FINANCIAL REPORTING AND INTERNAL CONTROL MATTERS
Diane Wasser, Amper, Politziner & Mattia, LLP
Robert A. Lavenberg, BDO Seidman, LLP

Session Contents
- FASB 157
- Limited Scope Audits
- Risk Assessment Standards – Year 2
- SAS 70

Valuation of Investments and FASB 157
Each plan will be impacted by FASB 157 for the 2008 plan year end, primarily in footnote disclosures.
FASB 157:
- Establishes a consistent definition of fair value and a consistent method of determination under GAAP
- Establishes a framework for measuring fair value under GAAP
- Clarifies the definition of fair value within that framework
- Expands disclosures on fair value measurements

Valuation of Investments and FASB 157
Fair Value definition: “The price received to sell an asset or transfer a liability in an orderly transaction between market participants at the measurement date”.
The FASB discusses valuation techniques and inputs to those valuation techniques and includes a hierarchy for measurement at fair value. The hierarchy is based on observable and unobservable inputs to valuation, and the levels in the hierarchy are determined by where and how the pricing of investments is derived. Levels 1, 2 and 3 will be a discussion point with service providers and ultimately auditors.
Valuation of Investments and FASB 157
Market participants are:
- Independent (not related parties)
- Knowledgeable
- Able (due diligence) to transact for the asset or liability
- Willing to transact for the asset or liability (not forced)

Valuation of Investments and FASB 157
- Measurement assumes an orderly transaction in the principal market
- Principal market is the market in which the entity would sell the asset or transfer the liability with the greatest volume and level of activity, OR
- In the absence of a principal market, the most advantageous market for the asset or liability

Valuation of Investments and FASB 157
Valuation techniques:
- Market approach – prices and other relevant information from market transactions involving identical or comparable assets
  - Matrix pricing to value debt securities
- Income approach – valuation techniques to convert future amounts to a single present amount
- Cost approach – based on the amount that currently would be required to replace the service capacity of an asset

Valuation of Investments and FASB 157
Inputs refer broadly to the assumptions market participants would use in pricing the asset or liability:
- Observable inputs – reflect the assumptions market participants would use based on independent market sources (published stock prices, amortized cost methods, price matrix)
- Unobservable inputs – reflect the reporting entity’s own assumptions about the assumptions market participants would use in pricing the asset or liability, based on the best information available

Valuation of Investments and FASB 157
Level 1 inputs:
- Quoted market prices (unadjusted) for identical assets or liabilities in active markets
- Most reliable source of fair value
- Input examples: prices derived from NYSE, NASDAQ, Chicago Board of Trade, Pink Sheets

Valuation of Investments and FASB 157
Level 2 inputs: observable inputs for
- Similar assets or liabilities in active markets
- Identical or similar assets in inactive markets
- Inputs other than quoted prices that are directly observable
- Inputs derived from observable market data by correlation or other means
- Examples – matrix pricing, market corroborated pricing, yield curves and indices
- Significant adjustments may indicate Level 3

Valuation of Investments and FASB 157
Level 3 inputs: unobservable inputs
- Reporting entity’s own assumptions about the assumptions market participants would use
- Other entity specific inputs (historical or projected financial information) that are not derived from market data
- Unobservable inputs are developed based on the best information available in the circumstances
- Examples – investment manager pricing for private placements, private equities, hedge funds, etc.

Valuation of Investments and FASB 157
Disclosures:
- Fair value measurements at the reporting date for each major category of assets or liabilities
- Level within the fair value hierarchy where each investment category falls
- Valuation techniques used to measure fair value and a discussion of changes in valuation techniques
- Readdress existing investment valuation language in the summary of significant accounting principles footnote
- Level 3 expanded disclosures to reconcile beginning and ending balances

FASB 157 Implementation
Fair Value Measurements
- Present a table of the fair value hierarchy for the balances of the assets and liabilities of the Plan measured at fair value as of December 31, 2008.
- Present a table of the changes in assets and liabilities measured at fair value using Level 3 inputs for the year ending December 31, 2008:
  - Realized gains (losses)
  - Unrealized gains (losses) relating to instruments still held at December 31, 2008
  - Purchases, sales, issuances and settlements (net)

FASB 157 Implementation
Full Scope:
- Obtain an understanding of the plan’s process for determining fair values, as well as whether the fair value measurements and disclosures are in accordance with GAAP.
- Consider the procedures and controls put in place by the plan sponsor and service provider to identify hard to value investments, validate the reliability of pricing, monitor the collectability of accrued income and modify reporting and disclosures in plan financial statements.

