DOL to Begin Outreach to Firms on Audit Quality; EBP Panel Provides Input on FASB Fair Value Measurement Proposal; EBP Cybersecurity Concerns Raised by DOL
  AICPA
April 15, 2016
EBPAQC Alert #365
©2016 The American Institute of Certified Public Accountants.
Dear Center Members,
 
DOL to Begin Outreach to Firms on Audit Quality
Beginning in mid-April, the Department of Labor's Employee Benefits Security Administration (EBSA) is expected to begin sending letters by US mail to the managing partners of all firms that perform ERISA audits communicating the findings in its report, Assessing the Quality of Employee Benefit Plan Audits, which found deficiencies in the quality of audit work performed by independent CPAs with respect to financial statement audits of ERISA employee benefit plans for the 2011 plan year (see EBPAQC EAlert #346, May 29, 2015). The DOL letter will also inform firms of EBSA's intention to continue to review the quality of ERISA plan audits, and will encourage firms to use the resources available from the AICPA, the EBPAQC, state CPA societies, and other vendors. The DOL's communication to firms is part of a broader DOL outreach initiative on the importance of audit quality for ERISA plans. The DOL has previously communicated with all state boards of accountancy and all ERISA plan administrators whose plans meet the requirements for an independent audit.
EBP Expert Panel Provides Comments on FASB Proposal on Changes to the Disclosure Requirements for Fair Value Measurement
The AICPA Employee Benefit Plans Expert Panel (EP) provided input to the AICPA's Financial Reporting Executive Committee (FinREC) in drafting a comment letter on the FASB Exposure Draft of a Proposed Accounting Standards Update (ASU), Fair Value Measurement (Topic 820) - Disclosure Framework - Changes to the Disclosure Requirements for Fair Value Measurement. The proposal asked if employee benefit plans (EBPs) should be allowed the same exemptions that apply to private companies from certain proposed disclosure requirements, including: 1) changes in unrealized gains and losses disaggregated by general type of investment and levels of the fair value hierarchy; 2) the Level 3 range, weighted average, and time period information; and 3) a Level 3 rollforward.

FinREC and the EP agreed that EBPs should be allowed these same exemptions because the amendments in the proposed ASU would essentially overturn certain amendments included in ASU 2015-12, Plan Accounting, which acknowledged and corrected for conflicting guidance in accounting for EBPs between Topic 820 and Topics 960, 962, and 965. In addition, these disclosures are not relevant because plan participants do not use these financial statements to make investment decisions or track investment performance.

EBP Cybersecurity Concerns Raised by DOL
During the recent EBPAQC 2016 Designated Partner Planning webinar, DOL EBSA Chief Accountant Ian Dingwall expressed concerns that EBP plan administrators may be vulnerable to cyber-attacks and thus exposed to risks relating to privacy, security, and fraud. Because most plan sponsors and service organizations use electronic means to conduct financial transactions and interface with participants, plan and participant records, whether maintained in-house or by an external third party administrator, may be at risk.

The responsibility to implement processes and controls to restrict access to a plan's systems, applications and data, including third party records and other sensitive information, resides with those charged with plan governance. Chief Accountant Dingwall encouraged plan administrators to evaluate the plan's cybersecurity governance, including service providers and their vendors, by performing the following steps in the risk assessment process:
Review written information security policies, including those regarding encryption
Conduct periodic audits to detect threats
Perform periodic testing of backup and recovery plans
Determine responsibility for losses, including adequacy of cybersecurity insurance coverage
Establish training policies to reinforce data security
EBP auditors may wish to make their plan clients aware of the DOL's concerns. While many plans obtain a SOC 1 report on controls at a third-party service organization, it is important to note that a SOC 1 report addresses a plan's internal control over financial reporting and does not address broader entity cybersecurity controls and risk.

The auditor's responsibilities with respect to cybersecurity matters in a financial statement audit are outlined in CAQ Alert #2014-03, Cybersecurity and the External Audit. The CAQ Alert states that the auditor's understanding of the IT systems and controls should be taken into account in assessing the risks of material misstatement to the financial statements, including IT risks resulting from unauthorized access. Systems and data in scope for most audits usually are a subset of the totality of systems and data used by companies to support their overall business operations, and the audit's focus is on access and changes to systems and data that could impact the financial statements. In contrast, a company's overall IT platform includes systems (and related data) that address the operational, compliance and financial reporting needs of the entire organization. From an operational risk or privacy perspective, companies implement processes and controls to restrict access to their systems, applications and data, including third party records and other sensitive information. Accordingly, given the focus on a narrower slice of a company's overall IT platform, an audit of the financial statements in accordance with professional standards likely would not include areas that would address such a cybersecurity breach. However, if information about a material breach is identified, the auditor would need to consider the impact on financial reporting, including disclosures.

The Alert includes general information for auditors and should not be relied upon as being definitive or all inclusive; auditors should refer to the rules, standards, guidance, and other resources in their entirety, and should carefully evaluate which requirements apply in their situations.

The AICPA has developed a Cybersecurity Resource Center that provides tools and information that auditors can use to help clients better address cybersecurity risks. Also, a Cybersecurity Working Group of AICPA's Assurance Services Executive Committee is currently working with the AICPA's Auditing Standards Board to develop practitioner guidance for performing examination-level attestation engagements related to cybersecurity.

The National Institute of Standards and Technology released the first version of a Framework for Improving Critical Infrastructure Cybersecurity on February 12, 2014. The Framework, created through collaboration between industry and government, consists of standards, guidelines, and practices to promote the protection of critical infrastructure and help owners and operators of critical infrastructure to manage cybersecurity-related risk.
*   *   *   *   *
Sincerely,

AICPA Employee Benefit Plan Audit Quality Center