Pensions Process Actuaries - Are they considered a 3rd party?



  • Hello, I’m reviewing a process whereby the objective is to ensure that pension assets and liabilities are not misstated in the accounts.
    Now all the controls seem to be geared towards ensuring that the correct data goes to the actuaries in order for them to produce the valuations but nothing seems to involve reviewing the actuaries’ output before forwarding to Group Finance for inclusion in the financial statements.
    Normally would there have to be a SAS70 or is it generally accepted that the actuary’s valuations are correct?



    1. How material are the assets and liabilities calculated by the actuaries?
    2. How predictable are the calculations by the actuaries, e.g. is it mainly unit linked?
      Actuarial as a process is high risk given the complexity of the models used and the assumptions applied. However if the figures they generate are unlikely to fluctuate to a material level or can be predicted fairly accurately then it can be argued they need not be tested.
      If they could have a material impact and are not predictable then there has to be some testing of the process to ensure that at the very least the assumptions are set correctly and the models operate effectively. You cannot just rely on the original data being correct.
      Do you need a SAS70? Only if the actuarial function is an external organisation. Even then you don’t need to get a SAS70, if you have appropriate contractual arrangements you should explore getting your own testing done. In fact I only use SAS70s when there is more than one client of a common third party requiring SOX assurance so we can share the costs - if you are the sole client then a SAS70 is economically the most inefficient way of gaining assurance.
      That being said and you do decide to test the actuaries then whether they are internal or external you may still want to explore using a third party to undertake the testing in this area. Given its complexity it could be beneficial, at least in the first couple of years, to use someone with experience of this area to test the design and operational effectiveness of this area.


  • Actuaries are considered experts and do not require SAS70 coverage.
    You should ensure that you have controls over information provided to the actuary (complete, accurate), assumptions used and information recorded in your financial statements.



  • Not according to my External Auditors.
    But as per above, our liabilities are material and sensitive therefore they probably feel greater assurance is required than just relying on the expertise of the model maker.



  • The guidance is clear that SAS 70 reports are not required from subject matter experts, only from service providers and then only if we are placing any reliance on their processing controls.



  • 100% agree with kymike
    The only additional controls that the company would need to have are around how those experts are engaged and how their results are used, however the independent conclusion of a 3rd party expert does not require a SAS70.



  • OK I follow your point but why classify actuaries as subject matter experts?
    An actuary provides a service where they use complex models based on various assumptions to value assets and liabilities. This is not a simple stick a figure in the start of the process and the answer is spewed out of the end no matter who does the calculation. That is a subjective ‘science’ that has high risk where the incorrect application of an assumption or even misuse of an assumption could throw everything off. We’ve even seen cases where final salary pension schemes have been seriously impacted by incorrect and inappropriate valuations.
    I will accept your statement that actuaries are explicitly defined as subject matter experts however just for the record providing complete and accurate data to the actuaries does not confirm you have complete and accurate movements in the P-and-L nor properly valued assets in your BS irrespective of whatever assumptions you report using.
    Of course I should clarify that you are referring to actuarial functions for a company pension scheme and not for large financial institutions.



  • 100% agree with kymike
    The only additional controls that the company would need to have are around how those experts are engaged and how their results are used, however the independent conclusion of a 3rd party expert does not require a SAS70.
    I agree that a SAS70 is not required, partly because GAAS generally include a description of the mutual responsibilities between actuary and auditor, including the requirement for the external attest auditor to gain assurance about the completeness and accuracy of data provided by the client to the actuary. The CICA Assurance handbook used to have a long section on that.
    However I don’t think the external auditor is off the hook ‘so to speak’ just by checking the data to prevent the ‘garbage in garbage out’ scenario. It seems to me that the external auditor must also assess the reasonability of the key assumptions used by the actuary, whether the actuarial report is for pension plan financial statement purposes, determining funding requirements and/or pension expense on the employer financial statements.
    There is simply too much room to manage the resulting numbers by tweaking the assumptions. The way I see things, the external auditor needs to compare the employer’s (i.e. actuary’s) assumptions to those used in other plans and evidence an assessment of why the assumptions are within the zone of reasonability; and also assess the reasonability of resulting sensitivity analysis which is typically required.
    So in brief, I’m thinking that the auditor should validate the data going in, assess the reasonability of the results based on the reasonability of the assumptions used, and quite frankly leave the accuracy of the actuarial calculations to the actuary. It’s up to the actuary (a SME / specialist) to choose an appropriate method and validate their own calculations.
    To put this in the context of a SOX engagement (ICFR work), management likewise needs to validate the data going into the actuary, evidence the reasonability of the assumptions used, and evidence that any disclosure concerning sensitivity of results is reasonable. Just another case where financial management with strong ICFR pretty much does 90% of the external auditor’s actual work 😉



