Part 1A: Service Organizations
Fiduciary responsibility standards have applied to employee benefit plans since ERISA came into law 47 years ago. However, in light of the new standard SAS 136, greater responsibility is required of management than ever before.
In response, auditors of benefit plans will be focusing on management’s practices and increasing communication with management and governance on any errors or deficiencies found, regardless of materiality.
In the posts over the next few weeks, we will dive into management responsibility addressed in SAS 136 and specific ways to ensure management is fulfilling their fiduciary responsibility.
SAS 136 clarifies it is management’s responsibility to maintain the current Plan instrument, including Plan amendments. This includes, but is not limited to:
- Selecting and monitoring service organizations
- Maintaining and protecting records
- Establishing and following internal controls over financial reporting and safeguarding Plan assets
This post will focus specifically on selecting and monitoring service organizations.
It is management’s fiduciary responsibility to maintain records of the Plan, file Form 5500, and obtain a Plan financial statement audit. Many Plan sponsors will outsource these functions to reduce costs and increase efficiencies in administering the Plan.
When selecting a service organization, management should consider:
- Information about the firm itself (experience with retirement plans of similar size and complexity)
- Quality of the firm’s services (qualifications, any recent litigation against the firm and firm experience)
- A description of business practices (How will Plan assets be invested? How will participant investment directions be handled? What is the fee structure? Does the firm have fiduciary liability insurance?)
The Department of Labor (DOL) also provides the following tips when hiring service organizations:
- Look at several organizations to compare information provided and fees
- Document the hiring process
- Ensure the service organization is clear about its fiduciary responsibilities
- Obtain a fidelity bond
- Monitor the Plan’s service organization
While outsourcing responsibilities to service organizations (benefit administrators, insurance companies, bank trust departments) is extremely beneficial, management is still responsible for ensuring that all services are performed in accordance with the Plan instrument. Management must periodically monitor all service organizations. When monitoring service organizations, management should:
- Read any reports provided
- Review the service organization’s performance
- Ask about policies and procedures
- Follow up on any participant complaints
- Establish and follow a review process throughout the year
One of the most valuable reports management should review is the service organization’s System and Organization Controls (SOC) report. A SOC report is issued by an independent auditor who examines the service organization’s security, processing integrity, privacy and cybersecurity controls.
This report informs management of any weaknesses in the service organization’s processes. If the auditor’s report is anything but an unqualified (clean) opinion, or if any of the service organization’s controls are not operating effectively, management must evaluate the impact this has on their benefit Plan. If any deviations threaten to negatively impact the Plan, management must mitigate or compensate for them.
The report also contains Complementary User Entity Controls (CUECs): controls that management itself must operate so that the service organization’s controls can perform as intended. The CUECs are usually listed in the SOC report after the description of the system’s controls or following each control tested. It is important for management to establish and follow controls in response to the CUECs.
There can be severe ramifications when management is not familiar with its service organization’s SOC reports. When the service organization’s controls are not operating effectively and management is either unaware of it or has not addressed it, there is an increased risk of errors and misstatements within the Plan. The risk of errors and misstatements also increases if management does not have controls in place to address the CUECs.
Management should expect auditors to request detailed descriptions of steps taken to select and monitor service organizations. Auditors will also request SOC reports from all service organizations involved in the Plan, as well as descriptions of what controls management established to address the CUECs.
Selecting and monitoring service organizations is only one aspect of fulfilling management’s responsibility to maintain the current Plan instrument, including Plan amendments. In the coming weeks, we will dive into other aspects, including maintaining and protecting records and establishing and following internal controls over financial reporting and safeguarding Plan assets.
About the Author
Cami L. Grimm, CPA, is a Manager at Brown Schultz Sheridan & Fritz (BSSF) with over five years of public accounting experience. Cami specializes in providing accounting and auditing services to for-profit and nonprofit entities and has worked within a variety of industries.