/ Published in Employee Benefit Plans, News and Press Releases

New EBP SAS – AICPA issues Statement on Auditing Standards No. 136, Forming an Opinion and Reporting on Financial Statements of Employee Benefit Plans Subject to ERISA

As expected, In July 2019, the AICPA Auditing Standards Board (ASB) issued AICPA Statement on Auditing Standards No. 136, Forming an Opinion and Reporting on Financial Statements of Employee Benefit Plans Subject to ERISA (“SAS No. 136″ or the “new EBP SAS”). This new standard prescribes certain new performance requirements for ERISA plan financial statement audits and changes the form and content of the related auditor’s report to improve audit quality and enhance the communicative value and transparency of the auditor’s report. It includes new requirements in all phases of an audit of ERISA plan financial statements including engagement acceptance, risk assessment and response, communication with those charged with governance, performance procedures, and reporting.

Good Bye Limited Scope Audit, Hello ERISA Section 103(a)(3)(C) Audit

Another significant change is that an audit performed pursuant to ERISA section 103(a)(3)(C) will no longer be referred to as a “limited scope audit” but rather going forward will be referred to as an “ERISA section 103(a)(3)(C) audit.” The new audit standard includes new performance and reporting requirements specific to ERISA section 103(a)(3)(C) audits.

Clarity on Management’s Responsibilities 

As part of the auditor’s acceptance of the audit engagement the auditor will request plan management (sponsor/administrator) to acknowledge in the engagement letter management’s responsibilities for:

  • maintaining a current plan instrument,
  • administering the plan, and
  • providing the auditor with a draft Form 5500 prior to the dating of the auditor’s report.

New Representations

In addition, the new standard requires that the auditor obtain certain written management representations at the conclusion of the engagement regarding those responsibilities. It also includes new acknowledgements related to management’s responsibilities with respect to the investment certification when management elects to have an ERISA Section 103(a)(3)(C) audit (previously called a “limited scope” audit as noted above).

Focus on Compliance

SAS No. 136 requires the auditor to perform certain procedures when planning and performing the audit that in the past were not expressly required. Most of the required procedures are already included as suggested audit procedures in the extant Audit and Accounting Guide, Employee Benefit Plans and our firm already performs these procedures. As a result, we do not expect the new requirements to result in significant changes to the procedures we perform. However, for some firm which do not currently perform the suggested procedures, substantial changes to audit planning and procedures may be necessary.

Effective Date

SAS No. 136 will be effective for audits of ERISA plan financial statements for periods ending on or after December 15, 2020. This means that 2020 year-end audits being performed in 2021 will be required to follow the performance and reporting requirements of this SAS, including using the new form of the auditor’s report. The EBP SAS prohibits early adoption.

Resources

The AICPA has published At a Glance, New Auditing Standard for Employee Benefit Plans which gives a summary of the changes coming for the benefit plan audits as well as the audit advisory, EBP SAS No. 136: Forming an Opinion and Reporting on Financial Statements of Employee Benefit Plans Subject to ERISA.

Details of the Key Changes of the New EBP SAS:

A new name and type of audit opinion – ERISA section 103(a)(3)(C) audits (previously referred to as “limited scope” audits)

An audit performed pursuant to ERISA section 103(a)(3)(C) will no longer be referred to as a “limited scope audit” but rather going forward referred to as an “ERISA section 103(a)(3)(C) audit.” The EBP SAS includes new performance and reporting requirements specific to ERISA section 103(a)(3)(C) audits.

The new EBP SAS notes that an ERISA section 103(a)(3)(C) audit is unique to EBPs and is not considered a scope limitation, therefore the auditor would no longer issue a modified opinion (typically a disclaimer of opinion) due to information that is certified by a qualified institution. Instead, the report provides a two-pronged opinion that is based on the audit and on the procedures performed relating to the certified investment information. It provides an opinion on whether the information not covered by the certification is presented fairly, and an opinion on whether the certified investment information in the financial statements agrees to or is derived from the certification.

Changes to form and content of auditor’s report

Report on audited financial statements

The EBP SAS significantly changes the form and content of the auditor’s report. The EBP SAS also includes reporting guidance when the auditor identifies a material inconsistency between the draft Form 5500 and the ERISA plan financial statements that requires revision of the audited ERISA plan financial statements or the Form 5500 and management refuses to make the revision.

For the first time, Generally Accepted Auditing Standards (GAAS) requires an ordering of certain report elements for all audit engagements, including ERISA audits. The “Opinion” section is required to be placed first, followed by the “Basis for Opinion” section. The “Basis for Opinion” section is new for all entities for which an opinion is issued, which includes a statement that the auditor is required to be independent. For ERISA section 103(a)(3)(C) reports the “Nature and Scope of the ERISA Section 103(a)(3)(C) Audit” section is required to be placed before the opinion and basis for opinion sections. The EBP SAS also requires the use of specific headings. The first section of the auditor’s report should include the auditor’s opinion and should have the heading “Opinion.” Directly following the “Opinion” section, the report should include a “Basis for Opinion” section. The content of the EBP SAS aligns with the requirements of SAS No. 134, Auditor Reporting and Amendments, Including Amendments Addressing Disclosures in the Audit of Financial Statements. It also contains incremental requirements specific to ERISA audits relating to management’s responsibilities for:

