FINANCIAL REPORTING AND
INTERNAL CONTROL MATTERS
Diane Wasser, Amper, Politziner & Mattia, LLP
Robert A. Lavenberg, BDO Seidman, LLP
Session Contents
FASB 157
Limited Scope Audits
Risk Assessment Standards – Year 2
SAS 70
Valuation of Investments and FASB 157
Each plan will be impacted by FASB 157 for the 2008 plan year end, primarily in footnote disclosures. FASB 157:
Establishes a consistent definition of fair value and consistent method of determination under GAAP
Establishes a framework for measuring fair value under GAAP
Clarifies the definition of fair value within that framework
Expands disclosures on fair value measurements
Valuation of Investments and FASB 157
Fair Value definition:
“The price received to sell an asset or transfer a liability in an orderly transaction between market participants at the measurement date”.
The FASB discusses valuation techniques and inputs to those valuation techniques and includes a hierarchy for measurement at fair value.
The hierarchy is based on observable and unobservable inputs to valuation and the levels in the hierarchy are determined by where and how the pricing of investments is derived.
Level 1, 2 and 3 will be a discussion point with service providers and ultimately auditors.
Valuation of Investments and FASB 157
Market participants are:
Independent (not related parties)
Knowledgeable (due diligence)
Able to transact for the asset or liability
Willing to transact for the asset or liability (not forced)
Valuation of Investments and FASB 157
Measurement assumes an orderly transaction in the principal market
Principal market is the market in which the entity would sell the asset or transfer the liability with the greatest volume and level of activity OR
In the absence of a principal market the most advantageous market for the asset or liability
Valuation of Investments and FASB 157
Valuation techniques:
Market approach – prices and other relevant information from market transactions involving identical or comparable assets
Matrix pricing to value debt securities
Income approach – valuation techniques to convert future amounts to a single present amount
Cost approach – based on the amount that currently would be required to replace the service capacity of an asset
Valuation of Investments and FASB 157
Inputs refer broadly to the assumptions market participants would use in pricing the asset or liability:
Observable inputs – reflect the assumptions market participants would use based on independent market sources (published stock prices, amortized cost methods, price matrix)
Unobservable inputs – reflect the reporting entity’s own assumptions market participants would use in pricing the asset or liability based on the best information available
Valuation of Investments and FASB 157
Level 1 Inputs:
Quoted market prices (unadjusted) for identical assets or liabilities in active markets
Most reliable source of fair value
Input examples – Prices derived from NYSE, NASDAQ, Chicago Board of Trade, Pink Sheets
Valuation of Investments and FASB 157
Level 2 Inputs:
Observable inputs for
Similar assets or liabilities in active markets
Identical or similar assets in inactive markets
Inputs other than quoted prices that are directly observable
Inputs derived from observable market data by correlation or other means
Examples – Matrix pricing, market corroborated pricing, yield curves and indices
Significant adjustments may indicate Level 3
Valuation of Investments and FASB 157
Level 3 Inputs:
Unobservable inputs
Reporting entity’s own assumptions about the assumptions market participants would use
Other entity specific inputs (historical or projected financial information) that are not derived from market data
Unobservable inputs are developed based on the best information available in the circumstances
Examples – Investment manager pricing for private placements, private equities, hedge funds, etc.
Valuation of Investments and FASB 157
Disclosures:
Fair value measurements at the reporting date for each major category of assets or liabilities
Level within the fair value hierarchy where each investment category falls
Valuation techniques used to measure fair value and a discussion of changes in valuation techniques
Readdress existing investment valuation language in summary of significant accounting principles footnote
Level 3 expanded disclosures to reconcile beginning and ending balances
FASB 157 Implementation
Fair Value Measurements:
Present a table of the fair value hierarchy for the balances of the assets and liabilities of the Plan measured at fair value as of December 31, 2008.
Present a table of the changes in assets and liabilities measured at fair value using Level 3 inputs for the year ending December 31, 2008:
Realized gains (losses)
Unrealized gains (losses) relating to instruments still held at December 31, 2008
Purchases, sales, issuances and settlements (net)
FASB 157 Implementation
Full Scope:
Obtain an understanding of the plan’s process for determining fair values, as well as whether the fair value measurements and disclosures are in accordance with GAAP.
