By CariAnn Todd, Senior Manager
Have you ever asked yourself “If the auditor is policing our benefit plan, who is policing the auditor?” In addition to the professional requirements imposed on CPAs who are members of the American Institute of Certified Public Accountants (AICPA), when it comes to audits of employee benefit plans, the Department of Labor (DOL) is also keeping its eye on auditors and the audit process.
The Department of Labor, under the terms of the Employee Retirement Income Security Act of 1974 (ERISA), has established the ERISA Advisory Council. The Council’s purpose is to advise the Secretary of Labor on the topics of employee welfare and pension benefits. The Council meets four times per year and addresses various issues. In 2010, the Council studied employee benefit plan auditing and financial reporting models, with a major focus on retirement plans. Issues specifically addressed in 2010 were the quality of plan audits and auditors, limited-scope audits and 403(b) plans. Highlights of the Council’s report follow.
Audit Quality and Auditors
In 2004, a DOL study found that approximately 30% of plan audits did not comply with professional audit standards or reporting requirements. The study concluded that this was not the result of insufficient guidance on the topic. Instead, the substandard audit work is directly related to auditors with inadequate training and experience, a misunderstanding of the limited-scope audit requirements, as well as a lack of quality control procedures. The study, along with the DOL’s Audit Quality Enforcement Programs, further found an inverse correlation between audit deficiencies and the number of ERISA audits performed. In other words, the fewer audits a CPA firm performed, the higher the number of audit deficiencies found.
The AICPA annually issues an Audit & Accounting Guide for Employee Benefit Plans. The 2011 version is 468 pages. The AICPA also offers a number of continuing education courses for its members. In addition, it has established the Employee Benefit Plan Audit Quality Center (EBPAQC). Firms that choose to be members of the EBPAQC must adhere to a list of guidelines that include:
- A designated audit partner to oversee the employee benefit plan audit practice
- A program to ensure all auditors are adequately trained on an annual basis, including a minimum number of hours that must be completed
- Performance of annual inspection procedures
- A peer review firm that is also an EBPAQC member
The DOL also provides a variety of resources on the EBSA website and is well represented at various conferences throughout the year.
The ERISA Advisory Council concluded that there are ample resources and other opportunities for CPAs to educate themselves in this area. However, it also noted that membership in the various organizations that can help improve audit quality is voluntary, not mandatory. Finally, the Council found that many aspects of the audit seem widely misunderstood or unknown, including the importance of the auditor’s evaluation of the plan’s internal control system. Effective internal controls are the backbone of a plan’s ability to safeguard its assets and properly report its financial condition.
The Council’s recommendations regarding Audit Quality were:
- The DOL should require plan administrators to identify on Form 5500 whether or not the plan auditor is a member of the EBPAQC.
- The DOL should establish a fiduciary safe harbor in the initial selection of plan auditors who are members of the EBPAQC.
BeachFleischman is a member of the EBPAQC. We provide annual training to our audit staff on the unique issues that arise during the audit of a retirement plan, as well as information on new regulatory, auditing or reporting guidance issued by the AICPA, FASB or DOL. We also regularly send our management team members to conferences around the U.S. that are targeted at retirement plan regulatory and audit issues. With an audit base of 45 retirement plans and rising, we have dedicated several staff members to specializing in this practice area.
Under ERISA, a plan administrator can instruct the auditor to limit the scope of testing on investment information prepared and certified by a qualified trustee or custodian as complete and accurate. Entities that meet this qualification are banks or similar institutions (trust companies) or insurance carriers that are regulated, supervised and subject to periodic examination by a state or federal agency. As an example, assets held by a brokerage house are not eligible for certification. However, many of the large brokerage houses have trust divisions that can hold assets and are eligible to certify (Fidelity vs. Fidelity Management Trust Company).
Audit problems arise when the auditor doesn’t understand the concepts of the limited-scope audit. For example, the scope limitation is limited to the assets that are certified. It does not extend to participant data, contributions, benefit payments or anything else. Therefore, the difference between a full scope audit and a limited-scope audit can be relatively small, especially for a plan with traditional, publicly-traded investments.
