Changes Are Coming To Your ERISA Benefit Plan Audit
(Highlights of SAS 136)
In July 2019, the American Institute of Certified Public Accountants (AICPA) Auditing Standards Board (ASB) issued a new auditing standard for audits of employee benefit plans subject to the Employee Retirement Income Security Act of 1974 (ERISA), with the goal of improving audit quality and making the auditor’s report more relevant, clear, and easy to understand. The new standard is Statement on Auditing Standards (SAS) No. 136, Forming an Opinion and Reporting on Financial Statements of Employee Benefit Plans Subject to ERISA (SAS 136). The standard prescribes certain new performance requirements for ERISA plan financial statement audits and changes the form and content of the related auditor’s report. The full statement contains over one hundred pages, and we will discuss its highlights and explain what plan management needs to know.
One of the most significant changes is that what were formerly known as “limited scope audits” will now be known under SAS 136 as ERISA Section 103(a)(3)(C) audits. Under these types of audits, plan management can elect to exclude from the audit certain investment information a qualified institution holds and certifies. SAS 136 does not change anything in ERISA, and management is able to continue such an election. SAS 136 simply clarifies what is expected from the auditor, including specific procedures that are part of performing such an audit, and establishes a new form of audit report.
The unique scope limitation permitted under ERISA differs from a typical audit scope limitation, and the ASB wanted to clarify this distinction. Specifically, under ERISA Section 103(a)(3)(C) audits, the auditor no longer can issue a disclaimer of opinion simply because the auditor did not audit the certified investment information. Instead, the auditor’s report will provide for a two-part opinion. The auditor’s report will provide an opinion on whether the information not covered by the certification is fairly presented in all material respects and then also an opinion on whether the certified investment information agrees with, or is derived from, in all material respects, the certification. More information about changes to the auditor’s report is discussed below.
Under SAS 136, management will now be required to acknowledge its responsibility for maintaining a current plan instrument, administering the plan and determining that the plan’s transactions are presented and disclosed in conformity with the plan’s provisions, including maintaining sufficient records with respect to each of the participants to determine the benefits due or which may become due to such participants, as preconditions for the audit. Management also will have to acknowledge its responsibility under an ERISA Section 103(a)(3)(C) audit to determine whether such an audit is permissible, whether the investment information is prepared and certified by a qualified institution, whether the certification meets all necessary requirements and whether the certified information is appropriately measured, presented, and disclosed in accordance with the applicable financial reporting framework.
Under SAS 136, auditors will need to consider plan provisions in assessing the risks of material misstatement of the plan financial statements and designing their audit procedures. Auditors will be required to communicate in writing any “reportable findings” from these procedures to those charged with governance in a timely fashion. Reportable findings can include any noncompliance (or suspected noncompliance) with laws and regulations as well as any other issues or deficiencies the auditor believes warrant the attention of plan management.
As previously discussed, the form and content of the auditor’s report will change significantly under SAS 136. The auditor’s report will be longer than the auditor’s report under the previous standards. When management has elected an ERISA section 103(a)(3)(C) audit, the first section of the auditor’s report will describe the scope and nature of the ERISA section 103(a)(3)(C) audit, and will be immediately followed by the opinion and basis for opinion sections. Non-ERISA Section 103(a)(3)(C) audit reports will be required to present the opinion first. Two paragraphs that are also being revised, other than the two-part opinion previously discussed, are as follows:
- The “Management’s Responsibility” section of the auditor’s report will be expanded to reflect the preconditions previously discussed, as well as management’s responsibility for a going concern evaluation.
- The “Auditor’s Responsibility” section of the auditor’s report also receives an update that will more clearly outline the auditor’s responsibilities in an ERISA benefit plan audit.
One final change to be aware of under SAS 136 has to do with the auditor’s responsibility to obtain and read a draft of the plan’s Form 5500. Under current standards, auditors are able to issue the auditor’s report prior to the Form 5500 being substantially complete. Under the new standard, auditors will be required to obtain a substantially complete draft of the Form 5500 prior to issuing their report. A “substantially complete” draft includes the forms and schedules that could have a material effect, involving both qualitative and quantitative considerations, on the information in the financial statements and ERISA-required supplemental schedules.
So, what do these changes mean for plan sponsors and management of ERISA benefit plans subject to annual audits? The amount of additional effort required on the part of the auditor and management will depend on the current procedures performed by both parties in comparison to the new standard. Many auditors already are performing the procedures required under SAS 136. In many instances, management already may have sufficient controls over maintaining a current plan instrument, plan administration and determining that the plan’s transactions are presented and disclosed in conformity with the plan’s provisions. In these cases, the largest difference may be terminology changes and an updated auditor’s report. However, in some cases auditors now may be required to perform additional procedures to assess risks and comply with the standard. In the case of ERISA section 103(a)(3)(C) audits (formerly limited scope), management must be prepared to support its conclusion that it qualifies for this type of audit and that it has appropriately assessed the qualifications of the certifying institution. Lastly, plan sponsors need to make arrangements with the preparer of the plan’s 5500 to ensure that auditors will have timely access to a substantially completed Form 5500 prior to issuing the auditor’s report.
SAS 136 and the highlights described above will take effect for audits of financial statements for periods ending on or after December 15, 2020, and early implementation is not permitted. The full text of the standard, including an example of the revised auditor’s report, can be found here.
If you have any questions regarding SAS 136, please contact Spencer Hathaway or your BNN advisor at 800.244.7444.