New Financial Audit Rule Increases Requirements for Plan Sponsors

Retirement plan sponsors that are required to submit a financial audit with their Form 5500 filings next year will find they have more responsibilities related to the audit.

In July 2019, the American Institute of Certified Public Accountants (AICPA) issued a new audit standard for employee benefit plans, SAS 136, or “Statement on Auditing Standards (SAS) No. 136, Forming an Opinion and Reporting on Financial Statements of Employee Benefit Plans Subject to ERISA [the Employee Retirement Income Security Act].” SAS 136 was originally effective for periods ending on or after December 15, 2020; however, due to the COVID-19 pandemic, the effective date was delayed to this coming December 15.

Timothy Verrall, a shareholder in law firm Ogletree Deakins’ Houston office, notes that the effort to enhance audit requirements has been in the works for years. The 2010 ERISA Advisory Council studied employee benefit plan auditing and financial reporting models and found that many deficiencies in limited-scope audits of retirement plans might be due to misunderstandings. In a 2011 report, the council concluded that the limited-scope audit should not be repealed, but its quality and required certifications should be reinforced and strengthened.

For background, two main types of audits are permissible for Form 5500s: limited scope and full scope. A limited-scope audit is more focused on the participants in the plan and aims to ensure their accounts are correct, whereas a full-scope audit delves into more detailed testing of plan investments. To qualify for a limited-scope audit, the qualified institution holding the assets of the plan must certify the “completeness and accuracy” of the reports.

But, in the past, regulators have found problems with those audits. In May 2015, the Department of Labor (DOL)’s Employee Benefits Security Administration (EBSA) issued a report looking at Form 5500s filed for 2011 plan year, Verrall explains. It picked 400 out of the more than 80,000 audits filed with the Form 5500s and found 39% had major deficiencies.

“The agency found some were deficient based on audit standards and some were deficient by ERISA standards,” Verrall says. “Audit quality was all over the place. Information was not getting assessed correctly, and noncompliance was not getting surfaced.”

He adds that the EBSA concluded limited-scope audits were a big problem because auditors didn’t evaluate or scrutinize important data they received from recordkeepers; they just signed off on the data. The study also found audit firms that don’t do a lot of plan audits have lower-quality audits, but top plan auditors didn’t have as many major errors.

Verrall says the report pushed for the AICPA to modify audit standards so auditors would do a better job and ask better questions of plan sponsors. That’s what led to SAS 136.

Changes in Plan Sponsor Responsibilities

Currently, plan sponsors just supply information to auditors, who look at financial information in addition to plan administration, since that can affect plan health and financials, Verrall says.

He explains that, typically, most audit firms send a letter to the designated plan management that includes two or three pages of questions inquiring about events such as investments that went bust and the termination of service providers, as well as what happened to the plan during the year covered by the audit. “Auditors just took plan sponsors’ word for it,” he says. Auditors would also look at plan administration items such as how many new loans participants took and whether loan repayments were made. Verrall notes that auditors would use a data feed to do some spot-checking of a sample.

“The theory was if you have a random sampling and find problems of a particular type, it was indicative of a greater issue,” he explains. “Then, the auditors would have a discussion with the plan management representative and raise issues.”

However SAS 136 will bring some big changes, Verrall says. “Limited-scope audits are not limited scope anymore,” he explains. “Limited-scope audits essentially allowed auditors to take plan providers’ word about inflows and outflows of cash, and they didn’t verify information was correct. This is one of the issues the DOL identified as a problem in its 2015 study.”

Now, what used to be called a limited-scope audit is an ERISA Section 103(a)(3)(C) audit. Verrall explains that the letter the auditor will provide to the plan management representative will be more detailed and will require plan sponsors to deliver more content. He says it will require plan sponsors to first investigate and confirm they are eligible for this type of audit; they’ll then have to make a representation in writing that they are eligible for the exception to the full-scope audit.

“Plan sponsors can expect to get a lot of questions about whether they are doing what they are supposed to do as far as plan management,” Verrall says. “Some plan sponsors will have to come up with some independent assessment, but for those with big providers to help, this will probably not be a big deal.”

Brent DeMay, a Naperville, Illinois-based partner in professional services firm Sikich’s accounting group who focuses on employee benefit plans, says the changes related to limited-scope audits are truly new requirements. He notes that limited-scope audits have traditionally accounted for the majority of financial audits and allowed auditors to issue a disclaimer of opinion, without giving a formal opinion. According to DeMay, this created a lack of transparency about what the auditor did.

“But now, auditors cannot disclaim an opinion; they must be clear about what they did as auditors,” he says. “SAS 136 also created a two-part opinion. A certification statement is still allowed concerning investments and investment income, although now auditors have to opine on the form and content of the certified information. However, auditors must also give a formal opinion on anything not in the investment certification.”

This leads to a new responsibility for plan sponsors, he continues. “To elect to have Section 103(a)(3)(C) audit, plan sponsors have to engage an auditor for that scope of service, then sponsors have to confirm with their service providers that they can offer a complete and valid certification statement,” DeMay explains.

