Puffinator
Posted June 1, 2017

Scenario: TPA uses Relius Administration for their pension clients. However, they choose not to use the software past the point of inputting basic census data. Meaning, they choose not to input or import investment data (account balances, distribution/transfer activity, etc.) into Relius for their clients. Instead, they use a rudimentary Excel spreadsheet to perform Top Heavy testing and basic trust accounting for ALL their clients' plans.

For audited plans, they provide the Relius SSAE SOC-1 or SOC-2 reports to independent auditors. If they are failing to utilize their pension software, they are failing to adhere to the accounting standards which the reports are essentially certifying. Correct? If auditors do not realize that plans are being manually tested in a spreadsheet (and hence, not necessarily conforming to proper controls & standards, not to mention the increased risk for HUMAN ERROR if this is the TPA's ONLY method of testing), then isn't there potential for HUGE liabilities for all involved?

The TPA knows they are not using the software as intended/designed, yet continues to supply the reports as though they do. Management actually made the comment that "auditors and clients wouldn't know the difference anyway..." and "after all, we are technically performing the test... just manually." When brought to their attention, their response: "We've always done it this way. It's too much work to get the trust data into the system. We tried that one year..." Wow.

Now, imagine that two of this TPA's owners/managers hold ASPPA credentials. Heck, one is even an ERPA. Could most of us manually complete a Top Heavy test in our sleep? Sure. Conversely, some admins on TPA staff don't have the foggiest notion. But, that's not the point.
Regardless of staff experience to complete a test accurately (we hope), the FACT is that they are not adhering to accounting standard procedures because they are too lazy, overwhelmed, inept, or all-of-the-above to simply input the trust accounting into a software package which they pay good money to use, and then knowingly try to fly under the radar and pretend that they are following those standards.

Their failure to disclose that they choose to deviate from the controls addressed in the pension software's SSAE SOC reports is deceptive and could potentially cause significant public harm. They are fully aware they are allowing clients and auditors to infer that they follow applicable procedures for the software they use to provide their services. Like I tell my kids, allowing someone to infer something that is contrary to reality is the same as lying. Plain and simple.

At minimum, this is a professional ethics concern. At the very least, think of the added expense (time and money) for the clients if this must be addressed. I guarantee that if the Top Heavy tests for all these years were reviewed, you'd find errors. You'd find plans that were top heavy and not treated as such. What if that jeopardizes a plan losing their qualified status? Think of all the employers and participants who could be affected.

Your thoughts??? How would you handle this?
My 2 cents
Posted June 1, 2017

Just wondering - wouldn't the TPA be obliged, under the applicable federal laws, to have an independent audit performed of its own practices and controls? Shouldn't an independent auditor have to scrutinize the TPA's controls with respect to the processes they follow?

Just wondering also - would pointing to someone else's control analysis as though it took care of everything they do when they do not actually do things that way be some kind of fraud?

Always check with your actuary first!
CuseFan
Posted June 1, 2017

So if they don't use the software for trust accounting/account balances, forget about testing, what are they using it for at all? Almost sounds as if they licensed the software solely for the purpose of providing the internal controls reports. Yeah, fraud and breach of ethics immediately come to mind. We use spreadsheets with the best of them, but not in place of a valuation system, and not while purporting to use that valuation system. Wow.

Kenneth M. Prell, CEBS, ERPA
Vice President, BPAS Actuarial & Pension Services
kprell@bpas.com
TPAJake
Posted June 1, 2017

Unfortunately, I have seen this movie & it does not have a happy ending. I can't speak to a resolution, but I agree with your assessment of their improper & less-than-ethical practices of furnishing that letter.
hr for me
Posted June 1, 2017

I have to wonder if you are close enough to know these details, do you know who the auditors are and is there any way to anonymously disclose it to them? If you are an employee of that firm, I would definitely be looking for another job!
david rigby
Posted June 1, 2017

Pardon me if I don't understand the question. If the TPA firm is providing Relius SOC1/SOC2 statement(s) to an auditor, that does not cover the controls and procedures of the TPA firm itself. Does the auditor understand the difference? Alternatively, if the TPA firm is implying that such SOC1/SOC2 statement(s) are for the TPA firm, that sounds like deliberate deception. As someone already stated: fraud.

I'm a retirement actuary. Nothing about my comments is intended or should be construed as investment, tax, legal or accounting advice. Occasionally, but not all the time, it might be reasonable to interpret my comments as actuarial or consulting advice.
My 2 cents
Posted June 1, 2017

57 minutes ago, david rigby said:

> Pardon me if I don't understand the question. If the TPA firm is providing Relius SOC1/SOC2 statement(s) to an auditor, that does not cover the controls and procedures of the TPA firm itself. Does the auditor understand the difference? Alternatively, if the TPA firm is implying that such SOC1/SOC2 statement(s) are for the TPA firm, that sounds like deliberate deception. As someone already stated: fraud.

Isn't it the job of the auditor of the TPA firm to ascertain whether the TPA firm is really doing what they say they are doing? The auditor may be willing to accept the Relius SOC1/SOC2 statements as evidence concerning the controls as followed by Relius, but if the TPA firm claims they are doing everything using Relius, the auditor should be verifying that. So even if the TPA firm is trying to fraudulently claim Relius's controls as their own, the auditor should be able to learn that it is not so. Otherwise, what use is the entire process?

Always check with your actuary first!