FASB 157 Implementation
Full scope procedures requiring price testing:
- Test of year-end market values
- Test of purchases and sales
- Test of unrealized gains and losses
- Test of realized gains and losses

FASB 157 Implementation
Primary Vendors:
- Interactive Data
- Standard & Poor's
- GEMMA Consulting
- GMI
- IBOXX
- ISMA
- Markit
Research Sources:
- Bloomberg
- Reuters

FASB 157 Implementation
Limited Scope:
- Trustee or Custodian certifies the COMPLETENESS AND ACCURACY of the plan’s investment assets and investment activity as contained in the institution’s ORDINARY BOOKS AND RECORDS, which MAY OR MAY NOT BE FAIR VALUE IN ACCORDANCE WITH GAAP.
- Information certified may be BEST AVAILABLE and may not be as of the plan’s year end

FASB 157 Implementation
Whose job is it?
- Custodians – provide the data
- Clients – review the data and conclude
- Auditors – validate and opine

Valuation of Investments and FASB 157
While management may look to a valuation service provider for the mechanics of the valuation, management should have sufficient information to evaluate and independently challenge the valuation. Therefore, it is important that plan management is familiar with the plan assets in which a plan invests and the methods and significant assumptions used to value them, especially for investments in securities or other assets for which readily determinable fair market values do not exist. They can outsource mechanics but can NEVER outsource responsibility.
Valuation of Investments and FASB 157
A plan auditor may provide advice, research materials and recommendations to assist in making decisions about the accuracy of investment valuations and the adequacy of the related disclosures, and in establishing internal controls surrounding plan management’s investment valuations, and can also help with the financial statement preparation.
Independence.

***** Caution *****
- Although presented together, limited scope audits and SAS 70 reports are two independent topics
- Having a SAS 70 report does NOT constitute or provide the certification necessary to perform a limited scope audit

Session Objective – Limited Scope
We will discuss the basics but it gets complicated - quickly!
- Just what is the limited scope (“L/S”) audit exemption?
- What is the legislative perspective behind its application and how has it evolved?
- When can a plan sponsor legitimately invoke the usage of the exemption?
- What practical audit steps can be employed under a limited scope audit engagement?

Definition
Summary of ERISA Reg. 2520.103
- Where an audit is required, the financial statements accompanying the Form 5500 must be GAAP-compliant
- Provides for an exclusion from the audit of investments (valuation and existence) and plan-level investment activity, if the qualifying institution holding the assets certifies to the accuracy and completeness of the information
- Qualifying Institutions:
  - Bank or similar institution (e.g., a trust company) or insurance carrier regulated and supervised and subject to periodic examination by a State or Federal agency
  - Could be asset trustee or custodian (does NOT need to be the trustee)

Definition
Summary of ERISA Reg. 2520.103
- Provides sample certification language to be used by the certifying institution:
  “The XYZ Bank (Insurance Carrier) hereby certifies that the foregoing statement furnished pursuant to 29 CFR 2520.103-5(c) is complete and accurate.”
- Indicates that certification extends to “ordinary business records” of the certifying institution
- The certification must be signed by a person authorized to represent the insurance carrier or bank

Definition
- The certification applies only to investments
- All other areas of plan activity, including eligibility, contributions, distributions and expenses, must be subjected to full audit procedures
- No audit procedures are performed on investments and related activity covered by the certification (including no review of internal control over investments or analytical review of income)

Limited Scope - Auditor’s Responsibility - Investments
- Compare the certified information to the form and content of the financial statements and footnote disclosures
- Determine that the financial statements and disclosures are in compliance with GAAP and DOL requirements
- Test income allocation to participants
- Make sure the 5% of net assets disclosure is made

