Posted By: Christopher Ciminera, CPA
On July 19, 2019, the AICPA Auditing Standards Board issued SAS 136 – Forming an Opinion and Reporting on Financial Statements of Employee Benefit Plans Subject to ERISA. This standard was a long time coming. The AICPA worked with the DOL and other interested parties to create a new standard that addresses deficiencies found in financial statement audits, which stemmed from the confusion of auditors, their clients, and financial statement users regarding limited-scope audits and the extent of the required procedures. SAS 136 was originally effective for plans with years ending on or after December 15, 2020; however, due to issues brought on by the COVID-19 pandemic, the effective date was extended to plans with years ending on or after December 15, 2021. As such, audits of plans with calendar year plan year ends of December 31, 2021, will need to implement this standard.
Who is Affected?
SAS 136 applies to audits of single employer, multiple employer, and multiemployer plans subject to ERISA. Plans not subject to ERISA, such as governmental plans, are not subject to SAS 136.
Although many of the requirements of SAS 136 may have been performed by auditors in the past, SAS 136 officially requires certain steps to be performed by the auditor. In addition to specific audit steps, there are new required management representations and responsibilities (particularly in determining that an entity is a qualifying institution for which an ERISA Section 103(a)(3)(C) audit may be performed).
ERISA Section 103(a)(3)(C) Audit
Prior to SAS 136, auditors provided either a full-scope audit with an unmodified audit opinion or a limited-scope audit with a disclaimer of an opinion. Under SAS 136, an auditor may still perform a full-scope audit; however, instead of a limited-scope audit, the auditor may perform what is now called an ERISA Section 103(a)(3)(C) audit. Note that ERISA Section 103(a)(3)(C) always allowed the exclusion of investment values and investment transaction values from the scope of the audit. SAS 136 now requires the auditor to provide an opinion on all financial information, except for carved out certified information. This is different from a limited-scope audit in which an auditor disclaimed an opinion on the entire financial statements because of the limited scope of the audit procedures performed.
What is a Qualifying Institution?
To perform a 103(a)(3)(C) audit, formerly called a limited-scope audit, a certification must be obtained from a qualifying institution covering the completeness and accuracy of assets it holds for the plan during the plan year under audit. Only a qualifying entity could provide such certification because this entity is regulated and subject to periodic examination by a state or Federal agency. This exception was provided with the understanding that these certifying entities already are subject to regulation and periodic examination, so this would provide relief from unnecessary duplicate oversight.
So, what is a qualifying institution? A qualifying institution is defined as a bank or similar institution, or insurance carrier, regulated and supervised and subject to periodic examination by a State or Federal agency. It’s now important for management to understand this requirement. That is because, unlike in a limited-scope audit, in an ERISA Section 103(a)(3)(C) audit management now must perform an assessment to determine whether the entity issuing the certification is a qualified institution. The auditor will then evaluate management’s assessment of the certifying entity.
What will Management Need to Represent to the Auditor?
Under SAS 136, management representations will expand. Management will need to represent:
- Management provided the auditor with the most current plan instrument, including all plan amendments.
- Management acknowledges its responsibility for administering the plan and determining that the plan’s transactions that are presented and disclosed in the ERISA plan financial statements are in accordance with the plan’s provisions, including maintaining sufficient records with respect to each of the participants to determine the benefits due or which may become due to participants.
- When management elects to have an ERISA Section 103(a)(3)(C) audit, acknowledgement that management’s election of the ERISA Section 103(a)(3)(C) audit does not affect its responsibility for the financial statements and for determining whether:
  - An ERISA Section 103(a)(3)(C) audit is permissible under the circumstances,
  - The investment information is prepared and certified by a qualified institution,
  - The certified information meets the requirements (that the assets are certified as both complete and accurate and signed by an authorized person), and
  - The certified investment information is appropriately measured, presented, and disclosed in accordance with the applicable financial reporting framework.
What Are the Requirements for Auditors?
As previously mentioned, although many auditors may have been performing these procedures in a retirement plan audit, SAS 136 now specifically requires that an auditor perform certain audit procedures, as we’ll review shortly. The DOL Audit Quality Study and the AICPA Peer Review program identified deficiencies in audits where auditors did not perform these procedures, even though each was considered a significant step an auditor should have completed. Because of those instances of deficiencies, SAS 136 provides that auditors perform the enumerated audit procedures, which include:
- Obtain and read the most current plan instrument for the audit period, including effective amendments.
- Consider whether management has performed the relevant Internal Revenue Code compliance tests, including but not limited to, discrimination testing, and has corrected or intends to correct failures, as applicable.
- Evaluate whether prohibited transactions identified by management or as part of the audit have been appropriately reported in the applicable ERISA-required supplemental schedules.
- Document considerations in reaching conclusions if the auditor determines it is not necessary to test relevant plan provisions.
- Communicate to management reportable findings from the audit procedures performed.
- When an auditor performs an ERISA Section 103(a)(3)(C) audit, additional procedures include:
- Evaluate management’s assessment of whether the entity issuing the certification is a qualified institution under DOL rules and regulations.
- Identify which investment information is certified.
- Obtain from management and read the certification as it relates to investment information prepared and certified by a qualified institution.
- Compare the certified investment information with the related information presented and disclosed in the ERISA plan financial statements and ERISA-required supplemental schedules.
- Read the disclosures relating to the certified investment information to assess whether they are in accordance with the presentation and disclosure requirements of the applicable financial reporting framework.
- Perform procedures necessary to become satisfied that received and disbursed amounts reported by the trustee or custodian were determined in accordance with plan provisions.
- Obtain a draft Form 5500 and read the draft, before issuing the auditor’s report, in order to identify material inconsistencies with the plan financial statements.
- Consider the plan’s ability to continue as a going concern.
The changes made by SAS 136 should now provide a clearer audit opinion, so users can understand the auditor’s and management’s responsibilities over the financial statements. They should also provide the required procedures auditors need to perform in a retirement plan audit, procedures that they may not have performed in previous audits, which may have caused deficient audits. The clearer language in the audit opinion delineating the responsibilities of the auditor and management, and the newly required procedures for an auditor to perform in a retirement plan audit, should also help alleviate the noted deficiencies in retirement plan audits and ensure that the audit procedures are sufficient for the auditor to properly conclude that the financial statements are not materially misstated.