YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
CHAPTER 5GENERAL AUDITOR GUIDANCE325.1 AUDITOR ACCESS TO THE WEBPlan administrators may now provide securelimited access to a plan’s financial reports on theTIAA-CREF Plan Sponsor website to plan auditors.Properly authorized, auditors are able to view anddownload year-end reports directly from the securePlan Sponsor website. The auditor profile precludesreview of other types of plan reporting or data. Tobegin the approval process, download and completethe Auditor Access Authorization/Change Form(http://www.tiaa-cref.org/ucm/groups/content/@ap_ucm_p_tcp/documents/document/tiaa01009427.pdf)and return to TIAA-CREF.TIAA-CREF sends out reminders to plan sponsorsin advance of the expiration of their auditors’ accessto the site. Plan sponsors must complete a newauthorization form to renew their auditors’ accessif necessary.Please complete the form using the followinginstructions:SECTION 1: GENERAL INFORMATIONCheck the appropriate box:“I am a third-party auditor applying for online accessto Plan Financial Reports. (Auditor and PrimaryAuthorizer must sign Section 5.)”, or“I am a Primary Authorizer of my institution and amdeleting access to TIAA-CREF’s Plan AdministratorServices for a Third Party Auditor. Please completethe application for the replacement user (if applicable)and indicate the user to be deleted in Section 4.”SECTION 2: PLAN ACCESSIndicate the plan(s) to which access is beingrequested.SECTION 3: SECURITY QUESTION AND ANSWERHave the plan auditor complete his or her securityquestion and answer for TIAA-CREF for purposesof authentication when accessing secure information.SECTION 4: DELETE AUDITORSComplete this section to revoke a previouslyprovided access from a plan’s list of AuthorizedUsers. TIAA-CREF recommends that access bereviewed no less frequently than annually.SECTION 5: SIGNATURESThe Auditor and Primary Authorizer mustsign to complete authorization.5.2 REQUESTS FOR ADDITIONALINFORMATIONWe expect that most, if not all, of the informationneeded to meet the plan administrator’s ERISAreporting and disclosure requirements will beavailable on the secure Plan Sponsor website.To request additional information to supportplan reporting responsibilities, contact yourInstitutional Liaison for more information. If servedby the Administrator Telephone Center, contacta TIAA-CREF consultant at 888 842-7782.5.3 Audit Support ToolkitTIAA-CREF has developed an Audit Support Toolkitto assist in the exchange of information and documentsbetween TIAA-CREF, the plan sponsor and theindependent qualified public accountant (IQPA). Withinthis Toolkit are frequently asked questions and auditsupport guidelines along with a template for use bythe IQPA to request documentation of selected testsof transactions. Follow this link for more information:http://www.tiaa-cref.org/plansponsors/land/audit_toolkit/index.html
CHAPTER 6STATEMENT ON AUDITING STANDARDS NO. 706.1 SAS 70, IN GENERALBecause a significant portion of an entity’s controlenvironment may be outsourced to a service provider,a Statement on Auditing Standards 70 (SAS 70)report may be useful in providing user auditorswith a sufficient understanding of controls at theservice organization to assess the risks of materialmisstatement of a user organization’s financialstatements. A SAS 70 provides a basis of reliance onthe effective operation of plan controls which mayreduce the nature, timing and extent of plan-leveltesting. Additionally, the SAS 70 provides an efficientmeans for a user to gain an understanding of relevantcontrols executed at the service organization.6.2 TIAA’S SAS 70 REPORTSTIAA’s SAS 70 reports cover institutionalrecordkeeping operations for qualified and ERISA403(b) plans that require an auditor’s opinion aspart of their Form 5500 filing. The TIAA SAS 70reports include control objectives along with thedetailed control activities that are designed to meetthose control objectives. The reports are intendedto provide reasonable assurance that those controlobjectives are designed and operating effectively.The control objectives and control activities aredefined and written by TIAA and audited byPricewaterhouseCoopers LLP (PwC), TIAA’s serviceauditor. PwC releases a 12-month SAS 70 everysix months for the 12 months ended June 30 andDecember 31, which coincides with the plan yearends of the majority of benefit plans recordkept byTIAA-CREF. PwC issued unqualified opinions for the12-month periods ended 12/31/2009 and 6/30/2010.The 12/31/2010 SAS70 report should be availableduring the second quarter 2011 and will be posted onthe TIAA-CREF Plan Sponsor website.The TIAA SAS 70 reports cover:New business and maintenanceEnrollmentsContributionsParticipant account maintenanceDistributionsInvestments – pricing, trading, and dividendsPlan reportingEach operational area contains User ControlConsiderations that describe aspects of the userorganizations’ control environment that mayaffect proper transactional processing. It is theresponsibility of the plan administrator to assessthe interaction of the controls identified in theSAS 70 with an individual plan’s internal controls.Each SAS 70 report is confidential and its useis limited to the management of TIAA-CREF,its clients and the independent auditors ofTIAA-CREF’s clients. Unauthorized use of theSAS 70 reports, in whole or in part, is strictlyprohibited. The SAS 70 reports are available on thesecure Plan Sponsor website in the Message Center.33