Limited Scope or Full Scope Audit

[Alex Daisy]

We are a TPA firm working on a large Plan were an Audit is required. We do not have a SAS 70.

The auditor is telling me what since we do not have a SAS 70, they will have to do a full scope audit, as opposed to a limited scope audit.

The custodian and recordkeeper of the Plan has a SAS 70. The TPA does not.

Is a full scope audit required if the TPA does not have a SAS 70?

[rcline46]

Although the auditor can do whatever they want, a limited vs full scope audit has to do with certification of the assets by an independent trustee. A SAS 70 is NOT required for the TPA.

That being said, the auditor does have the option of reviewing the TPA procedures and practices which would cost more in lieu of SAS 70.

[JanetM]

Ask the auditor to show you where in the AICPA audit guide does it say that the TPA must have SAS70.

[Guest Dell]

Sounds like a case of poor terminology. "Limited Scope" is definately the wrong term and if the auditor really is referring to a limited scope audit and a TPA's SAS 70 as being related, they are confused.

What they probably really mean is that if the TPA does not have a SAS 70 (and TPA's are not required to), the auditor still needs to gain an understanding of the TPA's internal control procedures related to the services provided to the audit client. Without a SAS 70 this could be expensive and require procedures to be performed at the TPA. This is not a limited scope audit situation, just a case where audit procedures might be reduced if a SAS 70 were available.

[sbutler]

Ask the auditor to show you where in the AICPA audit guide does it say that the TPA must have SAS70.

"AICPA Audit & Accounting Guide - Employee Benefit Plans

6.22

Benefit plans are increasingly using service providers to initiate, execute and perform the accounting processing of transactions on behalf of the plan administrator. Often the plan does not maintain independent accounting records of such transactions. For example, for 401(k) plans, many plan sponsors no longer maintain participant enrollment forms detailing the contribution percentage and the investment fund allocation option. For health and welfare plans, often claims are submitted electronically from the health care provider directly to a claims administrator for adjudication and payment. In these situations, the auditor may not be able to obtain a sufficient understanding of internal control relevant to such transactions to assess the risks of material misstatement and design the nature, timing, and extent of further audit procedures without considering those components of internal control maintained by the service organization. This understanding can be efficiently achieved by obtaining and reading the entire document prepared in accordance with SAS No. 70 for the service organization. SAS No. 70 reports generally cover the relevant operations of a service organization; however, certain operations of the service organization may not be addressed in the SAS No. 70 report, and those operations may be significant to the plan audit. In these instances, the engagement team will need to obtain an understanding of the controls in the relevant areas excluded from the scope of the SAS No. 70 report." Emphasis added.

Both the above guide and the Employee Benefit Plans Strategic Briefing include "recordkeeping" and "benefits administrators" so it covers TPA's. I agree that a SAS 70 report is not required. But with VRUs and automated loan processing, etc., plan administrators/sponsors just do not have any control over these transactions (that is why they have a TPA). As these transactions are a significant part of a plan's internal control they must be tested. Without a SAS70 Type II report on the TPA covering, say, participant investment allocation, how can a plan satisfy me as an auditor that participants balances are correct?

Dell's answer is absolutely correct.