  • maintaining a current plan instrument, including all plan amendments,
  • administering the plan,
  • determining that the plan’s transactions that are presented and disclosed in the financial statements are in conformity with the plan’s provisions, and
  • maintaining sufficient records with respect to each of the participants, to determine the benefits due or which may become due to such participants

The EBP SAS includes illustrative auditor’s reports. In addition, the EBP SAS includes reporting guidance for the auditor’s report for audits:

  • Conducted in accordance with both GAAS and another set of auditing standards.
  • Where prior period financial statements were audited by a predecessor auditor.
  • Where prior period financial statements were not audited.

For an ERISA Section 103(a)(3)(C) audit:

Different reporting requirements apply to ERISA Section 103(a)(3)(C) audits, as follows:

  • The report provides a two-pronged opinion that is based on the audit and on the procedures performed relating to the certified investment information. It provides an opinion on whether the information not covered by the certification is presented fairly, and an opinion on whether the certified investment information in the financial statements agrees to or is derived from the certification. It also includes an additional sentence in the management’s responsibilities section related to the investment certification.
  • The first section of the auditor’s report should include a description of the scope and nature of the ERISA Section 103(a)(3)(C) audit and should have the heading “Scope and Nature of the ERISA Section 103(a)(3)(C) Audit.”
  • The auditor’s responsibilities section should state that:
    • state that the audit did not extend to the certified investment information, except for obtaining and reading the certification, comparing the certified investment information with the related information presented and disclosed in the financial statements, and reading the disclosures relating to the certified investment information to assess whether they are in accordance with the presentation and disclosure requirements of the applicable financial reporting framework.
    • accordingly, the objective of the ERISA Section 103(a)(3)(C) audit is not to express an opinion about whether the financial statements as a whole are presented fairly, in all material respects, in accordance with the applicable financial reporting framework.

Report on ERISA-required supplemental schedules

For an audit not subject to ERISA Section 103(a)(3)(C), the EBP SAS now requires the auditor, in situations when the auditor’s report on the audited financial statements contains an unmodified or a qualified opinion, to include a statement about whether, in the auditor’s opinion, the form and content of the information in the accompanying schedules are presented in conformity with the Department of Labor’s Rules and Regulations for Reporting and Disclosure under ERISA.

Other key provisions of the EBP SAS

The new standard includes new requirements in all phases of an audit of ERISA plan financial statements. Other key provisions included in the SAS include the following:

Engagement Acceptance

The EBP SAS includes new engagement acceptance requirements in addition to the preconditions for an audit in AU-C section 210, Terms of Engagement. It requires that the auditor obtain the agreement of management that it acknowledges and understands its responsibilities for the following (which can be done through the engagement letter):

  • Maintaining a current plan instrument, including all plan amendments.
  • Administering the plan and determining that the plan’s transactions that are presented and disclosed in the plan financial statements are in conformity with the plan’s provisions, including maintaining sufficient records with respect to each of the participants to determine the benefits due or which may become due to such participants.
  • Providing to the auditor, prior to the dating of the auditor’s report, a draft of Form 5500 that is substantially complete.
  • When management elects to have an ERISA Section 103(a)(3)(C) audit, determining whether o an ERISA Section 103(a)(3)(C) audit is permissible under the circumstances,
    • the investment information is prepared and certified by a qualified institution as described in 29 CFR 2520.103-8,
    • the certification meets the requirements in 29 CFR 2520.103-5, and
    • the certified investment information is appropriately measured, presented, and disclosed in accordance with the applicable financial reporting framework

Risk Assessment

The EBP SAS requires that the auditor:

  • Obtain and read the most current plan instrument for the audit period, including effective amendments, as part of obtaining an understanding of the entity sufficient to perform risk assessment procedures.
  • Consider whether to test specific plan provisions as part of risk assessment. Because of the nature of ERISA audits, it would be rare for the auditor, based upon the assessed risks of material misstatement at the relevant assertion level, not to test any relevant plan provisions. The EBP SAS includes an appendix A that provides some examples of plan provisions often included in a plan instrument by audit area.

Planning and Fieldwork

The EBP SAS requires that the auditor perform the procedures necessary to become satisfied that received and disbursed amounts (for example, employer or employee contributions and benefit payments) reported by the trustee or custodian were determined in accordance with the plan provisions. When designing and performing audit procedures, the auditor is required to consider:

  • Relevant plan provisions that affect the risk of material misstatement at the relevant assertion level for classes of transactions, account balances, and disclosures.
  • Whether management has performed the relevant IRC compliance tests, including but not limited to, discrimination testing, and has corrected or intends to correct failures, as applicable.

The auditor also is required to evaluate:

  • Whether prohibited transactions identified by management or as part of the audit have been appropriately reported in the applicable ERISA-required supplemental schedules.
  • Whether items identified that are not in accordance with the criteria specified (for example, not in accordance with the plan instrument), are reportable findings as defined in the EBP SAS.

