Evaluating Your Third Party AdministratorHR Resource
October 9, 2012 — 2,360 views
Evaluating Your Third Party Administrator
Careful monitoring of a third party administrator for a benefits program is not simply good business sense, but it is also required by law. The new Section 408 (b) (2) of the Employee Retirement Income Security Act (ERISA) strengthens rules for benefits administrators to uphold their fiduciary responsibilities. It also specifies the types of information that third party administrators must provide to the plan administrators. The Employee Benefits Security Administration (EBSA) advises those responsible for employee benefit plans to take steps to monitor service providers:
- Review the service provider's performance
- Read any reports third party administrators provide
- Check the actual fees that have been charged
- Ask about policies and procedures, such as claims processing systems
- Ensure that plan records are maintained properly
- Follow up on complaints from participants in the plan
Most of the tasks on this list can be accomplished by scrutinizing the reports that many third party administrators are required to provide. If they are not required to provide them by law, they should provide them according to recognized and accepted auditing standards. For many years, service providers had auditors provide an independent Statement on Auditing Standards (SAS) 70 report. Such a report details the procedures in place to ensure that claims are processed and administered correctly.
There are two types of an SAS 70. A Type I SAS 70 gives basic information about the types of controls that are in place for processing claims and administering funds. A Type II SAS 70 is much more in depth. A Type II describes the testing performed by auditors and lists any problems or deficiencies within the system. A Type II SAS 70 allows plan sponsors to monitor a third party administrator more thoroughly than a Type I.
The American Institute of Certified Public Accountants (AICPA) is phasing out the SAS 70 report. Instead, they are starting to use the Statement on Standards for Attestation Engagements (SSAE) No. 16, or SSAE 16, as part of Service Organization Control (SOC) reports. The AICPA felt that SAS 70 reports were being used for purposes outside of the original intent, which was to report on financial controls, not service standards. The new SOC 1 Report will provide a report on financial controls in place. SOC 2 and SOC 3 Reports will give reports on controls at such businesses as data processing centers and Software as a Service (SaaS).