Best Practices for Monitoring Retirement Plan Service Providers

October 2021

BY

Beth GarnerNational Practice Leader, EBP and ERISA Services

Luanne MacnicolAssurance Partner, Central Region Practice Leader

As a plan sponsor it is good practice to formalize a process around monitoring service providers. Establishing, documenting, and executing this process can help to ensure that each vendor is achieving the objectives set out at the beginning of the relationship. Monitoring service providers also helps plan sponsors proactively identify opportunities to improve the plan.
 

Who Monitors What?

Typically, the individuals in charge of a plan’s daily operations—such as the plan administrator or benefits department—are responsible for the day-to-day monitoring of service providers. The plan committee, on the other hand, provides higher-level oversight and reviews fees, service agreements, and other information.

Regardless of how monitoring responsibilities are split, the process should be documented, and those charged with monitoring must be aware of their specific roles and responsibilities. This can help to limit the likelihood of potential issues slipping through the cracks.

In addition to having a well-documented process, plan sponsors should record the findings and outcomes of their monitoring efforts. Fiduciaries should document whether service providers adhered to professional standards and legal and regulatory requirements, as well as whether vendor controls and procedures worked effectively and benefited the plan. Plan sponsors should also note whether there were any corrections, resolutions to issues, changes to fee arrangements, or any other changes to the relationship because of the monitoring process. 
 

Helpful Guidelines from the DOL and AICPA

In its document, Meeting Your Fiduciary Responsibilities, the Department of Labor (DOL) outlines several steps that plan sponsors should take to properly evaluate and monitor service providers. These include reviewing service providers’ performance, analyzing their reports, and fact-checking their fees. In a previous article we discussed the DOL’s recently outlined range of practices for combatting the growing threat of cybercrime to ERISA-covered retirement plans, including key focus areas when selecting and monitoring service providers.

The American Institute of Certified Public Accountants (AICPA) Employee Benefit Plan Audit Quality Center (EBPAQC) offers a free plan advisory guide to help plan sponsors effectively select and monitor outsourced plan recordkeepers and reporting functions. Several of the EBPAQC tips—such as checking on the timeliness and accuracy of specific recordkeeper functions—can be used to evaluate other service providers’ performance as well.
 

How SOC Reports Can Help

Service Organization Control (SOC 1) reports can be a powerful tool to help plan sponsors get assurance that their service providers have proper controls in place and are working to benefit a plan and its participants. These reports offer an objective, third-party assessment of the operating effectiveness of an organization’s controls. In fact, some plan sponsors require that their service providers and other vendors provide a recently completed SOC-1 report.

SOC reports can provide a host of valuable information about service providers. For example, qualified or significant exceptions in SOC reports could be a red flag that prompts plan sponsors to increase their review of a vendor’s controls. Plan sponsors can also review complaint logs from participants, resolutions to issues, and unusual transactions to see whether service providers are operating effectively. To learn more, see our article, “Why plan sponsors should read  their service providers’ SOC reports.”

Some service providers don’t have SOC 1 reports, so plan sponsors may need to get creative when evaluating vendors. This may lead to more work and additional expense for the plan sponsor and auditor. The AICPA’s guide offers several tips for these situations, including guidance on performing on-site visits.