Limited Scope - Auditor’s Responsibility - Investments
- Make sure to include the certification footnote in the financial statements and references to the information that is certified
- If something unusual comes to your attention - investigate (e.g., cost = fair value for hard to value assets, fair value has not changed for several years, or asset is not included in certified statements)
- If any material discrepancies are noted, the plan administrator should investigate and consider:
  - Requesting trustee/custodian to correct and either recertify or amend the certification
  - If information is excluded, the plan administrator is responsible for proper valuation and reporting
  - Engage the auditor to perform a full-scope audit and/or full scope procedures, as appropriate

Why the Limited Scope Audit Made Sense in 1974
What was the DOL looking for?
- Recall the pre-ERISA environment: do you know where your plan assets are?
- ERISA designed to ensure that the assets exist & that plan values are accurate
- Certifying institutions played a prominent, if not exclusive, role in the New World order
  - ERISA required plan assets to be held in a trust or insurance contract
  - Holding assets in a trustee’s vault (versus the plan administrator’s file cabinet) provided vastly more comfort over the existence assertion
  - Trustee/custodians provided a valuation independent of the plan sponsor’s
- Fair Value of plan assets was more commonly part of the trustee or custodian's “ordinary business records”
- Plan investments had readily determinable market values
- Plan & Trust Structures were less complex

Common Types of Plan Investments - 1974
- Common stocks
- Corporate Bonds
- Common or collective trusts (“CCTs”)
- Pooled separate accounts (“PSAs”)
- US Government Securities
- Mutual funds
- Unallocated Insurance contracts
- Master trusts – holding any or all of these investment types

So, what changed? That was then. This is now.
Investments - Explosion of new investment vehicles found their way into the employee benefit world:
- Hedge funds
- Venture Capital
- Private Equity
- Real Estate
- Art Work
- Precious Metals

So, what changed? That was then. This is now.
- Shadow Accounting - Emergence of specialized service providers resulting in more assets held outside the trust (Derivatives, Currency Hedging, etc.)
- Heightened awareness of custodians
  - What are they really certifying to?
  - Does an independent “market value” always equate to “fair value”?
Custodial Asset Pricing Processes & Certifications
- FAS 157 - Fair Value Measurements shines a floodlight on custodial pricing processes
- Requires deeper dive into custodial pricing vendors & their methodologies, to facilitate bucketing of assets into Level 1, 2, 3
- Best available, versus Fair Value

Changing Audit Climate
- Sarbanes-Oxley Act of 2002
- AICPA Employee Benefit Plan Audit Quality Center (“EBAQC”)
- AICPA Practice Aid on Auditing Alternative Investments (July 06)
- Plan audits no longer considered low risk audits
  - More focused & disciplined approach to EB audits
  - Audit Guides/Risk Alerts discuss HTVAs and LPs specifically
  - Reiterates management’s responsibility for valuation oversight
  - Questions the premise of plan sponsor’s sole reliance on the custodian’s prices
- Audit Standards (SAS 112/114)
  - Formalized required communication to management
  - Provides another reason to ensure that the audit is top-notch and that the “T’s” are crossed and the “I’s” are dotted

Relevancy of the Limited Scope Audit in Today’s Environment
- The environment has changed, but the regulations have not
- Is the extinction of the limited scope audit imminent?
- When is the limited scope audit applicable?
  - Investment types and valuations are key drivers to determining audit level
  - Eligibility of certifying institution
  - Marketable securities with readily determinable values
  - Highly regulated Common or Collective Trusts (“CCTs”)/Pooled Separate Accounts (“PSAs”) invested in marketable securities
  - Clear designation of the entity that is holding the plan assets
  - No 11-K filing is required

To Limit, or Not to Limit. That is the question!
- Who owns the decision to invoke the L/S audit exemption? The Plan Sponsor!
- Requires a Paradigm Shift on the part of the plan sponsor
  - Do they view the L/S exemption as an automatic entitlement, or as a privilege?
  - Are they aware of what their certifying entity is actually certifying to?
  - Are they prepared to engage their auditors in a discussion about the appropriate level of audit work, in advance of the audit?
  - Do they have a formal pricing policy and valuation oversight monitoring and signoff process, or are they relying exclusively on the custodial statements?

