6.13 Internal control of a benefit plan consists of the controls at the sponsor as well as the controls at applicable service organizations who perform signifi-cant plan functions including but not limited to processing of participant-level transactions such as contributions and distributions, investment custody and valuation, and execution of investment transaction. For a further discussion of internal control as it relates to investments, see the "Internal Control" sec-tion in chapter 7 of this guide. SAS No. 70, Service Organizasec-tions (AICPA, Professional Standards, vol. 1, AU sec. 324), as amended, provides guidance on the factors an independent auditor should consider when auditing the fi-nancial statements of an entity, such as an employee benefit plan that uses a service organization to process certain transactions that are part of the plan's information system. SAS No. 70, as amended, also provides guidance for inde-pendent auditors who issue reports on the processing of transactions by service organizations, such as bank trust departments, third-party administrators, or data processing service organizations, for use by other auditors. A report pre-pared in accordance with SAS No. 70, as amended, may be useful in providing user auditors with a sufficient understanding of controls at the service orga-nization to assess the risks of material misstatement in accordance with AU section 314 (SAS No. 109). See the AICPA Audit Guide Service Organizations:
Applying SAS No. 70, as Amended, for additional guidance for user auditors engaged to audit the financial statements of entities that use service organiza-tions and for service auditors engaged to issue reports on the controls of service organizations.
6.14 Under SAS No. 70, as amended, two types of reports may be issued by a service auditor:†
a. A Report on Controls Placed in Operation (type 1 report) is a report on a service organization's description of its controls that may be relevant to a user organization's internal control as it relates to an audit of financial statements. It addresses whether the description presents fairly, in all material respects, the relevant aspects of the service organization's controls that had been placed in operation as of a specified date and whether such controls were suitably de-signed to provide reasonable assurance that the specified control objectives would be achieved if those controls were complied with satisfactorily. Such reports may be useful in providing user audi-tors with an understanding of the service organization's controls sufficient to assess the risks of material misstatement and design the nature, timing, and extent of further audit procedures at the user organization. However, they are not intended to provide user auditors with a basis for reducing their assessment of control risk to low or moderate2for relevant financial statement assertions af-fected by the controls.
b. A Report on Controls Placed in Operation and Tests of Operating Ef-fectiveness (type 2 report) is a report on a service organization's de-scription of its controls that may be relevant to a user organization's internal control as it relates to an audit of financial statements. It addresses whether the description presents fairly, in all material respects, the relevant aspects of the service organization's controls that had been placed in operation as of a specified date; whether such controls were suitably designed to provide reasonable assur-ance that the specified control objectives would be achieved if those controls were complied with satisfactorily; and whether the con-trols that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the related control objectives were achieved during the period specified. Such reports may be useful in providing user auditors with an under-standing of the service organization's controls that is sufficient to assess the risks of material misstatement and design the nature, timing, and extent of further audit procedures and may also provide user auditors with a basis for reducing their assessment of control risk to low or moderate for relevant financial statement assertions affected by the controls.
† It has come to the AICPA's attention that in some cases, service auditors' engagements are being performed and reported on by consulting organizations that are not licensed CPA firms. SAS No. 70, Service Organizations (AICPA, Professional Standards, vol. 1, AU sec. 324), which is part of generally accepted auditing standards (GAAP), is intended for use by licensed CPAs. For a user auditor to use a service auditor's report, it must be issued by a licensed CPA. CPAs may not use a report provided by an unlicensed individual or entity. User auditors should be alert to the possibility that a service auditor's report may not have been prepared by a licensed CPA and should consider contacting a representative of an unfamiliar organization to verify that the organization is properly licensed, peer reviewed, and able to provide its peer review report and letter of comments and response. If the organization is unlicensed, CPAs are advised to convey that finding to the state board of accountancy in the state in which the engagement was performed or to their own state board.
2This assessment may be in terms of qualitative terms such as high, medium, low or in quanti-tative terms such as percentages.
6.15 The type of report (type 1 or type 2) provided by the service organi-zation may affect the nature, timing, and extent of the audit procedures per-formed by the auditor of an employee benefit plan. For example, a bank trust department may specify the control objective that security prices are received timely from an authorized source and properly used to price securities. If the bank provides a type 1 report, the report may be useful in providing the audi-tor with sufficient information to assess the risks of material misstatement, in other words, to assess whether there are any deficiencies in the design of the controls that could affect relevant financial statement assertions in the user organization's financial statements. However, the auditor would have no ba-sis to conclude that the controls were operating with sufficient effectiveness to achieve the control objective because they have not been tested. Therefore, the auditor may have to expand the testing of prices used at year-end. If, however, the bank provided a type 2 report, the auditor could have a basis to rely on the effective operation of controls and therefore reduce the extent of the price testing.
