Seeking the gold standard

Today, employee benefit plans - and those responsible for administering and overseeing them - are facing greater scrutiny and more regulations than ever before. With the growth in the number of defined contribution plans, the Department of Labor is paying closer attention to how plan administrators and trustees discharge their legal obligations to prudently monitor plan investments, comply with the plan documents and exercise oversight over third-party vendors.

As the DOL has mandated greater transparency over vendor fees, there has been a spike in class-action lawsuits being filed against companies over expenses and revenue-sharing arrangements for investment activities within 401(k) plans.

In this environment, the value of a quality employee benefit plan audit is greater than ever: it assists plan administrators and trustees in fulfilling their fiduciary responsibilities and thus minimizes their potential fiduciary liability. A high-quality audit provides some assurance to the plan fiduciaries that their auditor has tested the actual operations of the plan against its plan document.

At its simplest, the quality of your benefit plan audit will be a function of the reputation of your auditor for performing quality work and the quality of their audit design. There are some basic things to look for in your auditor and the methodology and scope of the audit plan:

* Auditor credentials, standards and experience are important. Check to see if your auditor is a member of the voluntary Employee Benefit Plan Audit Quality Center. Established by the American Institute of CPAs, the center promotes best practices and provides training in auditing employee benefit plans and identifies common deficiencies found by the DOL during audits. Members of the center have significantly lower numbers of audit deficiencies than nonmembers.

* Also, the firm you hire should require that its auditors stay current on the latest audit requirements and standards by providing and mandating continuous education training for its staff members, including on employee benefit plans.

* Lastly, employee benefit plan audits are unique and present very different challenges than audits of other entities. In this area, experience counts. You should ask how many audits your auditor is conducting and what specific training they obtain.


Audit design

Beyond getting to know your auditor, it's important to understand that audit pricing can vary dramatically. Cost differences are often a function of the design of the audit being provided. Before accepting the lowest bid, make sure you understand what is included in the audit in terms of scope, comprehensiveness and the rigorousness of the testing involved.

An audit should address the most common deficiencies identified by the DOL. Otherwise, the audit will not be helpful in identifying and correcting problems with plan operations and internal controls, and ultimately cannot be counted on to assist the fiduciary in exercising its responsibility to monitor plan operations.

As a rule of thumb, an employee benefit plan audit should be sufficiently comprehensive that it tests all information that would appear on an employee's benefit statement. At a minimum, audit plans should test:

* Employee eligibility. Are employees actually entitled to participate in the benefit plan based on their date of employment and other requirements specified in the plan document?

* Eligible compensation. Plan sponsors need to understand the definition of eligible compensation and, specifically, how to treat bonuses, overtime and shift differentials for purposes of determining employee contributions and company matches.

* Timeliness of contribution. Are employers remitting participant contributions to the plan on a timely basis? Delays in remittances are a major problem from the perspective of the DOL and are likely to invite additional scrutiny of a plan.

In testing these aspects, the auditor should be using a sufficiently large and diverse sample size to provide a high level of confidence that the tests are statistically significant and are capturing any problems with controls or procedures.

The audit also should carefully analyze the SSAE No. 16 report (see sidebar, right) provided by vendors to plan administrators. This report details the procedures and controls in place at outside service providers. This information is critical for properly monitoring the performance of outside vendors, who directly manage the daily operations of many employee benefit plans, and for making sure that these vendors are properly accounting for your employees' contributions, investment elections and investment earnings.

Plan trustees and administrators need to be cognizant of the changed environment for employee benefits plans. The audit no longer should be seen as just another expense for meeting a regulatory obligation. Today, an employee benefit plan audit is a valuable resource to plan fiduciaries by providing them some additional assurance that their plan has been operating in compliance with their plan documents.

Anthony T. Carideo, Jr., CPA, is head of the ERISA audit practice at Wolf & Company, P.C., a Boston-based certified public accounting and business consulting firm providing assurance, tax and risk management services.

