Benefits and Compensation

Plan Sponsors Using Limited-Scope Audits Should Watch for Proposed Changes

By Mary B. Andersen, CEBS, ERPA, QPA Jul 10, 2017 Benefits and Compensation

Updated: Jan 7, 2018

The American Institute of CPAs’ (AICPA) Auditing Standards Board (ASB) recently issued a proposed Statement on Auditing Standards (SAS) that will affect all independent qualified public audits of employee benefit plans, especially limited-scope audits.audit

The 133-page exposure draft, “Forming an Opinion and Reporting on Financial Statements of Employee Benefit Plans Subject to ERISA,” was issued April 20. The proposed SAS changes are effective for audits of financial statements for periods ending on or after December 15, 2018.

The AICPA ASB is looking for comments on the proposed SAS. It has identified nine specific issues on which it would like feedback. At present, the deadline for submitting comments is August 21, but it is expected that there will be requests to extend it.

Background

Our May 2015 column discussed a report from the U.S. Department of Labor’s (DOL) Employee Benefit Security Administration (EBSA) regarding the quality of Employee Retirement Income Security Act (ERISA) audit work.

The EBSA report found that almost 40 percent of employee benefit plan audits were deficient. It said that the quality of audits could be directly related to the number of audits conducted by a certified public accountant (CPA) firm. The firms that performed the least number of audits had a higher deficiency rate, while the CPA firms that performed the most audits had the lowest deficiency rate.

The EBSA report findings may have been a key factor contributing to the DOL request to the AICPA that it revisit the format of the employee benefits plan auditor report. However, the limited-scope audit has been under the microscope as far back as 2012, when an Office of the Inspector General (OIG) recommended repeal of the limited-scope audit.

The option for a plan to conduct a limited-scope audit arises from ERISA Section 103(a)(3)(C), which lets the plan administrator exclude from review by its independent auditor statements prepared by a bank or similar institution or insurance carrier that is regulated and supervised by a state or federal agency. This provision allows the auditor to rely on statements prepared by such institutions if the statements are certified as “complete and accurate.”

In a limited-scope audit, the auditor still is required to test for ERISA and federal tax Code compliance in all significant audit areas, such as contributions, benefit payments, participant loan processing, hardship distributions, participant data, eligibility to all plan features, and payroll. The extent of the audit procedures applied to each plan will vary, depending on the risk level assessed by the auditor.

While the proposed SAS will affect full-scope audits to some extent, its biggest impact will be on limited-scope audits. DOL regulation Section 2520.103-8 allows a plan to exclude from the audit any statement or information regarding plan assets held by banks, similar institutions, or insurance carriers if the statement or information is prepared and certified by one of those entities. The proposed changes alter the form and content of the limited-scope audit.

This column addresses some of the proposed changes to the limited-scope audit.

When a Limited-Scope Audit is Requested

In a limited-scope audit, the auditor performs audit testing on information not covered by the certified information. The proposed SAS would require that the auditor:

  • Read the certification prepared by the financial institution;
  • Evaluate management’s assessment of the certification;
  • Compare the certified investment information to the plan financials and to the extent they do not match, require additional audit procedures; and
  • Decide whether the plan financial statements are in accordance with the applicable financial framework.

Note: In an employee benefit plan audit, the auditors examine plan financial statements prepared by the plan sponsor. In a limited-scope audit, the auditor does not test the certified information provided by the financial institution. The 2012 DOL OIG report noted that in 2010, more 70 percent of plan audits were limited-scope audits and that the statements provided by the financial institutions certify that the statements are complete and accurate as to holdings, but not to value.

The SAS expects the auditor to obtain an understanding of the types of investments and the methodology for measuring the investments. Plan management would be required to be able to explain how investments are valued, how they are classified on the financial statements and whether the investments are presented in accordance with applicable financial requirements.

Written Representation by Management

The auditor will request written representation from plan management that indicates that management has:

  • Provided the most current plan document, including amendments;
  • Acknowledged its responsibility for administering the plan and that the plan transactions presented in the financial statements are in accordance with the plan provisions, including availability of plan records necessary to determine benefits payable;
  • Acknowledged responsibility for preparing the financial statements;
  • Determined that a limited-scope audit is permissible;
  • Evaluated that the certified information is complete and accurate; and
  • Determined that the investment information is presented in accordance with the applicable financial reporting framework.

