A recent report from the Department of Labors Employee Benefit Security Administration should serve as a wake-up call for plan sponsors to make the audit process and auditor selection a high priority, says the American Institute of Certified Public Accountants.
The EBSA review found that while 61% of audits fully complied with professional auditing standards or had only minor deficiencies under professional standards, the remaining 39% of the audits contained major deficiencies.
And when choosing a benefit plan auditor, the CPA firms size matters less than the depth of the firms benefits practice. While many plan sponsors may simply choose the same firm to audit their benefit plan that audits their companys financial statements, doing so may not always be the best choice, says Sue Coffey, CPA, CGMA, senior vice president, public practice and global alliances with the AICPA.
Coffey and Ian MacKay, who oversees the AICPAs
Whats important for plan sponsors to know about this DOL/EBSA report?
Ian MacKay: We really think the study itself is indicative of the DOL's emphasis on the importance of the audit and ensure that they're done effectively. We think the study is a wake-up call for plan sponsors to make the audit and auditor selection a high priority. The hiring of the plan auditors is a fiduciary function and the plan administrator should use the same care and prudence when hiring the plan auditor [that] they use with hiring any individual or entity that provides services to the plan.
And there are risks to the plan sponsor if a quality audit is not performed. The DOL may impose penalties or reject the plans Form 5500 filings for a deficient audit. Those penalties can be up to $1,100 per day without limit, for filings for the deficient audit.
So the plan sponsor should evaluate whether they have a qualified auditor. Many audits are done by firms that do just a few benefit plan audits. And the audit quality is directly correlated with the number of audits the firm performs. Auditors that audit just a few plans, and have less experience, and little or no specific [employee benefit plan] training tend to have more issues with their audit.
What should plan sponsors look for in a benefit plan auditor?
MacKay: Plan sponsors should carefully evaluate the plan auditors qualifications, including whether they have a proper CPA license, whether they have recent benefit plan audit training, and experience with a particular plan type because the auditor of a 401(k) plan may not be qualified to audit a health and welfare plan or an ESOP plan.
The plan sponsor can use a comprehensive request for proposal that will allow the sponsor to obtain the information that they need to evaluate the qualifications of the auditor. It's important that they communicate the audit objectives and requirements clearly and that the specific facts and circumstances surrounding the audit are known to the auditors that are bidding on the audit. Again, they should ask for how much, and what type of training experience the audit firm has, as well as the specific proposed audit team, the individuals. And the sponsor can ask for references and discuss the auditors work with other plan clients.
Sue Coffey: Typically an RFP is done periodically, and sometimes [they are] few and far between, which is OK. But I think the sponsor should be asking questions annually because things may change, and will change within every CPA firm. On an annual basis [a CPA firm] may engage or bring in qualified staff, [firms] may merge ... One firm may merge with another firm that brings on specialty in an area, for instance health and welfare plans, where they may not have had it in the past. Likewise, the [CPA] firm may lose key staff and experience during the year.
For the plan sponsor to, on an annual basis, be asking questions of their auditor [such as]: Did they have a peer review? Is their peer review a pass? Or, was it a fail? Are they members of the [AICPAs Employee Benefit Plan] Audit Quality Center? What quality control procedures do they have in place to ensure a quality audit? And what type of training experience does the engagement team as a whole have? [There are] a whole bunch of things that you could have, for instance, in this comprehensive RFP request that the sponsor could pull from on an annual basis [to have] just a dialog with the auditor before the engagement begins for the new year.
MacKay: Another example of the annual questionnaire of the auditor: If the [retirement] plan has new investment types, such as those that may be hard to value, what is the auditor's experience with those plan investments? Because the valuation of the investments can be very complex and difficult and you need expertise.
What are some of the most common problematic issues you see plan sponsors grappling with when it comes to benefit plan audits?
MacKay: One is that they may just hire their company auditor to audit the benefit plan without evaluating the auditor's experience and qualifications to do a benefit plan audit. ERISA audits are quite different and more complex, in some respects, than a company audit. They're unique. Consider the company's auditor's qualifications and if they don't have the proper qualifications, then look for an ERISA plan auditor.
With regard to monitoring activities of the outsourced third-party service organization as part of the plan sponsors fiduciary responsibilities, the plan administrators are required to periodically monitor the service organization to ensure that they are properly performing the agreed-upon procedures. So the plan administrator should establish an effective monitoring program over the service organizations that perform recordkeeping and reporting functions for the plan.
There are several ways that this can be done. One is by establishing controls that help ensure that complete and accurate plan information is obtained. The plan administrator can also conduct onsite reviews of the service organization as well as obtaining, and reading and evaluating, the SOC 1 Report [Service Organization Controls Report] from the plans service organization. Thats a very helpful tool that can be used by the plan administrator, as well as the auditor, to understand not just the controls at the service organization, but also whether they are effective, and the impacts that those controls have on the plan itself.
Another area [to watch] would relate to the use of [the] limited scope audit exemption. Plan sponsors need to understand whether theyve obtained a proper certificate, or certification, to select a limited scope audit. For one, the certification has to be from a qualified institution thats defined in ERISA. There [are] special considerations there. We have seen where the certification is received from a non-qualified institution and the DOL would not allow the limited scope audit to be performed in that situation.
Also, its important to understand the limitations of the audit report in a limited scope audit. The auditor will likely not provide any assurance on the plans financial statements because of the significance of the scope restriction imposed by the plan sponsor. That really relates to the investments that are certified. So, in a limited scope audit, the auditor is not auditing the plan investments that are covered on the certification, which typically are very significant to the plan. It's essentially most, if not all, [of] the plan assets. So the auditor is not going to opine on the financial statements.
Another relates to plan investments and how complex and difficult they are to understand and to understand how they are valued. The plan sponsor really needs to understand the nature of the investments, the methods used, and the assumptions used to value these investments for financial reporting. And if need be, they need to talk to or engage experts in investment evaluation and talk to the investment custodian, broker, and others about the nature of the investments so they really have a good grasp on the types of investments and how they impact financial reporting.
Can you explain what a limited scope audit is and why it's important to get rid of them? Is that your position?
MacKay: A limited scope audit is a unique feature in ERISA. The law allows the plan administrator to instruct the auditor not to perform any audit procedures with respect to any information thats prepared and certified by a bank or similar institution, or by an insurance carrier, thats regulated, supervised and subject to periodic examination by a state or federal agency. Thats why we talked previously about qualified institutions that can certify. They have to meet that specific criteria. It can only be a bank or similar institution or insurance company thats regulated by a state or federal agency. And the trustee or custodian must certify those to the accuracy and completeness of the information submitted. When that occurs, that means the auditor is not testing the certified information. So the scope of the audit is limited.
In a limited scope audit, because the auditor is not testing the investments, thats a significant limitation on the scope of the audit and the auditor will not express and opinion on the overall financial statements.
Coffey: Its the plan administrators decision as to whether or not the audit is limited scope, or a full scope audit, which would be comparable to every other type of audit thats performed. This is the only place where any type of limitation like this exists. So thats the first thing I would point out. Its the plan administrator that makes the decision.
The second thing is that, when the plan administrator elects this and instructs the auditor to perform a limited scope audit, at the end of the day, the auditor is required to do other work on the financial statements, but they dont issue any type of opinion on the financial statements. Some may question its usefulness. So that's one of the reasons why we have supported, for a very long period of time, the elimination of the limited scope audit. And the Department of Labor has done so as well.
