Advanced Limited Scope Audit Issues

Posted by Maria T. Hurd, CPA


Plans that obtain a valid limited scope certification for the completeness and accuracy of investment information from a regulated financial institution such as a bank, trust company, or insurance company, can instruct their auditors to exclude investment information from the scope of their audit. In a limited scope audit, the auditor is still required to test all significant audit areas, such as contributions, benefit payments, participant loan processing, hardship distributions, participant data, eligibility to all plan features, and payroll. The extent of the audit procedures applied to each plan feature will vary from plan to plan, depending on the risk level assessed by the auditor using walk-through procedures for the plan processes, and examination of SOC 1 reports on the effectiveness of controls at service organizations.

Can authorized representatives of a regulated institution issue the certification?

DOL Reg. 2520.103-5(d)(1) provides that a limited scope certification must be signed by a person authorized to represent the insurance carrier, bank, or trust company. Each plan sponsor must determine, with the help of their auditor, whether entities issuing limited scope certifications on behalf of the regulated institutions are authorized to represent the eligible entities for this purpose. In our experience, recordkeepers that issue limited scope certifications under an agency relationship with a trustee or custodian can provide an explicit statement of authority from the regulated institution as part of the certification.

Must an auditor rely on a limited scope certification if instructed by the plan sponsor?

With the increasing complexity of investments held by retirement plans, many custodians or trustees that do not provide valuation services for hard-to-value investments will certify as to the best information available to them, which may not represent fair value at year end. For this reason, auditors cannot blindly accept a limited scope certification without performing some due diligence regarding certification process for investments without a readily determinable fair market value. When auditors determine that the certified values do not represent fair value, they cannot exclude those values from the scope of the audit, since in that case, the certification would not constitute an appropriate basis for limiting the scope of the audit.

For investments properly covered by a valid limited scope certification, the auditor has no responsibility to test the accuracy or completeness of investment information, obtain an understanding of internal controls maintained by the certifying institution over investments held and investment transactions executed for the plan, or assess control risk associated with asset valuation and investment earnings. For investments excluded from the limited scope certification, the auditor must apply audit procedures to ensure that the fair value is in conformity with U.S. Generally Accepted Accounting Principles (GAAP) as promulgated by the Financial Accounting Standards Board (FASB).