6.16 A SAS No. 70 report may provide the most efficient means to obtain an understanding of relevant controls at the service organization. Reading the entire SAS No. 70 document could help the auditor to determine if there are any instances of noncompliance with the service organization's controls iden-tified in (a) the service auditor's report, (b) the attached service organizations description of controls, and (c) the information provided by the service auditor, which may include a description of tests of operating effectiveness and other information. If the service organization's SAS No. 70 report identifies instances of noncompliance with the service organization's controls, the plan auditor may consider the effect of the findings on the assessed level of control risk for the audit of the plan's financial statements, and as a result the plan auditor may decide to perform additional tests at the service organization or, if possible, perform additional audit procedures at the plan. In certain situations the SAS No. 70 report may identify instances of noncompliance with the service orga-nization's controls but the plan auditor concludes that no additional tests or audit procedures are required because the noncompliance does not affect the assessment of control risk for the plan. It is important for the user auditor to read and consider both the report and the evidence provided by the tests of operating effectiveness and relate them to the relevant assertions in the user organization's financial statements. Although a type 2 report may be used to reduce substantive procedures, neither a type 1 nor a type 2 report is designed to provide a basis for assessing control risk sufficiently low to eliminate the need for performing any substantive tests for all of the assertions relevant to significant account balances or transaction classes. Paragraph .51 of AU section 318 (SAS No. 110), Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained (AICPA, Professional Standards, vol. 1), states that regardless of the assessed risk of material misstatement, the auditor should design and perform substantive procedures for all relevant assertions related to each material class of transactions, account balance, and disclosure.
6.17 It may be necessary for the plan auditor to inquire of the plan's man-agement whether the service organization has reported any uncorrected errors to the user organization and evaluate whether such errors will affect the na-ture, timing, and extent of his or her audit procedures. In certain instances, the plan auditor may need to obtain additional information to make this evaluation
by contacting the service organization and the service auditor to obtain the nec-essary information.
6.18 For a limited-scope audit, the auditor has no responsibility to obtain an understanding of the controls maintained by the certifying institution over assets held and investment transactions executed by the institution. Therefore in a limited-scope audit, to the extent that the service organization is only providing investment transaction services, no SAS No. 70 report is required.
However, if the provider is also providing services such as the processing of participant level transactions, a SAS No. 70 report may be obtained, if it is available and covers these activities.
6.19 When the administrator elects a full scope audit, even though a lim-ited scope audit could be performed (see paragraphs 5.13 and 13.26–.32 for a discussion of limited scope audits), or where the trustee or custodian does not qualify for the limited scope audit exemption, the auditor may need to obtain an understanding of controls at the trustee or custodian. A similar understanding may also be obtained for information processed by the trustee or custodian re-lated to financial statement components not subject to the limited scope audit exemption, for example, benefit claims or payments. As previously noted, this understanding can be efficiently achieved by obtaining and reading the entire SAS No. 70 document for the service organization. In determining whether a SAS No. 70 report would be useful, the degree of interaction and the nature and materiality of the transactions processed by the service organization for the user organization are the most important factors to consider. Reading the description of controls may help the auditor to determine whether complemen-tary user organization controls are required and whether they are relevant to the service provided to the plan. If they are relevant to the plan, the plan auditor should consider such information in assessing the risks of material misstate-ment. See exhibit B-2, Examples of User Controls When a Service Organization is Utilized, in appendix B of this guide for examples of user controls.
6.20 Service providers are not required to furnish SAS No. 70 reports. If a SAS No. 70 report is not available, information about the nature of the services provided by the service organization that are part of the user organization's information system and the service organization's controls over those services may be available from a wide variety of sources, such as user manuals, system overviews, technical manuals, the contract between the user organization and the service organization, and reports by internal auditors, or regulatory au-thorities on the service organization's controls. If the services and the service organization's controls over those services are highly standardized, information obtained through the user auditor's prior experience with the service organi-zation may be helpful in assessing the risks of material misstatement. The user auditor may consider utilizing the specific control objectives and selected controls provided in exhibit B-1 of Appendix B of this guide in obtaining this understanding. If the user auditor concludes that the available information is not adequate to obtain a sufficient understanding of the service organization's controls to assess the risks of material misstatement and design the nature, timing, and extent of further audit procedures, the user auditor may consider contacting the service organization through the user organization, to obtain specific information or request that a service auditor be engaged to perform procedures at the service organization. If the user auditor is unable to obtain sufficient evidence to achieve the audit objectives, the user auditor should qual-ify the audit opinion or disclaim an opinion on the financial statements because
of a scope limitation. (Historically, the DOL has rejected Form 5500 filings that contain either qualified opinions, adverse opinions or disclaimers of opinion on plan financial statements other than those issued in connection with a limited scope audit pursuant to 29 CFR 2520.103-8 or 12.)
6.21 A report prepared in accordance with SAS No. 70, as amended, for the service organization, for use by auditors of financial statements of employee benefit plans, will typically address in that report the control objectives that are relevant to the specific objectives of employee benefit plans as set forth in exhibit B-1.
