RETIREMENT PLAN SPONSORS THAT ARE required to submit a
financial audit with their Form 5500 filings next year will find they have more
responsibilities related to the audit.
In July 2019, the American Institute of Certified Public
Accountants (AICPA) issued a new audit standard for employee benefit plans, SAS
136, or “Statement on Auditing Standards (SAS) No. 136, Forming an Opinion and
Reporting on Financial Statements of Employee Benefit Plans Subject to ERISA
[the Employee Retirement Income Security Act].” SAS 136 was originally
effective for periods ending on or after December 15, 2020; however, due to the
COVID-19 pandemic, the effective date was delayed to this coming December 15.
Timothy Verrall, a shareholder in law firm Ogletree Deakins’
Houston office, notes that the effort to enhance audit requirements has been in
the works for years. The 2010 ERISA Advisory Council studied employee benefit
plan auditing and financial reporting models and found that many deficiencies
in limited-scope audits of retirement plans might be due to misunderstandings.
In a 2011 report, the council concluded that the limited-scope audit should not
be repealed, but its quality and required certifications should be reinforced
and strengthened.
For background, two main types of audits are permissible for
Form 5500s: limited scope and full scope. A limited-scope audit is more focused
on the participants in the plan and aims to ensure their accounts are correct,
whereas a full-scope audit delves into more detailed testing of plan
investments. To qualify for a limited-scope audit, the qualified institution
holding the assets of the plan must certify the “completeness and accuracy” of
the reports.
But, in the past, regulators have found problems with those
audits. In May 2015, the Department of Labor (DOL)’s Employee Benefits Security
Administration (EBSA) issued a report looking at Form 5500s filed for 2011 plan
year, Verrall explains. It picked 400 out of the more than 80,000 audits filed
with the Form 5500s and found 39% had major deficiencies.
“The agency found some were deficient based on audit
standards and some were deficient by ERISA standards,” Verrall says. “Audit
quality was all over the place. Information was not getting assessed correctly,
and noncompliance was not getting surfaced.”
He adds that the EBSA concluded limited-scope audits were a
big problem because auditors didn’t evaluate or scrutinize important data they
received from recordkeepers; they just signed off on the data. The study also
found audit firms that don’t do a lot of plan audits have lower-quality audits,
but top plan auditors didn’t have as many major errors.
Verrall says the report pushed for the AICPA to modify audit
standards so auditors would do a better job and ask better questions of plan
sponsors. That’s what led to SAS 136.
Changes in Plan Sponsor Responsibilities
Currently, plan sponsors just supply information to
auditors, who look at financial information in addition to plan administration,
since that can affect plan health and financials, Verrall says.
He explains that, typically, most audit firms send a letter
to the designated plan management that includes two or three pages of questions
inquiring about events such as investments that went bust and the termination
of service providers, as well as what happened to the plan during the year
covered by the audit. “Auditors just took plan sponsors’ word for it,” he says.
Auditors would also look at plan administration items such as how many new
loans participants took and whether loan repayments were made. Verrall notes
that auditors would use a data feed to do some spot-checking of a sample.
“The theory was if you have a random sampling and find
problems of a particular type, it was indicative of a greater issue,” he
explains. “Then, the auditors would have a discussion with the plan management
representative and raise issues.”
However SAS 136 will bring some big changes, Verrall says.
“Limited-scope audits are not limited scope anymore,” he explains. “Limited-scope
audits essentially allowed auditors to take plan providers’ word about inflows
and outflows of cash, and they didn’t verify information was correct. This is
one of the issues the DOL identified as a problem in its 2015 study.”
Now, what used to be called a limited-scope audit is an
ERISA Section 103(a)(3)(C) audit. Verrall explains that the letter the auditor
will provide to the plan management representative will be more detailed and
will require plan sponsors to deliver more content. He says it will require
plan sponsors to first investigate and confirm they are eligible for this type
of audit; they’ll then have to make a representation in writing that they are
eligible for the exception to the full-scope audit.
“Plan sponsors can expect to get a lot of questions about
whether they are doing what they are supposed to do as far as plan management,”
Verrall says. “Some plan sponsors will have to come up with some independent
assessment, but for those with big providers to help, this will probably not be
a big deal.”
Brent DeMay, a Naperville, Illinois-based partner in
professional services firm Sikich’s accounting group who focuses on employee
benefit plans, says the changes related to limited-scope audits are truly new
requirements. He notes that limited-scope audits have traditionally accounted
for the majority of financial audits and allowed auditors to issue a disclaimer
of opinion, without giving a formal opinion. According to DeMay, this created a
lack of transparency about what the auditor did.
“But now, auditors cannot disclaim an opinion; they must be
clear about what they did as auditors,” he says. “SAS 136 also created a
two-part opinion. A certification statement is still allowed concerning
investments and investment income, although now auditors have to opine on the
form and content of the certified information. However, auditors must also give
a formal opinion on anything not in the investment certification.”
This leads to a new responsibility for plan sponsors, he
continues. “To elect to have Section 103(a)(3)(C) audit, plan sponsors have to
engage an auditor for that scope of service, then sponsors have to confirm with
their service providers that they can offer a complete and valid certification
statement,” DeMay explains.