When management elects to have an ERISA Section 103(a)(3)(C) audit, the auditor also is required to:

  • Inquire of management about how management determined that the entity preparing and certifying the investment information is a qualified institution under DOL rules and regulations, and evaluate management’s assessment of whether the institution is qualified.
  • Perform the following procedures on the certified investment information:
    • Obtain from management and read the certification as it relates to investment information prepared and certified by a qualified institution.
    • Compare the certified investment information with the related information presented and disclosed in the ERISA plan financial statements and ERISA-required supplemental schedules.
    • Read the disclosures relating to the certified investment information to assess whether they are in accordance with the presentation and disclosure requirements of the applicable financial reporting framework.
  • Identify which investment information is certified, and perform audit procedures on the financial statement information, including the disclosures, not covered by the certification as well as noninvestment-related information based on the assessed risk of material misstatement. Plans may hold investments in which only a portion are covered by a certification by a qualified institution. In that case, the auditor should perform audit procedures on the investment information that has not been certified.

Documentation

If the auditor has determined that it is not necessary to test any relevant plan provisions as part of risk assessment, the auditor is required to document the considerations in reaching such conclusion.

Review of Draft Form 5500

The EBP SAS requires the auditor to make appropriate arrangements with management to obtain the draft Form 5500, and read the draft Form 5500 in order to identify material inconsistencies, if any, with the audited ERISA plan financial statements prior to dating the auditor’s report. If the auditor identifies a material inconsistency, he or she should determine whether the audited ERISA plan financial statements or the draft Form 5500 needs to be revised.

Communications with Management and Those Charged with Governance

The auditor is required to make certain EBP-specific communications with management and/or those charged with governance, as follows:

  • Reportable findings (as defined in the EBP SAS) must be communicated in writing to management and those charged with governance in a timely manner in accordance with the requirements in other relevant AU-C sections.
  • The auditor is required to discuss with management prohibited transactions with a party in interest of which the auditor has become aware that have not been properly reported in the applicable ERISA-required supplemental schedule.
  • The auditor should communicate with those charged with governance the auditor’s responsibility with respect to Form 5500, procedures performed relating to Form 5500, and the results of those procedures.

The EBP SAS also addresses what the auditor should do when a material inconsistency between the draft Form 5500 and the ERISA plan financial statements is identified or when the auditor becomes aware of a material misstatement of fact.

For an ERISA Section 103(a)(3)(C) audit, if:

  • The auditor has concerns about whether the entity preparing and certifying the investment information is a qualified institution, the auditor is required to discuss his or her concerns with management. If management does not provide sufficient information that supports its determination that the entity preparing and certifying the investment information is a qualified institution, then the auditor should discuss his or her concerns with those charged with governance and determine the implications for the audit.
  • The auditor becomes aware that the certified investment information in the financial statements and related disclosures is incomplete, inaccurate, or otherwise unsatisfactory, the auditor should discuss the matter with management and perform additional procedures to determine the appropriate course of action.

The auditor should not issue a written communication stating that no reportable findings were identified during the audit.

Management Representations

The EBP SAS requires that the auditor obtain certain written management representations in addition to those required by AU-C section 580, as follows:

  • That management has provided the auditor with the most current plan instrument for the audit period, including all plan amendments.
  • Acknowledgement of its responsibility for administering the plan and determining that the plan’s transactions that are presented and disclosed in the ERISA plan financial statements are in conformity with the plan’s provisions, including maintaining sufficient records with respect to each of the participants to determine the benefits due or which may become due to such participants.
  • When management elects to have an ERISA Section 103(a)(3)(C) audit, acknowledgement that management’s election of the ERISA Section 103(a)(3)(C) audit does not affect its responsibility for the financial statements and for determining whether:
    • an ERISA Section 103(a)(3)(C) audit is permissible under the circumstances
    • the investment information is prepared and certified by a qualified institution as described in 29 CFR 2520.103-8
    • the certification meets the requirements in 29 CFR 2520.103-5, and
    • the certified investment information is appropriately measured, presented, and disclosed in accordance with the applicable financial reporting framework

Reporting

In addition, the EBP SAS includes new reporting requirements as follows:

When identified prohibited transactions have not been appropriately reported in the applicable ERISA-required supplemental schedules, the auditor is required to:

  • Modify the opinion on the supplemental schedule, when the effect of the transaction is material based on the financial statements as a whole.
  • Include additional discussion in the other-matter paragraph in the auditor’s report on the supplemental schedules describing the prohibited transaction if the effect of the prohibited transaction is not material to the financial statements.
  • If the prohibited party-in-interest transaction is material and is also considered a related party transaction, and that transaction is not properly disclosed in the notes to the plan financial statements, modify the auditor’s opinion on the financial statements due to a departure from the applicable financial reporting framework.

If you have any questions on how this new standard may affect your benefit plan audit, please do not hesitate to contact us.

Tagged under: , , , ,

What you can read next

IRS Terminating Proposed Penalty Notices for Untimely Filed or Incomplete Forms 5500
Plan Fiduciary Update: International Paper Settles Suit Over 401(k) Plan
DOL Seeks Input on Lifetime Income Illustrations Plan