In July 2019, the Auditing Standards Board issued its Statement on Auditing Standards 136, “Forming an Opinion and Reporting on Financial Statements of Employee Benefit Plans Subject to ERISA.” SAS 136 revamps the audit requirements for employee benefit plans subject to ERISA and is effective for plan financial statements for periods ending on or after Dec. 15, 2021.
Under SAS 136, what was previously known as a limited scope audit will now be called an ERISA Section 103(a)(3)(C) audit. There are significant changes in the audit and they generally focus on increased auditor and management responsibility. Increased auditor responsibility is necessary to increase the quality of the audits and the integrity of the profession. Increased management responsibility is critical to increasing plan compliance.
- Auditor responsibility. It’s old news that Department of Labor inspections have indicated that accounting firms that do not specialize in employee benefit plan audits have significantly higher deficiency rates than specialist firms. A common response from these firms is that EBP audits are “not real audits” and “It’s just a disclaimer of opinion.” Years of increased scrutiny from the DOL, peer reviewers, and enhanced oversight have brought the number of EBP auditors down from 7,330 in 2011 to 4,557 in 2019 (down 38%), but the core of the problem remains — many auditors do not understand the risks of the audit. SAS 136 has several changes that clearly explain that these are, in fact, real audits, and that the auditor has a significant amount of responsibility to perform the audit in accordance with professional standards.
- Management responsibility. Management often assumes that “The trust company takes care of everything.” Any real EBP auditor knows that management has a significant amount of responsibility over the plan and a lack of oversight of the plan often leads to noncompliance. When plan management does not administer the plan correctly, participants can be harmed, and the audit can be arduous. SAS 136 has incorporated several changes to clarify management’s responsibility as it relates to EBP-specific matters and ensures that the auditor is aware of it as well.
SAS 136 has numerous changes. Below are a few key areas to keep in mind, related to both auditor and management responsibility, as you audit your Dec. 31, 2021, year-end plans. SAS 136 has many other facets that you should consider in your audits, including communication with management and those charged with governance (“TCWG”), identifying and communicating reportable findings to TCWG, definitive language on changes to risk assessment, planning and field work, review of the draft Form 5500, and others. Firms should take proper continuing professional education and increase their time budgets to ensure adequate time is allocated to comply with the new standard.
Auditor’s report — opinion
The biggest change, by far, is that the auditor will no longer issue a disclaimer of opinion on the financial statements and supplemental schedule in their report, but instead will issue a report with a two-pronged opinion for both the financial statements and supplemental schedules as follows.
For the financial statements, the auditor will opine on whether:
- The amounts and disclosures in the financial statements not covered by the certification are presented fairly, in all material respects, in accordance with the applicable financial reporting framework.
- The certified investment information in the financial statements agrees to or is derived from, in all material respects, the certification.
For the supplemental schedule, the auditor will opine on whether:
- The form and content of the supplemental schedules, other than the information in the supplemental schedules that agrees to or is derived from the certified investment information, are presented, in all material respects, in conformity with the Department of Labor’s rules and regulations for reporting and disclosure under ERISA.
- The information in the supplemental schedules related to assets held by and certified to by a qualified institution agrees to, or is derived from, in all material respects, the information prepared and certified by an institution that management determined meets the requirements of ERISA Section 103(a)(3)(C).
Auditor’s report — management responsibility
The management’s responsibility section of the new auditor’s report includes an additional paragraph with language to detail management’s responsibility for EBP-specific matters, such as management’s responsibility for administering the plan; maintaining a current plan instrument, including all plan amendments; determining that the plan’s transactions that are presented and disclosed in the financial statements are in conformity with the plan’s provisions, including maintaining sufficient records with respect to each of the participants, to determine the benefits due or which may become due to such participants; and others.
In addition, this section of the report includes an explicit statement to clarify that management’s election of an ERISA Section 103(a)(3)(C) audit does not affect management’s responsibility for the financial statements.
Engagement acceptance
SAS 136 expands on engagement acceptance auditing standards to state that management must determine in writing that:
- It acknowledges and understands its responsibilities for the EBP-specific matters noted in the preceding paragraph;
- An ERISA Section 103(a)(3)(C) audit is permissible under the circumstances;
- Investment information is prepared and certified by a qualified institution as described in 29 CFR 2520.103-8, and the certification meets the requirements in 29 CFR 2520.103-5;
- The certified investment information is appropriately measured, presented and disclosed in accordance with the applicable financial reporting framework; and
- It must provide the auditor with a substantially complete 5500 prior to the date of the auditor’s report.
The auditor can accomplish these tasks through the engagement letter.
Also, the auditor must inquire with management on how management determined that the entity preparing and certifying the investment information is a qualified institution under DOL rules and regulations and document these inquiries.
Management representations
The auditor is required to obtain additional representations from management at the conclusion of the audit. Management must make representations regarding its additional responsibilities and the election of an ERISA Section 103(a)(3)(C) audit for the items discussed in the preceding management responsibility and engagement acceptance paragraphs.