Changes To ERISA Audits And Reporting

The Times They Are-a-Changin, Part II

In July 2019, the AICPA issued SAS 136, Forming an Opinion and Reporting on Financial Statements of Employee Benefit Plans Subject to ERISA. SAS 136 is effective for periods ending on or after December 15, 2021. The purpose of SAS 136 is to “clarify” the auditor’s responsibility in forming an opinion on ERISA plan financial statements. It also addresses the form and expands the content of the auditor’s report.

The clarifications were driven, in part, in response to a study by the U.S. Department of Labor (“DOL”) that found major deficiencies in a significant number of ERISA audits it reviewed. According to the DOL, this study, published in 2015, found that 39% of the ERISA audits had major deficiencies, putting over 22 million plan participants and beneficiaries at risk.

What is SAS 136 All About? As presented in the standard, the objective of SAS 136 are:

  1. Perform an ERISA audit only if preconditions for the audit are agreed upon with management.
  2. When management elects an ERISA Section 103(a)(3)(C) audit (presently known as a limited scope audit), appropriately plan and perform procedures on the certified investment information required by SAS 136 and ERISA.
  3. Form an opinion on the financial statements based on the audit evidence obtained.
  4. Clearly express the opinion of the ERISA plan financial statements.
  5. Perform procedures and report on the presentation of supplemental information.
  6. Appropriately communicate to management and those charged with governance reportable findings.

So here we go. SAS 136 is relatively large. We have outlined some, but not all, of the significant provisions of SAS 136.

Engagement Letter. SAS 136 requires the auditor to obtain the following from management via the engagement letter:

  1. Management is to agree that it is their responsibility to:
    • Maintain current plan instruments, including all plan amendments.
    • Administer the plan and determine that transactions disclosed in the financial statements conform with the plan’s provisions. This includes maintaining sufficient records concerning each participant to determine benefits due.
    • When management elects to have a Section 103(a)(3)(C) audit, determine if:
      • such an audit is permissible,
      • the investment information is prepared and certified by a qualified institution as described in 29 CFR 2520.103-8,
      • the certification complies with 29 CFR 2520.103-5, and
      • the certified information is appropriately measured, presented, and disclosed.
  2. The auditor should inquire how management determined that the entity preparing and certifying the Section 103(a)(3)(C) investment information is a qualified institution.
  3. The auditor should also obtain agreement with management or those charged with governance to provide the auditor, before the dating of the auditor’s report, a draft Form 5500 that is substantially complete.

What Are The Auditor’s Responsibilities?
SAS 136 also emphasizes the auditor’s responsibility to:

  1. Read the most current plan instrument and effective amendments in connection with assessing the audit risk.
  2. Consider whether management has performed the relevant Internal Revenue Code compliance tests
  3. Evaluate whether prohibited transactions have been appropriately reported
  4. Evaluate whether matters are reportable findings. Reportable findings include:
    • noncompliance or suspected noncompliance with laws or regulations,
    • any finding that should be significant and relevant to those charged with governance, and
    • an indication of deficiencies in internal control.
    • The auditor should not communicate in writing that no reportable findings were identified during the audit.

  5. Evaluate management’s assessment of whether the entity issuing the Section 103(a)(3)(C) certification is a qualified institution.
  6. Expand the management representation letter to include representation that:
    • management has provided the most current plan instrument for audit, including all plan amendments,
    • management is responsible for administering the plan and determining that transactions are presented and disclosed according to plan provisions, including sufficient records relating to benefits due participants.
    • When management elects to have a Section 103(a)(3)(C) audit, an acknowledgment that management’s election does not affect its responsibility for the financial statements and for determining whether:
      • Section 103(a)(3)(C) audit is permissible,
      • the investment information is prepared and certified by a qualified institution,
      • the certification meets the requirements in 29 CFR 2520.103-5, and
      • the certified investment information is appropriately measured, presented, and disclosed in accordance with the applicable financial reporting framework.

Different Auditor’s Report. The content and arrangement of the sections of the auditor’s report have changed. As a result, the auditor’s report (other than a Section 103(a)(3)(C) audit discussed below) is as follows.