Investments – Full Scope Audits
What is different from a Limited Scope?
- Confirm directly with holder of assets (more than one custodian may hold assets)
- Test of year-end market values
- Test of interest
- Test of dividends
- Test of purchases and sales
- Test of unrealized gains and losses
- Test of realized gains and losses

What the Plan Sponsor Needs to Consider Before Invoking the Limited Scope Audit Exemption
- AICPA has added branches to the Limited Scope Audit Decision Tree in the EB Audit Guide
- What percentage of plan assets are invested in holdings that do not have readily determinable market values?
- Can the plan sponsor rely exclusively on the certification for the fair value, or does their valuation committee rely on other investment analysis to supplement the custody values before signing off on the fair value for any Hard To Value Assets (“HTVA”)? If the latter is the case, there is less chance of relying on the limited scope exemption.
Practical Audit Steps in a Limited Scope Engagement
- Determine eligibility of certifying entity in accordance with ERISA Reg 2520.103-5
- Gain comfort with variations of the wording of the certification
  - Examples of acceptable and non-acceptable wording: “ … to the best of my knowledge and belief”
- Narrow down the investment versus non-investment transaction activity that falls within the L/S exemption
- Determine the relevancy of the SAS 70 and assess the service provider and related user controls under a L/S engagement
- Gain comfort with the certification of plan balances when the assets of multiple plans are commingled and held within a master trust

Practical Audit Steps in a Limited Scope Engagement
- How can you tell from the investment statement whether the certified values for LPs are current values or lagged values?
- What do you do when you become aware that the values are lagged? Is amending and recertifying the year-end statement to reflect the updated values an acceptable alternative?
- When can you carve out assets that require a full-scope audit, without changing the scope of your engagement, and how does that impact your opinion letter?
- Will insurance carriers and banks be certifying to fair value in accordance with FAS 157?

Participant Allocation Testing
- Required in limited scope as allocation not certified
- Consider using investment returns for month or quarter
- Some firms testing allocations of interest and dividends
- Cannot completely rely on a SAS 70 Service Organization report – even a Type II
- A SAS 70 report is NOT a Certification and is not related to the limited scope exemption

Certification of Participant Loans
- Does the certification truly cover loans?
  - Often times not covered by certification for unbundled plans (record keeper and custodian are separate entities)
  - Who keeps the records (e.g., amortization schedule, note, etc.)?
- Substance over form considerations when loans aren’t properly certified
  - Do not indicate in report that all investments are covered (only certain ones)
  - Certification footnote should be clear that loans are not certified
- Even if properly certified, loan compliance testing is still required

Limited Scope & Master Trusts
- Master trust certification – doesn't allow you to do a limited scope audit of the plan
- Certification must be at plan level if doing a limited scope audit
- The appendix to the AICPA guide defines a master trust as, "a trust for which a regulated financial institution serves as trustee or custodian... and in which assets of more than one plan sponsored by a single employer or by a group of employers under common control are held."

Limited Scope Certifications - Agents
Agents Certifying for Trustee/Custodian
- The plan administrator should determine whether the party providing the certification (the agent) is in fact authorized to represent the insurance carrier, bank or similar institution holding the assets of the plan.
- The plan administrator should take steps to ensure they understand the nature and scope of the certification the agent has provided before concluding that the certified information may be used to satisfy the limited scope exemption

Agent Certifications – Scope Language
- “… any auditing procedures with respect to the information described in Note X, which was certified by ABC, Inc., the record keeper of the Plan as agent for XYZ Bank, the trustee of the Plan, …”
- “The plan administrator has obtained a certification from the agent on behalf of the trustee …”

Agent Certifications – Opinion Language
- “… other than that derived from the information certified by the agent on behalf of the trustee, have been audited …”
- Best practice – plan administrator should obtain and review the agency agreement

Getting Plan Sponsors on Board
- Pre-Engagement Meeting Discussions: extend invitations to Investment Committee contacts
- Sharing Copies of Relevant Materials:
  - DOL’s Internal Controls over Financial Records of the Plan
  - AICPA Audit Guides
  - AICPA Practice Aid on Auditing Alternative Investments
  - AICPA EBPAQC Webcasts
  - These slides

Risk Assessment Standards – Year 2
- ASB issued the standards to improve the quality and effectiveness of audits by focusing on audit risk
- Auditors need to have a more in-depth understanding of our clients and their environment, including internal control, in order to be able to identify and assess the risk of material misstatement
- Designing and performing audit procedures in response to those risks at the financial statement level and at the relevant assertion level for account balances and transaction classes
- Improved linkage between the assessed risks, audit procedures and conclusions