Consider the procedures and controls put in place by the plan sponsor and service provider to identify hard to value investments, validate the reliability of pricing, monitor the collectability of accrued income and modify reporting and disclosures in plan financial statements.
FASB 157 Implementation
Full scope procedures requiring price testing:
Test of year-end market values
Test of purchases and sales
Test of unrealized gains and losses
Test of realized gains and losses
FASB 157 Implementation
Primary Vendors: Interactive Data, Standard & Poor's, GEMMA Consulting, GMI, IBOXX, ISMA, Markit
Research Sources: Bloomberg, Reuters
FASB 157 Implementation
Limited Scope:
Trustee or Custodian certifies the COMPLETENESS AND ACCURACY of the plan’s investment assets and investment activity as contained in the institution’s ORDINARY BOOKS AND RECORDS, which MAY OR MAY NOT BE FAIR VALUE IN ACCORDANCE WITH GAAP.
Information certified may be BEST AVAILABLE and may not be as of the plan’s year end
FASB 157 Implementation
Whose job is it?
Custodians – provide the data
Clients – review the data and conclude
Auditors – validate and opine
Valuation of Investments and FASB 157
While management may look to a valuation service provider for the mechanics of the valuation, management should have sufficient information to evaluate and independently challenge the valuation. Therefore, it is important that plan management is familiar with the plan assets in which a plan invests and the methods and significant assumptions used to value them, especially for investments in securities or other assets for which readily determinable fair market values do not exist.
They can outsource mechanics but can NEVER outsource responsibility.
Valuation of Investments and FASB 157
A plan auditor may provide advice, research materials and recommendations to assist in making decisions about the accuracy of investment valuations and the adequacy of the related disclosures, and in establishing internal controls surrounding plan management’s investment valuations, and can also help with the financial statement preparation.
Independence.
***** Caution *****
Although presented together, limited scope audits and SAS 70 reports are two independent topics
Having a SAS 70 report does NOT constitute or provide the certification necessary to perform a limited scope audit
Session Objective – Limited Scope
We will discuss the basics but it gets complicated - quickly!
Just what is the limited scope (“L/S”) audit exemption?
What is the legislative perspective behind its application and how has it evolved?
When can a plan sponsor legitimately invoke the usage of the exemption?
What practical audit steps can be employed under a limited scope audit engagement?
Definition
Summary of ERISA Reg. 2520.103:
Where an audit is required, the financial statements accompanying the Form 5500 must be GAAP-compliant
Provides for an exclusion from the audit of investments (valuation and existence) and plan-level investment activity, if a qualifying institution holding the assets certifies to the accuracy and completeness of the information
Qualifying institutions: bank or similar institution (e.g., a trust company) or insurance carrier regulated and supervised and subject to periodic examination by a State or Federal agency
Could be asset trustee or custodian (does NOT need to be the trustee)
Definition
Summary of ERISA Reg. 2520.103 (continued):
Provides sample certification language to be used by the certifying institution
The XYZ Bank (Insurance Carrier) hereby certifies that the foregoing statement furnished pursuant to 29 CFR 2520.103-5(c) is complete and accurate.
Indicates that certification extends to “ordinary business records” of the certifying institution
The certification must be signed by a person authorized to represent the insurance carrier or bank
Definition
The certification applies only to investments
All other areas of plan activity, including eligibility, contributions, distributions and expenses, must be subjected to full audit procedures
No audit procedures are performed on investments and related activity covered by the certification (including no review of internal control over investments or analytical review of income)
Limited Scope - Auditor’s Responsibility - Investments
Compare the certified information to the form and content of the financial statements and footnote disclosures
Determine that the financial statements and disclosures are in compliance with GAAP and DOL requirements
Test income allocation to participants
Make sure 5% of net asset disclosure is made
Limited Scope - Auditor’s Responsibility - Investments
Make sure to include the certification footnote in the financial statements and references to the information that is certified
If something unusual comes to your attention - investigate (e.g., cost = fair value for hard to value assets, fair value has not changed for several years, or asset is not included in certified statements)
If any material discrepancies are noted, the plan administrator should investigate and consider:
Requesting trustee/custodian to correct and either recertify or amend the certification
If information is excluded, the plan administrator is responsible for proper valuation and reporting
Engage the auditor to perform a full-scope audit and/or full scope procedures, as appropriate
Why the Limited Scope Audit Made Sense in 1974
What was the DOL looking for?