  • I agree with graybeard. The external auditor generally cannot rely on the valuations provided by the actuary (or any other subject matter expert) like the public client can. Our external auditors have their internal specialists review the valuation by our external actuary for reasonableness.
    For SOX purposes, the public company client does not need to have a SAS 70 from the actuary and can rely on the valuation provided by the actuary. The public company, however, needs to ensure that controls exist over the completeness and accuracy of the data sent to the actuary and over recording values on the ledger based on the actuarial report.



  • I agree that a SAS70 is not required, partly because GAAS generally include a description of the mutual responsibilities between actuary and auditor, including the requirement for the external attest auditor to gain assurance about the completeness and accuracy of data provided by the client to the actuary. The CICA Assurance handbook used to have a long section on that.
    However I don’t think the external auditor is off the hook ‘so to speak’ just by checking the data to prevent the ‘garbage in garbage out’ scenario. It seems to me that the external auditor must also assess the reasonability of the key assumptions used by the actuary, whether the actuarial report is for pension plan financial statement purposes, determining funding requirements and/or pension expense on the employer financial statements.
    There is simply too much room to manage the resulting numbers by tweaking the assumptions. The way I see things, the external auditor needs to compare the employer’s (i.e. actuary’s) assumptions to those used in other plans and evidence an assessment of why the assumptions are within the zone of reasonability; and also assess the reasonability of resulting sensitivity analysis which is typically required.
    So in brief, I’m thinking that the auditor should validate the data going in, assess the reasonability of the results based on the reasonability of the assumptions used, and quite frankly leave the accuracy of the actuarial calculations to the actuary. It’s up to the actuary (a SME / specialist) to choose an appropriate method and validate their own calculations.
    To put this in the context of a SOX engagement (ICFR work), management likewise needs to validate the data going into the actuary, evidence the reasonability of the assumptions used, and evidence that any disclosure concerning sensitivity of results is reasonable. Just another case where financial management with strong ICFR pretty much does 90% of the external auditor’s actual work 😉
    I agree with you here. My responses come from a client rather than auditor perspective, but you are right to say that there are additional checks the auditor should follow. Certainly in my own Big 4 days we used to, sometimes, have the actuarial work checked by our own specialists.



  • I agree with these responses. I realise that in my case we do more work because firstly we rely on actuarial services a lot more than just for a pension scheme so for us it is very high risk but also because we work in partnership with our external auditors and undertake a lot of the work ourselves to aid fee reduction. Clearly this has meant that we have gone beyond our own SOX needs and we are undertaking work that our auditor requires but in the longer term this is a more efficient and economic solution.



  • Conclusions:
    (a) Big 4 companies have their own specialists (why public company does not??);
    (b) SAS70 is not required (since it’s a well-known firm in the market);
    (c) SOX control should be based on some internal review by someone in the public company (not only on the information provided for the actuary, but also on the reasonableness of the P-and-L accounted each year);



  • Conclusions:
    (a) Big 4 companies have their own specialists (why public company does not??);
    (b) SAS70 is not required (since it’s a well-known firm in the market);
    (c) SOX control should be based on some internal review by someone in the public company (not only on the information provided for the actuary, but also on the reasonableness of the P-and-L accounted each year);
    Auditors can leverage their specialist over many clients. It generally does not make financial sense to have an actuary within a public company if all there was to value was the pension liability.



  • Some service providers have SAS70’s. Just ask them. Once some of their clients paid for it, they might want to offer it to you as well.
    No try no gain. 😉

