SAS 70 Overview and Planning Guide For Third Party Administrators

The American Institute of Certified Public Accountants’ (AICPA)
Statement on Auditing Standards (SAS) No. 70:
REPORTS ON THE PROCESSING OF TRANSACTIONS BY SERVICE ORGANIZATIONS
aka, “Third Party Report on Controls”

Prepared by: Amper, Politziner, & Mattia, P.C.

Why will your clients ask for a SAS70 report (if they have not already)?
Clients of Third Party Administrators (TPAs) need assurance that the internal controls environment of the TPA meets their needs. Increasingly, the standards imposed by the TPA’s clients are those associated with the Sarbanes-Oxley Act (SOA) of 2002. The SOA requires publicly traded companies (SEC registrants) to certify the design and operational effectiveness of their internal controls environment. Even for privately held companies, SOA is becoming a de facto standard associated with effective corporate governance. In fact, the NAIC/AICPA Working Group of the NAIC Financial Condition Committee has proposed adopting SOA Section 404 provisions. These developments are increasingly causing users of TPAs to require independent verification that the TPA’s controls environment meets SOA internal control standards.

A SAS70 report serves as an attestation from a CPA firm that the controls as asserted by the TPA are designed and operating effectively. External auditors of the TPA’s clients may choose to rely on this report when developing their audit programs so as to reduce substantive testing of the TPA activities.

What should a TPA do to prepare for and obtain a SAS70 certification?
The following graphic summarizes our approach to SAS70 Readiness and Compliance Reporting. Following this approach, there are three important milestones for the TPA seeking to achieve a SAS70 report that fulfills their clients’ needs.

MILESTONE – I. READINESS ACTIVITIES
The purpose of this phase is to ensure that the TPA has taken steps to maximize the probability of achieving a SAS70 attestation evaluation that is unqualified with respect to their control assertions, and that those assertions are consistent with their clients’ control requirements. Since their clients are often interested in ensuring SOA compliance, the TPA needs to ensure that the control environment associated with the delivery of their services meets the standards and guidelines associated with SOA. These include standards from the Public Company Accounting Oversight Board (PCAOB) and the SEC.

The existing standards from the PCAOB and the SEC represent guidelines that the TPA will need to interpret in the context of SOA requirements to determine what control activities are most appropriate for their business. The control model provided by the Committee of Sponsoring Organizations (COSO) is generally recognized as the de facto standard for designing effective controls. The “IT Controls for SOA” document published by the IT Governance Institute (www.itgi.org) is the prevailing standard for defining specific control activities over IT that fulfill COSO and PCAOB (SOA) standards. An important step in the development of controls is for the TPA to confirm their Controls Definition and Documentation with their clients. An Effectiveness Assessment can be useful for the TPA to test their control environment, confirming that it operates as intended and that any material control weaknesses are identified. Remediation represents the activities of correcting control weaknesses and will vary for each company. Remediation includes definition and documentation of controls, organizational issues, system improvements, operating procedures, etc.


MILESTONE – II. COMPLIANCE EVALUATION AND REPORTING (SAS70 / SOA 404)
The SAS70 evaluation starts with the TPA arranging for a CPA firm qualified to conduct the SAS70 attestation, and then providing that CPA firm with documentation to sufficiently describe their services, the supporting business processes and IT environment, and the control objectives and activities for these services and processes. As directed by the TPA, the auditor will conduct one of two types of SAS70 examinations:

  • Type I - On the design of controls in place at a point in time.
  • Type II - On the design and effectiveness of controls in place for a period of time (usually six months), with details of tests performed.

Typically, Type II SAS70 reports are provided to fulfill the TPA’s clients’ SOA requirements. AICPA SAS70 standards indicate that the Type II Examination and Report provide a description of the controls related to the applications of the TPA that may be relevant to their clients’ internal control as it relates to an audit of their clients’ financial statements; that the controls included in the description were suitably designed to achieve the control objectives specified in the description; and that, if those controls were complied with satisfactorily, such controls had been placed in operation as of the start of the Examination. The auditor’s examination will involve assessing the design of the controls and performing substantive testing to determine whether the controls operate with sufficient effectiveness to provide reasonable (but not necessarily absolute) assurance that the control objectives are achieved through the design and deployment of the control activities. The SAS70 report will include supporting documentation describing the tests performed to evaluate the operating effectiveness of the controls, the observations made, and the results achieved.

Typical activities to complete the SAS70 Compliance Reporting include:

  1. The auditor gains an understanding of the TPA’s services, business activities, control objectives and control activities.
    • The TPA provides description of Controls Objectives and Control Activities (leverage Readiness activities) for which the audit firm will conduct attestation testing.
  2. The auditor establishes an overall test plan:
    • Leverage test plans that may exist from SAS70 Readiness Activities.
    • Leverage test results for General Computer Controls that have not changed.
  3. The Auditor conducts testing:
    • Auditor executes testing to confirm adequacy of design and operational effectiveness of controls to meet stated control objectives.
    • Leverage the TPA’s Internal Audit staff for testing (if available).
    • Auditor substantiates any testing completed by the TPA’s Internal Audit staff.
  4. The Auditor compiles the SAS70 Type II Report, which includes four sections:
    1) Independent Service Auditor’s Report
    2) The TPA’s description of controls
    3) The Auditor’s description of tests executed and summary of conclusions relative to the TPA’s Control Objectives
    4) Other Relevant Information

MILESTONE – III. ONGOING MONITORING AND SUSTAINABILITY
Looking into 2005 and beyond, it is most probable that TPA firms will need to annually prepare some form of certification relative to their internal control environment, and most likely the standards will be those associated with SOA as put forth by the PCAOB, SEC, and the NAIC. Thus, we believe the TPA should immediately take steps to ensure that their control environment meets these standards and that the control environment is institutionalized.

Where can you get more information?
Please contact the Insurance Industry Group at Amper, Politziner, and Mattia with any questions, including if you would like a more detailed assessment of how your business can cost-effectively fulfill requests for SAS70 certification reporting and how your business can take proactive steps toward meeting the emerging internal control standards associated with the Sarbanes-Oxley Act of 2002.
Direct Questions to:

Tom Mulhare, 732-287-1000 x 281
Dan Schroeder, 732-281-1000 x 278
