SOX as it applies to TPAs for H&W Benefits



  • I am seeking information on SOX as it pertains to Third Party Administrators of Health and Welfare Benefit Plans. Where can I find some guidance?




  • I would read this article as it hits home on the difficulties companies have with this issue. I would imagine that all TPAs will need a Type II SAS 70 report and will have to have their own SOX 404 and 302 compliance program even if they are a private company.
    http://www.cfo.com/Article?article=13818-and-f=CBIZ



  • You can only outsource work, not your responsibility.
    That means that you’re still liable for what happens to your data at the TPA’s site.
    The question is: will you cover the risk of financial misstatement by requesting a SAS 70, where, in addition to the TPA, you also have to rely on some maybe dubious external auditor? Or do you want to rely on your own controls? If so, you had better ask for a right to audit the TPA’s processes with your own internal auditors or, if that is not granted, install controls to check the quality of the information delivered by the TPA before you process it.



  • However, I am seeking guidance from the perspective of the TPA. I am the TPA that provides the H&W financial data for various clients. How does SOX apply to me?



  • SOX 404 applies to SEC registrants only. However, as a TPA, you will likely be impacted if you have clients who are SEC registrants and do not already have SAS 70 Type II work performed and make reports available to those clients. Your clients who are SEC registrants will need to have assurance that there are adequate controls in your business to ensure that the data you provide to them (on which they rely for financial reporting) has the proper controls around it to ensure accuracy and completeness. This assurance may come via the SAS 70 report or they may request that you allow them to come in and document your processes and controls around the handling of their data.



  • I now feel comfortable with the information you have provided. 🙂



  • I agree with the suggestions above.
    We were working with a top 10 insurance firm based out of Philadelphia. Some of their critical business processes are outsourced to a TPA based out of India.
    The suggestion from our external auditors was to get a SAS 70 Type 2 from the TPA. These external auditors helped determine the key controls.
    I also attended a SOX Symposium by ISACA in Chicago. PCAOB and other panel members who were present there also suggested the above approach.
    Madhav Vedula
    mvedula_at_consultant.com



  • When getting a SAS70-2 as a TPA to give to your SOX customers, you should select an audit company registered with the PCAOB. It’s most likely that the external auditors on the SOX customers’ side won’t accept a SAS70-2 from an unregistered audit company.



  • I just completed the ISACA SOX conference in Dallas. Another thing that they mentioned was to make sure your outsourced relationship uses a different audit firm than your SOX external auditors. This is something they (the Big 4) are taking to the PCAOB, but in the meantime it is something to take into consideration. They are going under the idea that there is a conflict of interest if the audit firm does the SAS70 for your vendor AND the same firm does your external SOX audit.

