In July 2019, the AICPA issued SAS 136, which makes significant changes to virtually every aspect of audits of employee benefit plans covered by ERISA. The revision with the most significant impact on auditors is the effective replacement of the “limited scope audit” provisions with new Section 103(a)(3)(C) audit rules. The SAS is effective for periods ending on or after December 15, 2020. Early adoption is not permitted.
In May 2015, the Department of Labor (DOL) released a report on audit quality. The findings disclosed that 39% of the audits in its samples contained major deficiencies with respect to one or more relevant GAAS requirements which would lead to rejection of a Form 5500 filing, putting $653 billion and 22.5 million plan participants and beneficiaries at risk. Close to 60% of the limited scope audits in the study were found to contain audit deficiencies. There are four statistically based studies from 1988 to 2014 which show the increase in the percentage of plan audits that do not comply with professional audit standards over the past 26 years. During this period, the percentage of limited-scope audits has increased from 48% in 2001 to 83% in 2013. It appears that the increase in non-compliant audits corresponds with the increase in the number of limited-scope audits. In other words, it appears that the increased number of limited-scope audits has contributed to declining audit quality.
Under a limited scope audit, there was a misconception that auditors don’t have to do any work at all since they would be issuing a disclaimer anyway; this misinterpretation is evidenced by the DOL report on audit quality (see above). In response to these deficiencies, the AICPA created the ERISA Section 103(a)(3)(C) audit provisions to impose new duties on auditors performing engagements in which plan management elects to exclude plan investment information. Instead of issuing disclaimers, auditors must issue an opinion that excludes the certified assets and must obtain and evaluate management representations as to which investment information is certified, and that the entity issuing the certification is a qualified institution under DOL regulations, such as a bank or insurance carrier. The new rules significantly increase the auditor’s responsibilities in performing audits under a Section 103(a)(3)(C) election.
The auditor should perform the following procedures during an ERISA Section 103(a)(3)(C) audit:
- Evaluate management’s assessment of whether the entity issuing the certification is a qualified institution under the DOL’s rules and regulations.
- Identify which investment information is certified.
- Obtain from management and read the certification as it relates to investment information prepared and certified by a qualified institution.
- Obtain the agreement of management that it acknowledges and understands its responsibility for determining the certified investment information is appropriately measured, presented, and disclosed in accordance with the applicable financial reporting framework.
- Compare the certified information with the related information presented and disclosed in the ERISA plan financial statements and ERISA-required supplemental schedules.
- Read the disclosures relating to the certified investment information to assess whether they are in accordance with the presentation and disclosure requirements of the applicable financial reporting framework.
- If, as part of the procedures performed above, the auditor becomes aware that the certified investment information in the financial statements and related disclosures is incomplete, inaccurate, or otherwise unsatisfactory, the auditor should discuss the matter with management and perform additional procedures to determine the appropriate course of action.
- Based on the assessed risk of material misstatement, the auditor should perform audit procedures on the financial statement information not covered by the certification, including the disclosures, as well as noninvestment-related information. Plans may hold some investments that are not covered by certification. In that case, the auditor should perform audit procedures on the investment information that has not been certified.
- For all audits of ERISA plan financial statements, including an ERISA Section 103(a)(3)(C) audit, the auditor should perform the procedures necessary to become satisfied that received and disbursed amounts reported by the trustee or custodian were determined in accordance with the plan provisions.
The new language in the audit report provides better clarity regarding management’s responsibility and the auditor’s responsibility, as well as an opinion on the financial statements in the case of ERISA Section 103(a)(3)(C) audits, which will hopefully alleviate some of the concerns and misunderstandings regarding the value and the extent of work that is required in an EBP-specific limited scope audit.