The American Institute of Certified Public Accountants (‘AICPA’) has issued Statement on Auditing Standards (‘SAS’) 136, Forming an Opinion and Reporting on Financial Statements of Employee Benefit Plans Subject to ERISA. This standard’s effective date was delayed from the original date to offer implementation relief during the COVID-19 pandemic and will now become effective for audits of the plan’s financial statements for periods ending on or after December 15, 2021 (early implementation is permitted).
Limited Scope Audits vs. ERISA Section 103(a)(3)(c) Audits (‘103(a)(3)(c) Audits’)
One change integral to the standard overall is the elimination of what has been traditionally referred to as ‘limited scope’ audits, which comprises a majority of all plan audits performed. Now referred to as 103(a)(3)(C) audits, the audit report cannot ‘disclaim’ an opinion and will provide a clearer depiction of the responsibilities of plan management and the plan auditor. As a result, a 103(a)(3)(c) audit will now have a two-part opinion to include not only opining on the proper form and presentation of certified investment information (including whether the information presented agrees to or is derived from the information being certified), but also an opinion on whether information not covered by the investment certification is presented fairly.
Revised Auditor’s Report Formats
The new auditor’s report will be rearranged to emphasize the auditor’s opinion as well as to detail expanded responsibilities for both plan management and plan auditors. If plan management elects a 103(a)(3)(c) audit, a “Nature and Scope of the ERISA Section 103(a)(3)(c) Audit” section is required to be presented prior to the auditor’s opinion and acknowledges management’s election to perform an ERISA 103(a)(3)(c) audit, which also includes additional responsibilities of plan management.
Note that in the initial year of implementation: whereas the prior year’s audit was a DOL-permitted limited scope audit, the current year’s audit will be a 103(a)(3)(c) audit, and two reports will be issued. The current year audit report will be the new 103(a)(3)(c) report, and the prior year will be the previous format of a DOL-allowable disclaimer, reissued for the current year audit report date.
Expanded Management Responsibilities
For all plan audits, the standard clarifies that management has responsibilities including:
- maintaining a current plan instrument (including all plan amendments)
- properly administering the plan
- determining that the plan’s transactions are presented and disclosed in the financial statements in conformity with the plan’s provisions, including maintaining sufficient records with respect to each participant (with either current or future benefits under the plan)
- provide the auditor with, at a minimum, a substantially complete draft of Form 5500
- (for 103(a)(3)(c) audit) acknowledge their responsibility for assessing if a 103(a)(3)(c) audit is permissible, including whether the investment information is prepared and certified by a qualified institution and the certification complies with the requirements of 29 CFR 2520.103-5. Management should complete this assessment for each reporting period
Expanded Auditor Responsibilities
Also applicable to all plan audits, your auditors will have some expanded responsibilities that may result in new questions and additional discussions during your audit. These new responsibilities range from:
- engagement acceptance
- audit risk assessment and planning (including the auditor’s consideration of relevant plan provisions and testing of such provisions)
- communications of reportable findings with those charged with governance
- additional responsibilities relating to ERISA-required supplemental schedules and Form 5500, such as whether prohibited transactions identified by management (or via audit procedures) have been properly reported
- (for 103(a)(3)(c) audit) obtain management’s evaluation of whether such an audit is permissible as mentioned above
You may also see increased communication from your auditor to management and those charged with governance, due to requirements to communicate reportable findings, including noncompliance with the provisions of the plan instrument and identified or suspected noncompliance with laws or regulations. Auditors are tasked with further evaluating internal control findings or other errors observed during the plan audit to determine if the matter is deemed as a reportable finding. Evaluation criteria the auditor may use in making this determination includes what gave rise to the issue or finding, how the issue or finding was identified and corrected, the nature of the issue or finding and whether the issue or finding is indicative of a lack of management’s oversight of the plan including outsourced service providers, reporting expertise and understanding of the plan.
The standard indicates that examples of matters that may need to be evaluated include:
- misapplication of plan provisions
- untimely contributions
- census data errors
- failure to perform required non-discrimination compliance testing
- financial reporting or disclosure misstatement
- insufficient monitoring of the plan’s service organizations (including review of their SOC 1 reports)
- inadequate complimentary user entity controls
Ultimately, this standard is intended to improve the communicative value and audit transparency of the auditor’s report to reflect the complex and specialized nature of plan audits and address the DOL’s request for plan auditors to issue a formal opinion on 103(a)(3)(c) (formerly limited scope) audits that can withstand a rigorous degree of scrutiny.
Not only does the change in the standards portray the need for a high quality, knowledgeable employee benefit plan audit expert; it also demonstrates the importance of plan management’s active oversight in administering and monitoring the plan throughout the year.
For assistance with your employee benefit plans and implementation of SAS 136, please contact your trusted Sikich advisor.
The complete auditing standard can be viewed at: https://www.aicpa.org/content/dam/aicpa/research/standards/auditattest/downloadabledocuments/sas-136.pdf.