Recall the pre-ERISA environment: do you know where your plan assets are?
ERISA designed to ensure that the assets exist & that plan values are accurate
Certifying institutions played a prominent, if not exclusive, role in the New World order
ERISA required plan assets to be held in a trust or insurance contract
Holding assets in a trustee’s vault (versus the plan administrator’s file cabinet) provided vastly more comfort over the existence assertion
Trustee/custodians provided a valuation independent of the plan sponsor’s
Fair value of plan assets was more commonly part of the trustee or custodian's “ordinary business records”
Plan investments had readily determinable market values
Plan & Trust Structures were less complex
Common Types of Plan Investments - 1974
Common stocks
Mutual funds
Corporate bonds
US Government securities
Common or collective trusts (“CCTs”)
Unallocated insurance contracts
Pooled separate accounts (“PSAs”)
Master trusts – holding any or all of these investment types
So, what changed? That was then. This is now.
Investments - Explosion of new investment vehicles found their way into the employee benefit world:
Hedge funds
Venture capital
Private equity
Real estate
Art work
Precious metals
So, what changed? That was then. This is now.
Shadow Accounting - Emergence of specialized service providers resulting in more assets held outside the trust (derivatives, currency hedging, etc.)
Heightened awareness of custodians
What are they really certifying to?
Does an independent “market value” always equate to “fair value”?
Custodial Asset Pricing Processes & Certifications
FAS 157 - Fair Value Measurements - shines a floodlight on custodial pricing processes
Requires deeper dive into custodial pricing vendors & their methodologies, to facilitate bucketing of assets into Level 1, 2, 3
Best available, versus Fair Value
Changing Audit Climate
Sarbanes-Oxley Act of 2002
AICPA Employee Benefit Plan Audit Quality Center (“EBAQC”)
Plan audits no longer considered low risk audits
More focused & disciplined approach to EB audits
Audit Guides/Risk Alerts discuss HTVAs and LPs specifically
AICPA Practice Aid on Auditing Alternative Investments (July 06)
Reiterates management’s responsibility for valuation oversight
Questions the premise of plan sponsor’s sole reliance on the custodian’s prices
Audit Standards (SAS 112/114)
Formalized required communication to management
Provides another reason to ensure that the audit is top-notch and that the “T’s” are crossed and the “I’s” are dotted
Relevancy of the Limited Scope Audit in Today’s Environment
The environment has changed, but the regulations have not
Is the extinction of the limited scope audit imminent?
When is the limited scope audit applicable?
Investment types and valuations are key drivers to determining audit level:
Marketable securities with readily determinable values
Highly regulated Common or Collective Trusts (“CCTs”)/Pooled Separate Accounts (“PSAs”) invested in marketable securities
Eligibility of certifying institution
Clear designation of the entity that is holding the plan assets
No 11-K filing is required
To Limit, or Not to Limit. That is the question!
Who owns the decision to invoke the L/S audit exemption? The Plan Sponsor!
Requires a Paradigm Shift on the part of the plan sponsor:
Do they view the L/S exemption as an automatic entitlement, or as a privilege?
Are they aware of what their certifying entity is actually certifying to?
Are they prepared to engage their auditors in a discussion about the appropriate level of audit work, in advance of the audit?
Do they have a formal pricing policy and valuation oversight monitoring and signoff process, or are they relying exclusively on the custodial statements?
Investments – Full Scope Audits
What is different from a Limited Scope?
Confirm directly with holder of assets (more than one custodian may hold assets)
Test of year-end market values
Test of interest
Test of dividends
Test of purchases and sales
Test of unrealized gains and losses
Test of realized gains and losses
What the Plan Sponsor Needs to Consider Before Invoking the Limited Scope Audit Exemption
AICPA has added branches to the Limited Scope Audit Decision Tree in the EB Audit Guide:
What percentage of plan assets are invested in holdings that do not have readily determinable market values?