Due to the continually changing and complex nature of the investments available to plans in the current marketplace, the Council was asked to consider whether the limited-scope exemption should be repealed. There are a number of alternative investments on the market that are hard to value, yet are being certified by the eligible institutions and excluded from audit procedures.
The Council concluded that the limited-scope audit should not be repealed, as it did not see the benefits of full scope procedures, which would increase audit costs for most plans. Instead, it made the following recommendations:
- The DOL should clarify the kinds of entities that are qualified to issue certifications under existing regulations and guidance and reiterate that only qualified entities may issue certifications.
- The DOL should amend the limited-scope audit regulations to require that the certification of investment information include a disclaimer that investment values may not have been subject to independent verification of fair value by the certifier.
- The DOL should require plan administrators to include any certification issued in connection with a limited-scope audit in the plan’s Form 5500 filing.
- The DOL should issue informal education materials targeted to plan sponsors and plan auditors that would assist them in understanding their respective obligations with respect to limited-scope audits.
Over 80% of the audits performed by BeachFleischman are limited-scope. We concur with the Council’s conclusions. The entities that are certifying investment information are heavily regulated; therefore, to perform auditing procedures at the plan level on investment values and investment income seems redundant. In our practice, we have also encountered confusion in the market between a certification and a SAS 70 report. The latter is a report on internal controls for a service organization. While it provides significant benefits to the audit process, allowing the auditor to better understand and rely on internal controls at the service organization, it does not have any relation to a limited-scope audit.
Prior to 2009, 403(b) plans only had limited reporting requirements and were not subject to the audit requirement. Because of this, recordkeeping for these plans was lax. The implementation of the new reporting requirements and the audit requirement for large plans has placed great challenges on sponsors of 403(b) plans and put auditors in the difficult position of having to disclaim opinions on incomplete financial statements. With limited exceptions, the DOL does not accept disclaimers of opinion and, as such, a Form 5500 that attaches an audit report with a disclaimer of opinion is considered an incomplete filing.
Another concerning issue that affects 403(b) plans is that while a large number of employees may be eligible to participate in the plan, in many cases, only a small number actually contribute to the plan and have an account balance. This leads to situations where an audit is required because the number of eligible participants exceeds 120, but the actual number of participants with account balances is so low that the audit cost is prohibitive ($500 to $1000 per participant). There is also fear that these situations may lead to a sponsor terminating plans to avoid the audit cost, which is contradictory to the DOL’s goal.
Finally, due to the nature of the assets held in many 403(b) plans (i.e. individual custodial contracts or individual annuity contracts) it can be extremely difficult, if not impossible, to locate and identify all of a plan’s assets. Many interested parties have weighed in on the cost/benefit of auditing these types of assets, which the plan sponsor has no responsibility for or active role in maintaining.
After much consideration, the Council made the following recommendation:
- The DOL should waive the audit requirement for 403(b) plans that have plan assets invested entirely in individual custodial contracts or individual annuity contracts. For plans containing those individual type assets and group annuity contracts, only the group annuity contracts would be subject to the audit requirement. For plans with only group annuity contracts, the plan would be fully subject to the audit requirement.
BeachFleischman’s experience with 403(b) plan audits is consistent with the concerns expressed to the Council. While the DOL has provided some relief for plans that struggled to comply with the audit and other regulatory requirements for 2009, we concur with the Council that additional relief for individual custodial contracts and individual annuity contracts is warranted.
The Council was able to scratch the surface of three hot topics in employee benefit plan auditing. We believe that the issue of audit quality is of the greatest concern, as it places undue pressure on CPA firms who are doing it right to compete with the fee pressure from CPA firms who are not. We are sympathetic to the need for our clients to keep their costs under control, and we are continually balancing this against our responsibility to perform an audit in accordance with the standards placed upon us by the AICPA and the DOL. In the end, we do believe that plan audits protect the interests of participants by ensuring that individuals are appropriately included or excluded from plan participation, that participant deferrals are deposited in the plan on a timely basis and that withdrawals are authorized and distributed in the proper amount. Audits also provide assistance to the plan sponsor in meeting their fiduciary responsibility and ensuring a proper system of internal controls surrounding the plan and its financial reporting.
If you have additional questions surrounding audits of employee benefit plans, please contact your BeachFleischman representative or CariAnn Todd at firstname.lastname@example.org.