The Statement on Auditing Standards (SAS) No. 136, Forming an Opinion and Reporting on Financial Statements of Employee Benefit Plans Subject to ERISA, requires auditors to communicate in writing reportable findings from audit procedures to management or those charged with governance on a timely basis.
The SAS-136-required written communication should include the following:
- Description of reportable finding
- Sufficient information for those in governance to understand the context
- Explanation of the potential effects of the reportable findings on the financial statements or the benefit plan
SAS 136 defines reportable findings as matters that include one or more of the following:
- An identified instance of noncompliance, or suspected noncompliance, with laws or regulations in accordance with AU-C Section 250
- A finding arising from the audit that is, in the auditor’s professional judgment, significant and relevant to those charged with overseeing the financial reporting process in accordance with AU-C Section 260
- An indication of deficiencies in internal controls identified that have not been communicated to management by others and that are of sufficient importance to merit management’s attention in accordance with AU-C Section 265
SAS 136 does not provide examples of “reportable findings,” but based on the criteria outlined above they could be based on the auditor’s “professional judgment” or on an instance of noncompliance. The U.S. Department of Labor’s Employee Benefits Security Administration (EBSA), however, may offer potential examples of “reportable findings.” In 2015, EBSA issued Assessing the Quality of Employee Benefit Plan Audits, in which EBSA estimated that 39% of ERISA audit plan audits had major deficiencies. Those noted included, but are not limited to, the following:
- Failure to report timeliness of participant contributions
- Failure to report that the plan was not following the plan’s definition of compensation for determining contributions
- No documentation of testing investment values or investment income
- Over reliance on SOC 1 reports
- Participant loans were not in compliance with the plan document
- Over reliance on certifying entities’ certification on investments
- No documentation for compliance with laws and regulations
- No testing of forfeitures
Another resource for identifying “reportable findings” could be the EBSA’s Reporting Compliance Enforcement Manual, Chapter 4, “Office of the Chief Accountant Enforcement Programs.” The Office of the Chief Accountant conducts augmented review on the working papers prepared by plan auditors. Audit areas selected for review include the following:
- Assessment of the risk of fraud
- Investments and investment transactions
- Contributions received and receivable
- Benefit payments
- Participant data
- Plan obligations
Understanding EBSA-identified deficiencies and the areas of focus on augmented workpaper reviews highlight the areas that are more prone to reportable findings than others. Below are some matters an auditor should evaluate when considering if they have any reportable findings:
- Not following the plan document for eligible compensation, eligibility, loans, required minimum distributions, vesting, use of forfeitures, entrance into the plan
- No review or verification of census data (date of birth, date of hire, rate of pay, or eligible compensation)
- No review by plan administrator of plan documents, financial statements, or payroll information
- Over-reliance on SOC 1 and 2 reports or no copy of these reports
- Lack of documentation supporting review of SOC 1 and 2 reports or compliance with end-user controls
- Lack of documentation supporting review of cybersecurity at the plan level, plan sponsor, or third-party service provider(s)
- Lack of documentation on reviewing timeliness of contributions
- Lack of documentation on reviewing allocation of investment income to plan participants
- Lack of documentation on participant’s note receivable to the plan or compliance with the plan document
- Lack of documentation regarding plan’s compliance with laws and regulations
Conclusion
As part of the written communication of reportable findings, the auditor may want to identify the underlying cause of the finding, how to remediate the finding, and what changes need to be implemented to policies and procedures to prevent the situation from reoccurring.
SAS 136 states that reportable findings should be included within the required communication with those charged with governance, either in a separate section or placed in such communication as the auditor deems appropriate. Communication with those charged with governance may be combined in a single written communication covering all reporting matters. If the auditor does not identify any reportable findings, the auditor is prohibited from issuing a written communication stating that no reportable findings were identified during the audit.
SAS 136 is effective for audits of ERISA plan financial statements for periods ending on or after Dec. 15, 2021. This means most plan sponsors will see the impact of the new standard for their 2021 year-end audits completed in 2022.
The original article appeared in the Pennsylvania CPA Journal.