Can the plan sponsor rely exclusively on the certification for the fair value, or does their valuation committee rely on other investment analysis to supplement the custody values before signing off on the fair value for any Hard To Value Assets (“HTVA”)? If the latter is the case, there is less chance of relying on the limited scope exemption.
Practical Audit Steps in a Limited Scope Engagement
Determine eligibility of certifying entity in accordance with ERISA Reg 2520.103-5
Gain comfort with variations of the wording of the certification - examples of acceptable and non-acceptable wording (e.g., “… to the best of my knowledge and belief”)
Narrow down the investment versus non-investment transaction activity that falls within the L/S exemption
Determine the relevancy of the SAS 70 and assess the service provider and related user controls under a L/S engagement
Gain comfort with the certification of plan balances when the assets of multiple plans are commingled and held within a master trust
Practical Audit Steps in a Limited Scope Engagement
How can you tell from the investment statement whether the certified values for LPs are current values or lagged values?
What do you do when you become aware that the values are lagged? Is amending and recertifying the year-end statement to reflect the updated values an acceptable alternative?
When can you carve out assets that require a full-scope audit, without changing the scope of your engagement, and how does that impact your opinion letter?
Will insurance carriers and banks be certifying to fair value in accordance with FAS 157?
Participant Allocation Testing
Required in limited scope as allocation not certified
Consider using investment returns for month or quarter
Some firms testing allocations of interest and dividends
Cannot completely rely on a SAS 70 Service Organization report – even a Type II
A SAS 70 report is NOT a Certification and is not related to the limited scope exemption
Certification of Participant Loans
Does the certification truly cover loans?
Substance over form considerations
Often times not covered by certification for unbundled plans (record keeper and custodian are separate entities)
Who keeps the records (e.g., amortization schedule, note, etc.)?
When loans aren’t properly certified:
Do not indicate in report that all investments are covered (only certain ones)
Certification footnote should be clear that loans are not certified
Even if properly certified, loan compliance testing is still required
Limited Scope & Master Trusts
Master trust certification – doesn't allow you to do a limited scope audit of the plan
Certification must be at plan level if doing a limited scope audit
The appendix to the AICPA guide defines a master trust as, "a trust for which a regulated financial institution serves as trustee or custodian... and in which assets of more than one plan sponsored by a single employer or by a group of employers under common control are held."
Limited Scope Certifications - Agents
Agents Certifying for Trustee/Custodian
The plan administrator should determine whether the party providing the certification (the agent) is in fact authorized to represent the insurance carrier, bank or similar institution holding the assets of the plan.
The plan administrator should take steps to ensure they understand the nature and scope of the certification the agent has provided before concluding that the certified information may be used to satisfy the limited scope exemption
Agent Certifications – Scope Language
“… any auditing procedures with respect to the information described in Note X, which was certified by ABC, Inc., the record keeper of the Plan as agent for XYZ Bank, the trustee of the Plan, …”
“The plan administrator has obtained a certification from the agent on behalf of the trustee …”
Agent Certifications – Opinion Language
“… other than that derived from the information certified by the agent on behalf of the trustee, have been audited …”
Best practice – plan administrator should obtain and review the agency agreement
Getting Plan Sponsors on Board
Pre-Engagement Meeting Discussions: extend invitations to Investment Committee contacts
Sharing Copies of Relevant Materials:
DOL’s Internal Controls over Financial Records of the Plan
AICPA Audit Guides
AICPA Practice Aid on Auditing Alternative Investments
AICPA EBPAQC Webcasts
These slides
Risk Assessment Standards – Year 2
ASB issued the standards to improve the quality and effectiveness of audits by focusing on audit risk
Auditors need to have a more in-depth understanding of our clients and their environment, including internal control, in order to be able to identify and assess the risk of material misstatement
Designing and performing audit procedures in response to those risks at the financial statement level and at the relevant assertion level for account balances and transactions classes
Improved linkage between the assessed risks, audit procedures and conclusions
Risk Assessment Standards – Summary SAS 104 – 111, Year 2
Pre-Engagement Activities - Acceptance of the client, independence, management integrity, etc., engagement letter.
