resolved

RFP Considerations

• Conflict of interests
• External auditor independence
• Forms of insurance
 – Professional liability
 – Workers’ Compensation
 – Cyber liability

• Vendor to describe needed client roles and responsibilities

RFP Considerations

• References
 – Three is common
 – Strengths and limitations of service provider
• Background checks
 – Screening personnel
• Vendor’s financial status
 – Dun & Bradstreet
 – Credit agencies

RFP Considerations

• Business continuity and disaster recovery plans

• Transitioning to outsourcing or to a new service provider

• Fees and expenses
• Transition from proposal to contract
 – Confirm key elements of proposal are incorporated into contract

Service Level Agreements

• Enhances the level of vendor accountability
• Economic climate
 – Vendors are more willing to make concessions to accommodate customer service level needs

• Understand the technical and business requirements

• Use language such as vendor “shall” or “will” do X

• Use language that commits the vendor to using a specified level of effort – “best efforts” or “commercially reasonable efforts”

SLA Considerations

• Performance measurement methods and processes
 – Availability and access to system and reports
 – Timely delivery of reports and data
 – Will performance analysis reports need to be created?
 – Data format and data transmission security
 – Document escalation procedures

• Penalties charged in the event of nonperformance or SLA violations

SLA Considerations

• Confidentiality and privacy

• Data retention

• Independent or internal audit access to records

• Need for documented business continuity plan

• Termination provisions

Monitoring Vendor Performance

• Service Organization Control Reports (SOC)
 – Formerly SAS 70 Report, now SOC 1
 – Authoritative guidance developed by the AICPA
 – Service organization discloses their processes and control activities in a uniform format
 – SOC reports signify a service organization has had its processes and control activities examined by an independent CPA
 – New guidance introduced SOC 2 and SOC 3
 – SOC 2 and SOC 3 are focused more on IT related controls and processes

Types of SOC 1 & 2 Reports

• Type I Report
 – Includes the auditor’s opinion, management’s description of controls and summary of testing that ensures controls are effectively designed
 – Type I reports are as of a specific date in time (e.g., as of December 31, 2010)
• Type II Report
 – Includes the auditor’s opinion, management’s description of controls and highlights testing that ensures controls are effectively designed and operating effectively
 – Type II reports are for a specified period of time (e.g., January 1, 2012 through September 30, 2012)
 – Cannot cover less than six months

SOC Reports

• SOC 1 Report
 – Internal controls over financial reporting
 – Common service organizations
  • Third Party Administrators
  • Payroll Providers
  • Trustees of Retirement Savings Accounts
 – Intended users
  • Service organization
  • User organizations
  • User organizations’ independent auditors
 – Restricted use report

SOC Reports

• SOC 2 and SOC 3 Reports
 – Operational and compliance related controls
 – Common service organizations
  • Cloud Computing
  • Enterprise IT outsourcing services
  • Customer support centers
 – SOC 2 reports
  • Similar to SOC 1
  • Not financial reporting and required by auditor
 – SOC 3 report
  • General use – no restrictions
 – Trust Services Principles and Criteria

Trust Services Principles and Criteria

Domain – Principle

• Security – The system is protected against unauthorized access (both physical and logical).
• Availability – The system is available for operation and use as committed or agreed.
• Confidentiality – Information designated as confidential is protected as committed or agreed.
• Processing Integrity – System processing is complete, accurate, timely, and authorized.
• Privacy – Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA.

Reviewing SOC Reports

• Determine if Type I or Type II (SOC 1 and SOC 2)
 – For classes of transactions that are material to financial statements, Type I will not be sufficient for the independent auditors
• Determine if audit opinion is unqualified (“clean opinion”)
 – Fair presentation language
• Review report for exceptions
• Assess impact of exceptions on your operating environment

Other Monitoring Considerations

• Use of internal control questionnaires

• Management site visits

• “Right to audit clause” in SLA

• Access to vendor operations by Internal Audit or Management

• Review and test controls at vendor

Contact Information

Marc Smith, CPA
Engagement Partner

Direct Phone: (732) 236-9930
Email: [email protected]

