Statement on Auditing Standards (SAS) 136 addresses the auditor’s responsibility to form an opinion on the financial statements of employee benefit plans (EBPs) subject to the Employee Retirement Income Security Act of 1974 (ERISA). It also addresses the form and content of the auditor’s report issued as a result of a full scope or an ERISA Section 103(a)(3)(C) audit of ERISA plan financial statements and the audit opinion on the supplemental schedules that must accompany ERISA plan financial statements.
Effective Date
SAS 136 was originally effective for audits of periods ending on or after December 15, 2020, with early implementation forbidden, but was later delayed, becoming effective for periods ending on or after December 15, 2021, with early implementation permitted.
Audits of Multiple Years or Fiscal Years
Several times, we have been engaged to re-audit multiple plan years after the DOL determined that an accounting firm’s work was deficient. When that happens, we are only required to implement SAS 136 for audit periods ending on or after December 15, 2021, and can opt to implement it for the immediately preceding year. It means that calendar year 2021 plans must comply with SAS 136 while calendar year 2020 plans may comply. Similarly, audits for fiscal year plans ending on 9/30/2021 may comply with SAS 136 while the year ended 9/30/2022 must comply.
Management Acknowledgement of Roles and Responsibilities
Although SAS 136 did not substantially change the audit procedures that the AICPA Audit Guide for Employee Benefit Plan Audits suggested, it did clearly delineate the division of roles and responsibilities between management and the auditor and how it is acknowledged and documented through the engagement letter, the management representation letter, the audit report, and the communications of reportable findings to those charged with governance. Since the audit procedures remain substantially unchanged, our focus for this blog will be the items that involve management responsibilities.
Engagement Letter and Management Representation Letter
To properly comply with engagement acceptance requirements, the engagement letter and management representation letter will be updated to obtain and document management’s acknowledgment of its responsibility for the following:
- Maintaining a current plan instrument, including all plan amendments
- Administering the plan and determining that the plan’s transactions that are presented and disclosed in the ERISA plan financial statements are in conformity with the plan’s provisions, including maintaining sufficient records with respect to each of the participants to determine the benefits due or which may become due to such participants
- When management elects to have an ERISA Section 103(a)(3)(C) audit, determining whether:
- an ERISA Section 103(a)(3)(C) audit is permissible under the circumstances,
- the investment information is prepared and certified by a qualified institution as described in 29 CFR 2520.103-8,
- the certification meets the requirements in 29 CFR 2520.103-5, and
- the certified investment information is appropriately measured, presented, and disclosed in accordance with the applicable financial reporting framework, most often Generally Accepted Accounting Principles (GAAP), which means fair market value at year-end.
The validity of the certification seems like a low-risk audit area that is likely to be compliant, until it isn’t, then things tend to go terribly wrong: accountants are disciplined by their boards of accountancy, previously accepted Forms 5500 get rejected, and the plan sponsor must find a new auditor to reperform three years of ERISA audits. An invalid certification is a very risky proposition if not properly identified.
Evaluation and Documentation of Audit Procedures
When the audit work performed results in the identification of transactions that are not in accordance with the plan instrument, the auditor should evaluate whether the matters are reportable findings.
Reportable findings are defined as matters that are one or more of the following:
- An identified instance of noncompliance or suspected noncompliance with laws or regulations;
- A finding arising from the audit that is, in the auditor’s professional judgment, significant and relevant to those charged with governance regarding their responsibility to oversee the financial reporting process;
- An indication of deficiencies in internal control identified during the audit that have not been communicated to management by other parties and that, in the auditor’s professional judgment, are of sufficient importance to merit management’s attention.
Communication With Management or Those Charged with Governance
The auditor should communicate in writing to those charged with governance, on a timely basis, reportable findings from the audit procedures performed. The written communication should include the following:
- A description of the reportable finding
- Sufficient information to enable those charged with governance and management to understand the context of the communication
- An explanation of the potential effects of the reportable findings on the financial statements or to the plan qualification
The auditor should not issue a written communication stating that no reportable findings were identified during the audit.
Ignorance is Not Always Bliss
Knowledge is power. In my opinion, there is no audit finding so insignificant that the client should not be informed of its existence, so that the plan officials have the opportunity to put processes in place to prevent the same error from happening in the future, and so that corrections can be executed to maintain the plan’s qualified status. Correcting plan errors can be more costly and inconvenient than preventing them. When it comes to staying compliant with plan provisions, an ounce of prevention is better than a pound of cure.