6.22 Benefit plans are increasingly using service providers to initiate, ex-ecute and perform the accounting processing of transactions on behalf of the plan administrator. Often the plan does not maintain independent accounting records of such transactions. For example, for 401(k) plans, many plan spon-sors no longer maintain participant enrollment forms detailing the contribution percentage and the investment fund allocation option. For health and welfare plans, often claims are submitted electronically from the health care provider directly to a claims administrator for adjudication and payment. In these sit-uations, the auditor may not be able to obtain a sufficient understanding of internal control relevant to such transactions to assess the risks of material misstatement and design the nature, timing, and extent of further audit pro-cedures without considering those components of internal control maintained by the service organization. This understanding can be efficiently achieved by obtaining and reading the entire document prepared in accordance with SAS No. 70 for the service organization. SAS No. 70 reports generally cover the rel-evant operations of a service organization; however, certain operations of the service organization may not be addressed in the SAS No. 70 report, and those operations may be significant to the plan audit. In these instances, the engage-ment team will need to obtain an understanding of the controls in the relevant areas excluded from the scope of the SAS No. 70 report.
6.23 In some cases, a provider may choose to engage an auditor to prepare a SAS No. 70 report on a rotating basis instead of annually. A report on controls placed in operation that is as of a date outside the plan's reporting period may be useful in providing the plan auditor with a preliminary understanding of the controls placed in operation at the service organization if the report is sup-plemented by additional current information. If this occurs, it is important for the service organization to be contacted to discuss any system changes, major changes in controls, or mergers or acquisitions that occurred during the year. If these changes have occurred, it is important for the engagement team to obtain an understanding of the changes and consider the effect of the changes on the audit. If the SAS No. 70 report is unavailable, the auditor should consider other appropriate procedures to obtain sufficient appropriate evidence to achieve the audit objectives. For example, if participant information is unavailable from the plan sponsor, the auditor may wish to confirm the information directly with the participants. Alternatively, the auditor may consider requesting information from the service provider or visiting the service provider to perform the neces-sary testing. For defined contribution plans, the service provider may be able to provide detailed transaction reports at the plan or participant level, such as telephone or electronic means transaction reports, trade batch reports, dis-tribution summaries, loan ledgers or details of purchases, sales and dividends posted to individual accounts.
6.24 If the independent auditor determines that the service organization had effective controls in place for processing plan transactions during the re-porting period, the auditor generally would conclude that it is not necessary to visit or perform additional procedures at the service organization. If, however, the auditor believes that the service auditor's report may not be sufficient to meet his or her objectives, the auditor may supplement his or her understand-ing of the service auditor's procedures and conclusions by discussunderstand-ing with the service auditor the scope and results of the service auditor's work. Also, if the auditor believes it is necessary, he or she may contact the service organiza-tion, through the user organizaorganiza-tion, to request that the service auditor perform agreed-upon procedures at the service organization or the auditor may perform such procedures. Following are some examples of those situations:
a. The service organization issued a SAS No. 70 report describing the controls placed in operation ("type 1" report) and the auditor wishes to determine whether to reduce the assessed level of control risk at the service organization—Determine whether it is more efficient to attempt to reduce the assessed level of control risk for the relevant assertions affected by the services performed at the service organi-zation that are part of the plan's information system, or to perform additional audit procedures on the plan's financial statements. If the plan auditor decides it is more efficient to assess the operating effectiveness of the service organization's controls placed in opera-tion, perform tests of the service organization's controls, most likely at the service organization.
b. The service organization's SAS No. 70 report covers a different re-porting period than the plan's fiscal year—Inquiry of the service or-ganization or its auditor to determine whether there were changes in the service organization's controls during the period not covered by the SAS No. 70 report. If the period not covered is significant, or there have been changes in the controls, gain an understanding of the service organization's controls relating to the plan's transac-tions during the period not covered by the SAS No. 70 report.
c. The service organization's SAS No. 70 report covers only some of the services used by the plan (for example, the report might cover custo-dial services but not allocation services) or the report does not cover activities performed by subservice organizations—Gain an under-standing of the controls related to the services not covered in the SAS No. 70 report as they relate to the plan's transactions processed by the service organization that are part of the plan's information system. If the user auditor does not have sufficient information to assess control risk as low or moderate, the plan auditor may decide to perform additional tests of the service organization's controls or perform additional audit procedures on the plan's financial state-ments. Obtain a copy of the subservice organization's SAS No. 70 report, if one was issued. Additionally, a service organization may use another service organization to perform functions or processing
c. The service organization's SAS No. 70 report covers only some of the services used by the plan (for example, the report might cover custo-dial services but not allocation services) or the report does not cover activities performed by subservice organizations—Gain an under-standing of the controls related to the services not covered in the SAS No. 70 report as they relate to the plan's transactions processed by the service organization that are part of the plan's information system. If the user auditor does not have sufficient information to assess control risk as low or moderate, the plan auditor may decide to perform additional tests of the service organization's controls or perform additional audit procedures on the plan's financial state-ments. Obtain a copy of the subservice organization's SAS No. 70 report, if one was issued. Additionally, a service organization may use another service organization to perform functions or processing