Risk Assessment Standards – Summary
SAS 104 – 111 Year 2
- Pre-Engagement Activities – acceptance of the client, independence, management integrity, etc., engagement letter.
- Planning the audit
  - Gain an understanding of the plan and its environment: ERISA and DOL regulations, new accounting pronouncements, changes in economic environment, plan type and provisions, tone at the top, plan oversight, measurement and review of plan’s performance, actuarial reports, controls at plan and controls at outside service providers (SAS 70’s)
  - Perform preliminary analytical procedures: current year to prior year, actuarial assumptions, investment returns, etc.
  - Discussion among engagement team
  - Identify fraud risk factors: nature of plan investments, plan operations, party in interest
  - Determine materiality at F/S level

Risk Assessment Standards Summary
- Assess risk of material misstatement at the overall financial statement level and complete overall audit strategy and overall responses at the financial statement level
- Assess risk of material misstatement in relation to relevant assertions for major transaction classes (participant account activity), account balances (investments, receivables, payables) and disclosures
- Identify major audit areas = audit areas with material transaction classes, account balances, disclosures
- Areas with potential significant risk could be investments without readily determinable market value, new investments, SAS 70 errors, operational defects or non-routine transactions, etc.
- Areas where substantive procedures alone are not sufficient

Risk Assessment Standards Summary
- Develop a detailed audit plan for the nature, timing and extent of further audit procedures, which include tests of controls, substantive procedures (tests of details and analytical procedures), and evaluate disclosures
- Evaluate results of audit procedures to determine if they are sufficient and document linkage of procedures with the assessed risks at the relevant assertion level

***** Caution *****
- Although presented together, limited scope audits and SAS 70 reports are two independent topics
- Having a SAS 70 report does NOT constitute or provide the certification necessary to perform a limited scope audit

SAS 70s - Session Objectives
For this part of the session we will discuss the basics of SAS 70 reports including:
- History and purpose of SAS 70 reports
- Difference between types of SAS 70 reports
- Sections of SAS 70 reports
- Basics of how to read and evaluate SAS 70 reports

History and Purpose of SAS 70s
- Auditors are required to gain an understanding of internal controls to plan the audit
- New Risk Assessment Standards, specifically SAS 109, which superseded SAS 55, now require auditors to evaluate the design and implementation of controls at a client
- Plan sponsors generally outsource a significant portion of the plan’s operations to third party providers (e.g., record keepers, custodians) and controls covering these operations also need to be considered
- SAS 70 reports tend to be the most efficient way to meet these requirements
- Daily valuation of plans highlighted the need for more use of SAS 70 reports in the Employee Benefit Plan (“EBP”) industry
- Auditors must consider both the service organizations’ AND plan sponsor controls

History and Purpose of SAS 70s
- SAS 70 reports address both the evaluation of design and implementation of controls
- Evaluation of Design
  - Service auditors who prepare SAS 70 reports evaluate the design of the controls by the service organization and will report on any noted design deficiencies in the independent service auditors’ report.
  - Controls need to be designed to support the control objective (e.g., contributions are recorded to the plan and participants’ accounts on an accurate and timely basis)
  - EBP Auditor should consider user organization (i.e. Plan sponsor) controls as well as service provider controls (e.g., contribution and payroll information remitted to service organization are accurate)

History and Purpose of SAS 70s
- Implementation of Controls
  - Service auditor will design their tests of controls, depending on type of SAS 70 report to be issued, to determine implementation and operating effectiveness of controls at the service organization
  - Testing includes inquiry, observations, inspection and re-performance
  - Note: The type of testing performed by the service auditor makes a difference!!
- Auditors must consider the effect of exceptions or qualifications noted in the SAS 70 report related to either design deficiencies or operating effectiveness as part of the auditor’s overall risk assessment
- Remember – SAS 70 reports are only one part of the risk assessment process associated with controls. Plan sponsor user controls must be addressed as well.
Differences – Types of SAS 70s
Two Types of SAS 70 Reports:
- Type I SAS 70 Report
  - Service auditor will evaluate design of controls and confirm implementation of controls as of a point in time (e.g., as of December 31, 200X)
  - Addresses risk assessment requirements to a point
  - Does not include testing of operating effectiveness over a period of time (e.g., period ended December 31, 200X)
- Type II SAS 70 Report
  - Same as a Type I report but includes testing of operating effectiveness over a period of time
  - Much more useful report for the auditor’s risk assessment procedures and could potentially be used to reduce substantive audit procedures