6 things benefits pros need to know about SSAE 16

1. Service providers are required to provide a written assertion that states the control system is fairly represented, suitably designed and implemented, controls were properly designed to achieve the stated control objectives and that the controls operated effectively. The service auditor will review and attest against this assertion. With this increased responsibility by management to make a public declaration, employers can be more confident that relevant control systems and processes are represented in the report. It greatly minimizes the risk of "not knowing what you don't know."

2. It requires an expanded description of control system and process. This description will have management's assertion that control environment risk-assessment processes, information and communication systems (including relevant business processes), control activities and monitoring activities relevant to the services provided were presented fairly and operating effectively.

3. Service providers will identify risks that threaten the achievement of control objectives and evaluate whether the described controls sufficiently address the associated risk to achieving the objectives. This includes instances where control objectives were not achieved due to intentional actions by the service organization. Under SSAE 16, if the service auditor identifies deviations that could be the result of an intentional act by an employee, the auditor is required to dig deeper to determine whether the description of the service organization's system is fairly presented and if the controls are properly designed or operating.

4. Guidance for service providers on addressing outsourced services, such as data hosting, is clearly defined. Service providers may opt to use an "inclusive" method, where they provide an assertion on outsourced services along with their own services. Or they can choose the "carve-out" method, where the nature and functions of the subservice organization are described, but associated control activities are not included.

Employers should be aware of information on all relevant control systems and processes, regardless of whether a function is outsourced to a third-party service provider. Benefits professionals may want to discuss with service providers how they monitor controls for outsourced services. For subservice organizations that are carved out, the service provider and its users will want to be assured that those organizations have an SSAE 16 of their own.

Another positive aspect of SSAE 16 is its clear statement regarding use of the report being limited to "customers of the service organization's system during some or all of the period covered by the service auditor's report." So, while an employer can't rely on an SSAE 16 report for its own financial reporting or projections, there is value in requesting an SSAE 16 from a potential service provider.

5. Perhaps the most important part of an SSAE 16 (or any service audit) for employers is the section on User Control Considerations. While not required (and may be labeled differently depending on the service auditor), strong SSAE 16 reports include assumptions made by the service provider about an employer and the expectations about the employer's role in the service provider's control systems environment.

For example, if the control is to provide reasonable assurance that only authorized changes to systems' data are made by the user organization, the service provider may assume that the user organization will notify them in a timely manner of changes in the list of persons authorized to make updates. If your company is unable or unwilling to participate in this process, then the entire control becomes faulty. But without a clear understanding of the service provider's assumptions, this won't be apparent until there's a problem. Decisions to contract with a service provider should be made with a clear understanding and consensus on assumptions made by the service provider relevant to control systems and processes.

Review all user control considerations carefully with management who oversee associated areas of control systems and processes referenced in this section to identify any "assumption gaps." These gaps should be the focus of a dialog with the service provider or project consultant before making a decision to move forward with the service provider. Failure to do so can result not only in a service problem for your company, but could also affect your income statement and balance sheet. If you're unable to identify these assumptions within the report, inquire about them.

6. A Type II SSAE 16 ensures compliance with the Sarbanes-Oxley Act for public companies. Regardless, both public and private companies can have greater confidence in a service provider that actively audits its control systems and processes.

In today's wired world, news of a corporate data security breach is commonplace. While a SSAE 16 can't guarantee this won't happen, it can increase your assurance that your service provider knows how to protect sensitive data.

An SSAE 16 will also give you a good understanding of the service provider's processes. And, while changes do occur, past behavior is often indicative of future behavior. That said, verification of controls obtained in prior service audits, covering satisfactory operation of controls during previous time periods, is not sufficient to reduce the amount of testing performed under an SSAE 16. An internal auditor can review the report to identify any areas of concern.

Excerpted from "Farewell, SAS 70. Parting is not such sweet sorrow," EBN April 15, 2011