DeMay says one of the largest differences in SAS 136
compared with the previous language is more of a clarification than a change,
because many additional performance requirements for plan sponsors were
considered best practices in the past but were not formally clarified.
DeMay says plan sponsors will need to provide a written
report to plan auditors acknowledging they have taken responsibility for plan
administrative duties. This might include acknowledging that plan documents are
maintained and remedial amendments adopted timely, that the plan is being
operated according to provisions of the plan document and that the plan sponsor
is maintaining sufficient records for any current or future benefits owed to
participants. DeMay notes that’s not an exhaustive list.
He says the written representation will be attached to the
auditor’s opinion. “These changes make the audit opinion more valuable,” DeMay
says. “From a communications standpoint, SAS 136 offers more transparency about
responsibilities for auditors and plan sponsors. A lot of what’s in the
standard falls on the auditor, but the biggest thing for plan sponsors to be
aware of is the clarification on having a renewed focus on active oversight of
the plan.”
DeMay says the certification that the plan sponsor is
maintaining sufficient records for any current or future benefits under the
plan is unique. He says there has not been a safe harbor on record retention,
but the new standard says records need to be maintained as long as a
participant has a current or future benefit under the plan.
Another big change, Verrall says, is that plan sponsors will
be required to provide the auditor with a substantially complete draft of the
plan’s Form 5500 and its schedules before the audit so the auditor can compare the
form to its findings and let plan sponsors know if there will need to be
corrections to the form. “This is intended to plug the differences between
information on the Form 5500 and the audit report,” he says.
More Information Could Be Exposed
Verrall notes that SAS 136 also provides more specific
direction to auditors on what the standard calls “reportable information,”
which might be of concern for plan sponsors. He explains that auditors are
required to report any significant noncompliance and findings of no internal
controls.
“Either verbally or in writing, they have to tell plan
management and those responsible for plan governance. It is to encourage wider
dissemination of auditor findings to all involved on the plan sponsor side so
there are no adverse findings fiduciaries don’t know about,” he says. “This is
to minimize the chances of hiding issues and sweeping problems under the rug.
Whether those findings go into the audit report is up to the auditor.”
The concern, Verrall says, is that the financial audit
report is attached to the Form 5500 and is publicly available in the DOL’s
EFAST system. Depending on how the auditor responds to the new standards, it
may disclose more noncompliance issues, which will be publicly available.
“Anyone can look at it,” Verrall says, “One way lawsuits get
started is people doing searches on Form 5500 data filings. This could
potentially provide a new source of ammunition to plaintiffs’ lawyers.”
In addition, if an auditor finds a complicated problem, plan
sponsors might not be able to solve it by the October 15 deadline for the
extension of filing the Form 5500 and financial audit, Verrall says. “We are
going to try to be in front of that so plan sponsors are not caught off guard
about questions being asked and what will be publicly reported,” he notes.
It might be beneficial to get auditors to start the process
earlier than usual so any issues can be corrected, Verrall suggests. Delays are
usually a result of coordinating the provision of data and information, but
there is nothing preventing plan sponsors and auditors from starting the
process early, he says.
Verrall adds that the audit report is a prime opportunity
for administrative errors to surface, but it offers plan sponsors an
opportunity to clean up their plan, which is ultimately in their best interest.
“There will be pain if the can is kicked down the road for years,” he says.
“I think the advice I would have for plan sponsors is to
reach out to auditors with the intent to collaborate on implementation of the
new standard,” DeMay says. “Auditors are looking to guide clients because this
is one of the largest changes in presentation of financial audit opinions
specific to employee benefit plans we’ve seen.”
Finding a Quality Plan Auditor
For the process to go smoothly and correctly, it’s important
to find a first-class plan auditor. Verrall says the AICPA website has
resources for finding quality plan auditors. The site gives an indication of
whether auditors focus on and care about retirement plan audits.
DeMay says a starting point is the AICPA’s Employee Benefit
Plan Audit Quality Center (EBPAQC). Many firms that specialize in employee
benefit plan audits are members of the center.
When looking for a good auditor, DeMay says plan sponsors
should recognize the need for knowledge of employee benefit plans.
“There are a lot of changes and clarifications in the new
standard that fall to auditors specific to employee benefit plans. Plan
sponsors need someone with that expertise,” he says. “A lot of firms have
strong audit practices in a variety of industries, but that doesn’t necessarily
translate to employee benefit plan audits.” DeMay suggests that plan sponsors
interview audit firms that have an employee benefit specialty practice area.
Verrall says some audit firms—both large and small—are
really known for their work in doing retirement plan audits. He notes that some
small firms are cheaper than big ones, but plan sponsors will get a
higher-quality audit if that’s all the firm does. He adds that bigger firms
might give a more perfunctory audit. Plan sponsors need to consider whether
they want to figure out their plan’s issues or minimally comply with DOL
requirements.
Verrall suggests plan sponsors get referrals from their
ERISA counsel about what auditors it has dealt with, and DeMay says plan
sponsor’s investment advisers could point them in the right direction as well.
“I’d stress that the earlier plan sponsors reach out to
auditors for collaboration, the better, to have a successful plan audit,” DeMay
says.
Click here for the
original article.