DeMay says one of the largest differences in SAS 136 compared with the previous language is more of a clarification than a change, because many additional performance requirements for plan sponsors were considered best practices in the past but were not formally clarified.

DeMay says plan sponsors will need to provide a written report to plan auditors acknowledging they have taken responsibility for plan administrative duties. This might include acknowledging that plan documents are maintained and remedial amendments adopted timely, that the plan is being operated according to provisions of the plan document and that the plan sponsor is maintaining sufficient records for any current or future benefits owed to participants. DeMay notes that’s not an exhaustive list.

He says the written representation will be attached to the auditor’s opinion. “These changes make the audit opinion more valuable,” DeMay says. “From a communications standpoint, SAS 136 offers more transparency about responsibilities for auditors and plan sponsors. A lot of what’s in the standard falls on the auditor, but the biggest thing for plan sponsors to be aware of is the clarification on having a renewed focus on active oversight of the plan.”

DeMay says the certification that the plan sponsor is maintaining sufficient records for any current or future benefits under the plan is unique. He says there has not been a safe harbor on record retention, but the new standard says records need to be maintained as long as a participant has a current or future benefit under the plan.

Another big change, Verrall says, is that plan sponsors will be required to provide the auditor with a substantially complete draft of the plan’s Form 5500 and its schedules before the audit so the auditor can compare the form to its findings and let plan sponsors know if there will need to be corrections to the form. “This is intended to plug the differences between information on the Form 5500 and the audit report,” he says.

More Information Could Be Exposed

Verrall notes that SAS 136 also provides more specific direction to auditors on what the standard calls “reportable information,” which might be of concern for plan sponsors. He explains that auditors are required to report any significant noncompliance and findings of no internal controls.

“Either verbally or in writing, they have to tell plan management and those responsible for plan governance. It is to encourage wider dissemination of auditor findings to all involved on the plan sponsor side so there are no adverse findings fiduciaries don’t know about,” he says. “This is to minimize the chances of hiding issues and sweeping problems under the rug. Whether those findings go into the audit report is up to the auditor.”

The concern, Verrall says, is that the financial audit report is attached to the Form 5500 and is publicly available in the DOL’s EFAST system. Depending on how the auditor responds to the new standards, it may disclose more noncompliance issues, which will be publicly available.

“Anyone can look at it,” Verrall says, “One way lawsuits get started is people doing searches on Form 5500 data filings. This could potentially provide a new source of ammunition to plaintiffs’ lawyers.”

In addition, if an auditor finds a complicated problem, plan sponsors might not be able to solve it by the October 15 deadline for the extension of filing the Form 5500 and financial audit, Verrall says. “We are going to try to be in front of that so plan sponsors are not caught off guard about questions being asked and what will be publicly reported,” he notes.

It might be beneficial to get auditors to start the process earlier than usual so any issues can be corrected, Verrall suggests. Delays are usually a result of coordinating the provision of data and information, but there is nothing preventing plan sponsors and auditors from starting the process early, he says.

Verrall adds that the audit report is a prime opportunity for administrative errors to surface, but it offers plan sponsors an opportunity to clean up their plan, which is ultimately in their best interest. “There will be pain if the can is kicked down the road for years,” he says.

“I think the advice I would have for plan sponsors is to reach out to auditors with the intent to collaborate on implementation of the new standard,” DeMay says. “Auditors are looking to guide clients because this is one of the largest changes in presentation of financial audit opinions specific to employee benefit plans we’ve seen.”

Finding a Quality Plan Auditor

For the process to go smoothly and correctly, it’s important to find a first-class plan auditor. Verrall says the AICPA website has resources for finding quality plan auditors. The site gives an indication of whether auditors focus on and care about retirement plan audits.

DeMay says a starting point is the AICPA’s Employee Benefit Plan Audit Quality Center (EBPAQC). Many firms that specialize in employee benefit plan audits are members of the center.

When looking for a good auditor, DeMay says plan sponsors should recognize the need for knowledge of employee benefit plans.

“There are a lot of changes and clarifications in the new standard that fall to auditors specific to employee benefit plans. Plan sponsors need someone with that expertise,” he says. “A lot of firms have strong audit practices in a variety of industries, but that doesn’t necessarily translate to employee benefit plan audits.” DeMay suggests that plan sponsors interview audit firms that have an employee benefit specialty practice area.

Verrall says some audit firms—both large and small—are really known for their work in doing retirement plan audits. He notes that some small firms are cheaper than big ones, but plan sponsors will get a higher-quality audit if that’s all the firm does. He adds that bigger firms might give a more perfunctory audit. Plan sponsors need to consider whether they want to figure out their plan’s issues or minimally comply with DOL requirements.

Verrall suggests plan sponsors get referrals from their ERISA counsel about what auditors it has dealt with, and DeMay says plan sponsor’s investment advisers could point them in the right direction as well.

“I’d stress that the earlier plan sponsors reach out to auditors for collaboration, the better, to have a successful plan audit,” DeMay says.