Differences – Types of SAS 70s
In the EBP industry, there are several organizations that may provide a SAS 70 report that the auditor might utilize depending on scope and type of audit:
- Trust Company or Custodian
- Record keeper
- Combined Trust/Custodian and Record keeper
- Payroll/Human Resource Company
- Actuary
- Investment Advisors and Transfer Agents
Critical to obtain the correct SAS 70 report (i.e. some organizations have multiple SAS 70 reports) relevant to each specific plan

Sections of SAS 70 Reports
Independent Service Auditor’s Report
- Reports on auditor’s opinion about design of controls and their implementation. Type II SAS 70 report will also report on the operating effectiveness of controls
- Report will define what exactly is covered in SAS 70 report (e.g., transactions performed related to defined contribution plans)
- Report will define period covered (generally six months or longer)
- May include carve-outs (e.g., participant statements printed by another entity).
  - Note: might require additional procedures, including additional SAS 70 reports, if carve-outs are significant and relevant

Sections of SAS 70 Reports
Company Overview
- Includes general discussion of company structure and operations and entity level controls (e.g., human resource practices, segregation of duties, ethics policies)
- Generally includes a discussion of computerized information systems
- Auditor should review and consider as part of risk assessment process of entity level controls
- May also include other valuable information so should not be ignored

Sections of SAS 70 Reports
Control Objectives
- Developed to address user auditor’s (i.e. Plan auditor) expected financial statement assertions
- Are the responsibility of the service organization to determine and are based on anticipated user organization’s needs (e.g., EBP auditor will need sections such as contributions and distribution processing)
- Should include IT general controls, such as physical and logical access, change management, back-up, etc.
  - ***These are important and must be addressed***
- Generally read as follows: “Controls provide reasonable assurance that distributions are properly approved, calculated accurately, and recorded to participant and plan accounts on a timely basis”

Sections of SAS 70 Reports
Description of Controls
- Generally in narrative form to describe process overall and highlight individual controls and procedures that support the control objective
- Example: Distribution processing most likely will include controls to:
  - Ensure proper approvals (e.g., review of distribution request form or electronic approvals in paperless format)
  - Review proper calculation of distributions – vesting, taxes
  - Ensure proper recording to participant account
  - Ensure proper communication to entity (trustee or custodian) remitting payment to participant or their beneficiary

Sections of SAS 70 Reports
Description of Controls (Continued)
- User controls are an important consideration in understanding total control structure
  - Vesting might be calculated or reviewed by plan sponsor in addition to or in lieu of service organization’s review
  - Approval of distributions by plan sponsor, especially in paperless environment, might be based on providing termination dates of participants (usually detailed in service agreement between plan sponsor and service organization)

Sections of SAS 70 Reports
Tests of Operating Effectiveness
- Included in Type II SAS 70 reports
- Usually in form of matrix in SAS 70 report, sometimes in a narrative format
- Outlines which controls service auditor tested and what tests were applied to determine operating effectiveness of those controls.
Sections of SAS 70 Reports
Tests of Operating Effectiveness (Continued)
Tests can include:
- Inquiries to personnel responsible for performing controls
- Observations of personnel actually performing controls
- Inspection of documentation that provides evidence of performance of controls (e.g., completed checklist, signature of individual who reviewed form for approvals)
- Re-performance of controls (e.g., test transactions run through the recordkeeping system to review proper postings)

Sections of SAS 70 Reports
Test Results
- If no exceptions, generally reads “No relevant exceptions noted” or “Control objective operating effectively”
- If exceptions are found, the finding will be detailed as to how many exceptions within the sample size were noted, and nature of exceptions
- Sometimes other findings may be noted (e.g., no activity noted for year, or that control was in place for portion of period covered by SAS 70 report)
- Note: Exceptions noted may not always result in a qualification of opinion
- May also include management responses to exception findings – these responses are not audited by the service auditor but may include relevant information and should be reviewed