Bottom line: The proposed SAS requires the plan sponsor to acknowledge its responsibility when it comes to the audit. The auditor would be required to get it in writing.

Increased Auditing

Auditors generally seek to determine the materiality of a particular issue when determining the amount of testing performed. The SAS would require “substantive procedures” for certain plan provisions, regardless of materiality. These procedures include an evaluation that plan document terms have been followed in determining:

  • Eligibility;
  • Benefit payments;
  • Vesting;
  • Contributions;
  • Appropriate reporting in supplemental financial statements of any prohibited transactions;
  • Expense allocation;
  • Assets are fully allocated to participant accounts;
  • Forfeiture use; and
  • Correct recording of participant account activity.

In addition, the auditor would be expected to perform audit procedures related to the various Internal Revenue Code (IRC) nondiscrimination tests (for example, coverage, 401(k) nondiscrimination, top-heavy status, annual additions, 402(g) limits on deferrals, minimum funding, etc.).

The auditor must evaluate the results, determine the effect on the plan’s financial statements and indicate any internal control deficiencies.

The exposure draft includes model language regarding specific plan-provision testing for the auditor to include in the audit report.

Some auditors already test some of these items. For example, auditors will send letters to participants about plan entry and contribution elections. Testing results are not included in the audit report, but remain a part of the auditor’s “working papers.”

Proposed Exposure Draft

Requiring plan sponsors to acknowledge their responsibility concerning employee benefit plan audits is not a bad thing, as many sponsors are unaware of the extent of their responsibility. This change will most likely increase plan sponsor costs, especially when plan sponsors opine on certified financial statements prepared by financial institutions. Plan sponsors may need to engage the appropriate subject-matter expert to comment on asset valuation and financial statement presentation.

Specific plan provision testing might lead to plan sponsors’ conducting more-frequent internal compliance reviews before an audit begins, and result in a stronger focus on and adherence to compliance obligations.

However, the amount of auditor testing and reporting on plan administrative procedures could be problematic when attached to the auditor’s opinion, which is provided with the annual Form 5500 filing. The regulations are complex, and errors are bound to happen.

If an auditor finds something, includes it in the audit report, and it is an error that can be corrected under the Internal Revenue Service’s (IRS) Employee Plans Compliance Resolution System (EPCRS), it raises red flags unnecessarily. In addition, plan administrative errors reported in the audit report could be data mined by competitor service providers and used as an entrée to “poach” contracts for administrative work.

It is unclear if requiring specific plan testing on issues not determined to be material by the auditor will provide any benefit. It is clear that additional testing will increase the cost of the audit. Other costs will rise to the extent that management engages counsel or consultants to respond to the auditor’s comments. Expenses paid from plan assets will affect participants—but incorrect plan administration and asset valuation could have a greater impact.

If the deficiencies uncovered in EBSA’s report were the main impetus for the exposure draft, time will tell if the additional procedures and management representations improve audit quality. The changes could lead to smaller CPA firms walking away from employee benefit plan audit work. They also could increase the frequency of deficient audits because there are more required steps.

Key Takeaway for Plan Sponsors

Plan sponsors are advised to:

  • Read the exposure draft, especially if using a limited-scope audit, and discuss its ramifications with their auditors;
  • Conduct internal compliance review and avoid any potential airing of “dirty laundry,” should the specific plan-provision testing requirements remain in the exposure draft. They also should ensure that well-documented procedures and controls exist and are being followed;
  • Talk to service providers and internal staff about any past errors and confirm that appropriate procedures and controls have been implemented to prevent the reoccurrence of errors; and
  • Revisit the details of any service agreement to ensure that roles and responsibilities are clearly defined.
Mary B. AndersenMary B. Andersen is president and founder of ERISAdiagnostics Inc., an employee benefits consulting firm that provides services related to Forms 5500, plan documents, summary plan descriptions, and compliance/operational reviews. Andersen has more than 25 years of benefits consulting and administration experience. Andersen is a CEBS fellow and member of the charter class. She also has achieved the enrolled retirement plan agent designation. She is the contributing editor of the Pension Plan Fix-It Handbook.

Leave a Reply

Your email address will not be published. Required fields are marked *