Planning the audit
Gain an understanding of the plan and its environment: ERISA and DOL regulations, new accounting pronouncements, changes in economic environment, plan type and provisions, tone at the top, plan oversight, measurement and review of plan’s performance, actuarial reports, controls at plan and controls at outside service providers (SAS 70’s)
Perform preliminary analytical procedures: current year to prior year, actuarial assumptions, investment returns, etc.
Discussion among engagement team
Identify fraud risk factors: nature of plan investments, plan operations, party in interest
Determine materiality at F/S level
Risk Assessment Standards – Summary
Assess risk of material misstatement at the overall financial statement level and complete overall audit strategy and overall responses at the financial statement level
Assess risk of material misstatement in relation to relevant assertions for major transaction classes (participant account activity), account balances (investments, receivables, payables) and disclosures
Identify major audit areas = audit areas with material transaction classes, account balances, disclosures
Areas with potential significant risk could be investments without readily determinable market value, new investments, SAS 70 errors, operational defects or non routine transactions, etc.
Areas where substantive procedures alone are not sufficient
Risk Assessment Standards – Summary
Develop a detailed audit plan for the nature, timing and extent of further audit procedures which include tests of controls, substantive procedures (tests of details and analytical procedures) and evaluate disclosures
Evaluate results of audit procedures to determine if they are sufficient and document linkage of procedures with the assessed risks at the relevant assertion level
***** Caution *****
Although presented together, limited scope audits and SAS 70 reports are two independent topics
Having a SAS 70 report does NOT constitute or provide the certification necessary to perform a limited scope audit
SAS 70s - Session Objectives
For this part of the session we will discuss the basics of SAS 70 reports including:
History and purpose of SAS 70 reports
Difference between types of SAS 70 reports
Sections of SAS 70 reports
Basics of how to read and evaluate SAS 70 reports
History and Purpose of SAS 70s
Auditors are required to gain an understanding of internal controls to plan the audit
New Risk Assessment Standards, specifically SAS 109, which superseded SAS 55, now require auditors to evaluate the design and implementation of controls at a client
Plan sponsors generally outsource a significant portion of the plan’s operations to third party providers (e.g., record keepers, custodians) and controls covering these operations also need to be considered
SAS 70 reports tend to be the most efficient way to meet these requirements
Daily valuation of plans highlighted the need for more use of SAS 70 reports in the Employee Benefit Plan (“EBP”) industry
Auditors must consider both the service organizations’ AND plan sponsor controls
History and Purpose of SAS 70s
SAS 70 reports address both the evaluation of design and implementation of controls
Evaluation of Design
Service auditors who prepare SAS 70 reports evaluate the design of the controls by the service organization and will report on any noted design deficiencies in the independent service auditors’ report.
Controls need to be designed to support the control objective (e.g., contributions are recorded to the plan and participants’ accounts on an accurate and timely basis)
EBP Auditor should consider user organization (i.e. Plan sponsor) controls as well as service provider controls (e.g., contribution and payroll information remitted to service organization are accurate)
History and Purpose of SAS 70s
Implementation of Controls
Service auditor will design their tests of controls, depending on type of SAS 70 report to be issued, to determine implementation and operating effectiveness of controls at the service organization
Testing includes inquiry, observations, inspection and re-performance
Note: The type of testing performed by the service auditor makes a difference!!
Auditors must consider the effect of exceptions or qualifications noted in the SAS 70 report related to either design deficiencies or operating effectiveness as part of auditor’s overall risk assessment
Remember – SAS 70 reports are only one part of the risk assessment process associated with controls. Plan sponsor user controls must be addressed as well.