Sections of SAS 70 Reports
Additional information provided by service organization
- Generally not audited by service auditor and is so referenced in Independent Service Auditors’ report
- Includes items such as disaster recovery procedures
- May include items related to subsequent events such as a merger of entities or termination/change in services
- Is a part of the SAS 70 report and should be reviewed to ensure no relevant information that may affect auditor’s evaluation is missed

Basics of How to Read and Evaluate SAS 70 Reports
- A basic road map for auditors in how to effectively and properly review SAS 70 reports
- Can be a difficult process as SAS 70 reports are not consistent among service providers, nor is format consistent in how they are prepared by service auditor.
- Start with Independent Service Auditors’ Report and Company Overview as these sections contain a lot of valuable information and can confirm correct SAS 70 report has been obtained.
- Note any qualifications and determine effect – generally specific areas such as enrollments may only affect one control objective. IT related qualifications may affect more than one area depending on nature and extent of qualification.
- Auditors should keep in mind additional procedures may apply for missing key control objectives and should have prepared a list of expected areas to be covered in the SAS 70 report according to risk assessment procedures tailored to a particular client and engagement.

Basics of How to Read and Evaluate SAS 70 Reports
Control Objectives
- What is there and what is missing?
- Auditors of EBP plans generally look for the same control objectives including:
  - Plan set-up
  - Contributions
  - Enrollments
  - Investment Election Changes and Transfers
  - IT General Controls (access, changes to programs, back-up)
  - Investments, including purchases/sales, income and valuation
  - Distributions, including loans
  - Reconciliation and reporting
- Note: For missing key control objectives or if no SAS 70 report is available, procedures to determine controls in place and the evaluation of their design and implementation must still be adequately addressed by the auditor!!
Basics of How to Read and Evaluate SAS 70 Reports
Description of Controls
- Auditors should generally read through the detail of the procedures related to a specific control objective to understand overall process and identify controls in place
- Warning: Controls included in this description may not always be included in testing, so be aware that this may affect reliance

Basics of How to Read and Evaluate SAS 70 Reports
Tests of Operating Effectiveness
- Auditors need to determine which controls were tested as included in the description of controls – usually listed with testing procedures performed
- Auditors have to consider level of testing performed for reliance purposes – inquiries alone will not be sufficient evidence for confirming implementation, and observations may not be considered sufficient for reliance on controls for purposes of reducing control risk below maximum to reduce substantive audit procedures

Basics of How to Read and Evaluate SAS 70 Reports
Exceptions
- Auditors have to evaluate each exception, including nature of exception, extent of exception and any mitigating controls in place related to that exception.
- Nature of exception:
  - Error in processing transaction?
  - Missing evidence? (e.g., cannot locate checklist)
  - Also consider – is the exception relevant to your specific client situation?

Basics of How to Read and Evaluate SAS 70 Reports
Exceptions (Continued):
- Extent of Exception
  - Isolated error?
  - Exception one of many included under control objective?
  - Did exception lead to qualification of Independent Service Auditors’ report?
  - Special consideration – IT general controls – exceptions and qualifications could affect more than one area and may be a significant problem in reliance and use of SAS 70 report

Basics of How to Read and Evaluate SAS 70 Reports
Exceptions (Continued):
- Mitigating controls in place related to exception
  - Are there other controls in place at service provider to mitigate risk of error?
    - Other levels of review such as quality control reviews
    - Different access levels that may prevent issues (physical vs. logical access on systems)
  - Does the plan sponsor actually perform that control? (e.g., calculate vesting)
  - Are there mitigating controls in place at the plan sponsor? (e.g., review and approve calculation of vesting)
  - Note – evaluation will be different among engagements depending on controls in place and who does what

Basics of How to Read and Evaluate SAS 70 Reports
- Evaluation of SAS 70 report and conclusions reached by Plan auditors should be documented clearly and adequately in audit workpapers as required by SAS 103.
- Documentation can include:
  - Copy of relevant SAS 70 reports obtained and evaluated
  - Checklist or Form used to evaluate SAS 70 report
  - Memo or checklist/form used above to document conclusions reached regarding each area as to reliance on SAS 70, and the extent of that reliance (e.g., reliance related only to design and implementation or further reliance to reduce control risk and substantive audit procedures)
  - Note: Reliance may vary from area to area (e.g., reliance placed to reduce substantive audit procedures in contributions, but not in distributions)

Questions?