What You Should Know About ERISA Plan Audit Changes
|By Craig Erickson, Partner-in-Charge, Employee Benefit Plan Group|
In July 2019, the American Institute of Certified Public Accountants (AICPA) issued a new Statement on Auditing Standards (SAS 136) designed to regulate and improve the audit quality for plans governed by the Employee Retirement Income Security Act of 1974 (ERISA).
The new standards were originally intended to apply to audits of financial statements for periods ending on or after December 15, 2020, but the AICPA delayed the original effective date by one year due to the COVID-19 pandemic.
Employee benefit plan sponsors and their auditing firms must now anticipate starting these new procedures for periods ending on or after December 15th of this year. It’s a good idea to begin working to understand SAS 136 and its effect on the audit process.
Why SAS 136?
The origins of SAS 136 lie in 2015, when the Department of Labor’s Employee Benefits Security Administration (EBSA) assessed the quality of audits that independent qualified public accountants were doing on employee benefit plans.
These examinations found various issues that the EBSA wanted addressed, and the AICPA responded by creating SAS 136 to lay out specific procedures for ERISA audits. The goals of the changes are to boost the quality and increase the transparency of these audits.
What’s new in SAS 136?
SAS 136 stipulates new procedures for engagement acceptance, risk assessment and response, communication with those charged with governance, and performance procedures and reporting.
Here are some of the most notable changes auditors and plan managers can expect.
Changes to audit reports and engagement letters
- The auditor’s report must now list the responsibilities of the auditor, including professional judgments and communication with those governing the plan.
- The auditor’s report must also include management’s responsibility for the assessment and the auditor’s responsibility for management’s assessment, if applicable.
- The engagement letter must lay out management’s responsibilities, including maintaining and administering a plan instrument and maintaining records of plan transactions and benefits and financial statements.
Changes to audit procedures and documentation
- If the plan sponsor elects a limited scope audit (now called an ERISA Section 103(a)(3)(C) audit), management must approve and ascertain that the qualified institution can certify the investment information.
- The auditor must wait to issue the auditor’s report until management provides a complete draft of Form 5500.
- The auditor must communicate all reportable findings to the plan managers.
Change to limited scope audits
- The limited scope audit is renamed ERISA Section 103(a)(3)(C) audit.
- This type of audit now involves more stringent reporting requirements.
Q&A on SAS 136
When will the SAS become effective?
SAS 136 will be effective for audits of ERISA plan financial statements for periods ending on or after December 15, 2021. Auditors should expect to apply the new standards to 2021 year-end audits being performed in 2022, including using the new form of the auditor’s report.
Is early implementation allowed?
The SAS allows early implementation, and the statement includes transitional implementation reporting guidance upon initial adoption of the SAS when performing an ERISA section 103(a)(3)(C) audit.
Can plan sponsors still choose a limited scope audit?
Yes, although the name “limited scope audit” is now being changed to “ERISA section 103(a)(3)(C) audit.” This is because ERISA section 103(a)(3)(C) allows plan management to exclude from the audit certain investment information held by and certified to by a qualified institution. The SAS lays out specific procedures that auditors must adhere to when performing and reporting on an ERISA section 103(a)(3)(C) audit.
Have engagement acceptance responsibilities changed?
Yes. The SAS’s Terms of Engagement lay out new engagement acceptance requirements, as well as changes to the preconditions for an audit. Management responsibilities must be listed in the engagement letter, including with respect to the investment certification during an ERISA Section 103(a)(3)(C) audit.
Do auditors have to communicate with those charged with governance?
Yes. The SAS requires the auditor to communicate with management and/or those charged with governance in specific ways. For example, the auditor must communicate reportable findings in writing in a timely manner in accordance with the SAS. The statement also lays out various matters that the auditor must discuss with management and those charged with governance.
Do auditors have to request new management representations?
Yes. The auditor must obtain certain written management representations regarding management’s responsibilities.
The best thing auditors and plan managers can do to ensure compliance with SAS 136 is gear up for adoption.