Differences – Types of SAS 70s
Two Types of SAS 70 Reports:
Type I SAS 70 Report
Service auditor will evaluate design of controls and confirm implementation of controls as of a point in time (e.g., as of December 31, 200X)
Addresses risk assessment requirements to a point
Does not include testing of operating effectiveness over a period of time (e.g., period ended December 31, 200X)
Type II SAS 70 Report
Same as a Type I report but includes testing of operating effectiveness over a period of time
Much more useful report for the auditor’s risk assessment procedures and could potentially be used to reduce substantive audit procedures
Differences – Types of SAS 70s
In the EBP industry, there are several organizations that may provide a SAS 70 report that the auditor might utilize depending on scope and type of audit:
Trust Company or Custodian
Record keeper
Combined Trust/Custodian and Record keeper
Payroll/Human Resource Company
Actuary
Investment Advisors and Transfer Agents
Critical to obtain the correct SAS 70 report (i.e. some organizations have multiple SAS 70 reports) relevant to each specific plan
Sections of SAS 70 Reports
Independent Service Auditor’s Report
Reports on auditor’s opinion about design of controls and their implementation.
Type II SAS 70 report will also report on the operating effectiveness of controls
Report will define what exactly is covered in SAS 70 report (e.g., transactions performed related to defined contribution plans)
Report will define period covered (generally six months or longer)
May include carve-outs (e.g., participant statements printed by another entity). Note: might require additional procedures, including additional SAS 70 reports, if carve-outs are significant and relevant.
Sections of SAS 70 Reports
Company Overview
Includes general discussion of company structure and operations and entity level controls (e.g., human resource practices, segregation of duties, ethics policies)
Generally includes a discussion of computerized information systems
Auditor should review and consider as part of risk assessment process of entity level controls
May also include other valuable information so should not be ignored
Sections of SAS 70 Reports
Control Objectives
Developed to address user auditor’s (i.e. Plan auditor) expected financial statement assertions
Are the responsibility of the service organization to determine and are based on anticipated user organization’s needs (e.g., EBP auditor will need sections such as contributions and distribution processing)
Should include IT general controls, such as physical and logical access, change management, back-up, etc.
***These are important and must be addressed***
Generally read as follows: “Controls provide reasonable assurance that distributions are properly approved, calculated accurately, and recorded to participant and plan accounts on a timely basis”
Sections of SAS 70 Reports
Description of Controls
Generally in narrative form to describe process overall and highlight individual controls and procedures that support the control objective
Example: Distribution processing most likely will include controls to:
Ensure proper approvals (e.g., review of distribution request form or electronic approvals in paperless format)
Review proper calculation of distributions – vesting, taxes
Ensure proper recording to participant account
Ensure proper communication to entity (trustee or custodian) remitting payment to participant or their beneficiary
Sections of SAS 70 Reports
Description of Controls (Continued)
User controls are an important consideration in understanding total control structure
Vesting might be calculated or reviewed by plan sponsor in addition to or in lieu of service organization’s review
Approval of distributions by plan sponsor, especially in paperless environment, might be based on providing termination dates of participants (usually detailed in service agreement between plan sponsor and service organization)
Sections of SAS 70 Reports
Tests of Operating Effectiveness
Included in Type II SAS 70 reports
Usually in form of matrix in SAS 70 report, sometimes in a narrative format
Outlines which controls service auditor tested and what tests were applied to determine operating effectiveness of those controls.
Sections of SAS 70 Reports
Tests of Operating Effectiveness (Continued)
Tests can include:
Inquiries to personnel responsible for performing controls
Observations of personnel actually performing controls
Inspection of documentation that provides evidence of performance of controls (e.g., completed checklist, signature of individual who reviewed form for approvals)
Re-performance of controls (e.g., test transactions run through the recordkeeping system to review proper postings)
Sections of SAS 70 Reports
Test Results
If no exceptions, generally reads “No relevant exceptions noted” or “Control objective operating effectively”
If exceptions are found, the finding will be detailed as to how many exceptions within the sample size were noted, and nature of exceptions
Sometimes other findings may be noted (e.g., No activity noted for year or that control was in place for portion of period covered by SAS 70 report)
Note: Exceptions noted may not always result in a qualification of opinion
May also include management responses to exception findings – these responses are not audited by the service auditor but may include relevant information and should be reviewed
Sections of SAS 70 Reports
Additional information provided by service organization
Generally not audited by service auditor and is so referenced in Independent Service Auditors’ report
Includes items such as disaster recovery procedures
May include items related to subsequent events such as a merger of entities or termination/change in services
Is a part of the SAS 70 report and should be reviewed to ensure no relevant information that may affect auditor’s evaluation is missed
Basics of How to Read and Evaluate SAS 70 Reports
A basic road map for auditors in how to effectively and properly review SAS 70 reports
Can be a difficult process as SAS 70 reports are not consistent among service providers, nor is format consistent in how they are prepared by service auditor.