  1. Title. As usual, the auditor’s report should have a title that clearly indicates that the report is that of an independent auditor
  2. Addressee. The report should be addressed as appropriate.
  3. Auditor’s Opinion. The first section is the auditor’s opinion. Accordingly, the opinion is now front and center instead of buried at the bottom of the report.
  4. Basis for Opinion. The next section is the “Basis of Opinion.”
  5. Going Concern. When applicable, the auditor should report per AU-C section 570, The Auditor’s Consideration of an Entity’s Ability to Continue as a Going Concern.
  6. Key Audit Matters. When engaged to do so, the auditor reports key audit matters under AU-C section 701. (See our blog posted September 15, 2021, for a discussion of key audit matters – it’s new.)
  7. Responsibilities of Management for the Financial Statements. This section describes management’s responsibility for:
    • the preparation and fair presentation of the financial statements,
    • when required by the applicable financial reporting framework, evaluating conditions and events that raise substantial doubt about the plan’s ability to continue as a going concern,
    • maintaining a current plan instrument, including all plan amendments,
    • administering the plan and determining that the plan’s transactions conform with the plan’s provisions, including keeping sufficient records regarding participant benefits
  8. Auditor’s Responsibilities for the Audit of the Financial Statements.
    • This section should state that the objectives of the auditor are to:
      • obtain reasonable assurance about whether the financial statements are free from material misstatement, whether due to fraud or error, and
      • issue an auditor’s report that includes the auditor’s opinion,
      • state that reasonable assurance is a high level of assurance, but not absolute,
      • state that the risk of not detecting a material misstatement resulting from fraud is higher than one resulting from error,
      • state that misstatements are material if, individually or in the aggregate, they could reasonably be expected to influence the economic decision of the users of the financial statements.
    • There are additional required wording related to:
      • exercise of professional judgment and maintenance of professional skepticism,
      • identification and assessment of risks of material misstatement, whether due to fraud or error and the design and performance of audit procedures in response to those risks,
      • obtaining an understanding of internal control to design audit procedures, but not to express an opinion on internal control,
      • evaluating the appropriateness of accounting policies and estimates, and evaluating the overall presentation of the financial statements,
      • concluding whether there is substantial doubt about going concern,
      • stating that the auditor is required to communicate with those charged with governance regarding certain matters.
  9. Modifications to the Opinion. The next section is to explain any modifications the auditor may have to the standard report.
    • Qualified opinion,
    • Inability to obtain sufficient appropriate audit evidence,
    • Adverse opinion.
  10. ERISA-Required Supplemental Schedules. This section of the report addresses whether the ERISA-required supplemental schedules are fairly stated
  11. Other Reporting Resposibilities. If the auditor addresses other reporting responsibilities in addition to GAAS, it is reported in a section titled “Report on Other Legal and Regulatory Requirements.”
  12. Conclusion. The report is concluded with the auditor’s signature, address, and date of the auditor’s report.

Not The Same Old Limited Scope Auditor’s Report. The auditor’s report for an ERISA section 103(a)(3)(C) audit arrangement is as follows.

  1. Scope and Nature of the ERISA Section 103(a)(3)(C) Audit
    • The first section should include a description of the scope and nature of the ERISA Section 103(a)(3)(C) audit and should have the heading “Scope and Nature of the ERISA Section 103(a)(3)(C) Audit.
    • This section includes several requirements describing the limitation of the auditor’s report under this section of ERISA.
  2. Auditor’s Opinion. If no material misstatements are identified, and no scope limitations exist, the auditor’s report should include a statement that:
    • the amounts and disclosures, other than those agreed to or derived from the certified investment information, are presented fairly, in all material respects, in accordance with the applicable framework,
    • the information related to assets held by and certified by a qualified institution agrees to, or is derived from, in all material respects, the information prepared and certified by an institution that management determined meets the necessary ERISA requirements,
    • identifies the applicable financial reporting framework
  3. Basis for Opinion. This section should:
    • state that the audit was conducted in accordance with US GAAS
    • refer to the section of the report that describes the auditor’s responsibilities for GAAS,
    • state that the auditor is required to be independent of the plan and meets other ethical requirements,
    • state whether the auditor believes that audit evidence is sufficient and appropriate to provide a basis for the ERISA Section 103(a)(3)(C) audit opinion.
  4. Going Concern. Next is the going concern section.
  5. Key Audit Matters. If so engaged to do so, the key audit matters section follows.
  6. Responsibilities of Management for the Financial Statements. This section describes management’s responsibility for the following:
    • the preparation and fair presentation of the financial statements following the applicable framework, and for the design, implementation, and maintenance of internal control relevant to the preparation and fair presentation of financial statements that are free from material misstatement, whether fraud or error,
    • the election of the ERISA section 103(a)(3)(C) audit and that the election does not affect management’s responsibility for the financial statements,
    • going concern discussion,
    • maintaining a current plan, including all amendments,
    • administering the plan.
  7. Auditor’s Responsibilities for the Audit of Financial Statements. The auditor should do the following:
    • state that except for investments under ERISA section 103(a)(3)(C), the auditor’s objectives are to
      • obtain reasonable assurance about whether the financial statements are free from material misstatements,
      • issue an auditor’s report that includes the auditor’s opinion
    • state that reasonable assurance is a high level of assurance, etc.,
    • state that the risk of not detecting a material misstatement from fraud is higher than that of an error,
    • describe what constitutes a material misstatement,
    • exercise professional judgment and skepticism,
    • identify and assess risks of material misstatement and design and perform procedures responsive to those risks
    • obtain an understanding of internal control to design appropriate audit procedures, but not for expressing an opinion on the plan’s internal control,
    • evaluate the appropriateness of accounting policies and estimates, and evaluate the overall presentation of the financial statements,
    • conclude if conditions or events in the aggregate raise substantial doubt about the plan’s ability to continue as a going concern,
    • state that the audit did not extend to the certified investment information, except for specific limited procedures performed
    • state that the objective of an ERISA section 103(a)(3)(C) is not to express an opinion about whether the financial statements as a whole are fairly presented,
    • and state that the auditor is required to communicate with those charged with governance certain matters.
  8. Modifications to the Opinion. The next section is to explain any modifications the auditor may have to the standard report.
    • Qualified opinion,
    • Inability to obtain sufficient appropriate audit evidence,
    • dverse opinion.
  9. ERISA-Required Supplemental Schedules
    • This section of the report addresses whether the ERISA-required supplemental schedules are fairly stated.
  10. Other Reporting Resposibilities
    • If the auditor addresses other reporting responsibilities in addition to GAAS, it is reported in a section titled “Report on Other Legal and Regulatory Requirements.”
  11. Conclusion. The report is concluded with the auditor’s signature, address, and date of the auditor’s report.