Start with Independent Service Auditors’ Report and Company Overview as these sections contain a lot of valuable information and can confirm correct SAS 70 report has been obtained. Note any qualifications and determine effect – generally specific areas such as enrollments may only affect one control objective. IT related qualifications may affect more than one area depending on nature and extent of qualification.
Auditors should keep in mind additional procedures may apply for missing key control objectives and should have prepared a list of expected areas to be covered in the SAS 70 report according to risk assessment procedures tailored to a particular client and engagement.
Basics of How to Read and Evaluate SAS 70 Reports
Control Objectives
What is there and what is missing? Auditors of EBP plans generally look for the same control objectives including:
Plan set-up
Contributions
Enrollments
Investment Election Changes and Transfers
IT General Controls (access, changes to programs, back-up)
Investments, including purchases/sales, income and valuation
Distributions, including loans
Reconciliation and reporting
Note: For missing key control objectives or if no SAS 70 report is available, procedures to determine controls in place, the evaluation of their design and implementation must still be adequately addressed by the auditor!!
Basics of How to Read and Evaluate SAS 70 Reports
Description of Controls
Auditors should generally read through the detail of the procedures related to a specific control objective to understand overall process and identify controls in place
Warning: Controls included in this description may not always be included in testing so be aware that this may affect reliance
Basics of How to Read and Evaluate SAS 70 Reports
Tests of Operating Effectiveness
Auditors need to determine which controls were tested as included in the description of controls – usually listed with testing procedures performed
Auditors have to consider level of testing performed for reliance purposes – inquiries alone will not be sufficient evidence for confirming implementation and observations may not be considered sufficient for reliance on controls for purposes of reducing control risk below maximum to reduce substantive audit procedures
Basics of How to Read and Evaluate SAS 70 Reports
Exceptions
Auditors have to evaluate each exception, including nature of exception, extent of exception and any mitigating controls in place related to that exception.
Nature of exception: Error in processing transaction? Missing evidence? (e.g., cannot locate checklist)
Also consider – is the exception relevant to your specific client situation
Basics of How to Read and Evaluate SAS 70 Reports
Exceptions (Continued): Extent of Exception
Isolated error?
Exception one of many included under control objective?
Did exception lead to qualification of Independent Service Auditors’ report?
Special consideration – IT general controls – exceptions and qualifications could affect more than one area and may be a significant problem in reliance and use of SAS 70 report
Basics of How to Read and Evaluate SAS 70 Reports
Exceptions (Continued): Mitigating controls in place related to exception
Are there other controls in place at service provider to mitigate risk of error?
Other levels of review such as quality control reviews
Different access levels that may prevent issues (physical vs. logical access on systems)
Does the plan sponsor actually perform that control? (e.g., calculate vesting)
Are there mitigating controls in place at the plan sponsor? (e.g., review and approve calculation of vesting)
Note – evaluation will be different among engagements depending on controls in place and who does what
Basics of How to Read and Evaluate SAS 70 Reports
Evaluation of SAS 70 report and conclusions reached by Plan auditors should be documented clearly and adequately in audit workpapers as required by SAS 103. Documentation can include:
Copy of relevant SAS 70 reports obtained and evaluated
Checklist or form used to evaluate SAS 70 report
Memo or checklist/form used above to document conclusions reached regarding each area as to reliance on SAS 70, and the extent of that reliance (e.g., reliance related only to design and implementation or further reliance to reduce control risk and substantive audit procedures)
Note: Reliance may vary from area to area (e.g., reliance placed to reduce substantive audit procedures in contributions, but not in distributions)
Questions?