In July 2019, the AICPA Auditing Standards Board (ASB) issued as a final standard, Statement on Auditing Standards (SAS) No. 136, Forming an Opinion and Reporting on Financial Statements of Employee Benefit Plans Subject to ERISA (EBP SAS). The EBP SAS prescribes certain new performance requirements for an audit of financial statements of employee benefit plans subject to the Employee Retirement Income Security Act of 1974 (ERISA), and changes the form and content of the related auditor's report. It should not be adapted for plans that are not subject to ERISA. SAS No. 136 can be viewed on the AICPA’s website under recently issued standards.
Here are answers that will help you need gain a better understanding of this new SAS.
The EBP SAS is effective for audits of ERISA plan financial statements for periods ending on or after December 15, 2020. This means that 2020 year-end audits being performed in 2021 will be required to follow the performance and reporting requirements of this SAS, including using the new form of the auditor’s report.
No. The EBP SAS prohibits early adoption. The EBP SAS includes transitional implementation reporting guidance upon initial adoption of the SAS when performing an ERISA section 103(a)(3)(C) audit.
The EBP SAS includes new requirements in all phases of an audit of ERISA plan financial statements (EBP audit), including engagement acceptance, risk assessment and response, communication with those charged with governance, performance procedures, and reporting. The standard is not all-inclusive; when performing an EBP audit, all the AU-C sections apply, except for the following, which are specifically covered in the EBP SAS:
- AU-C section 700, Forming an Opinion and Reporting on Financial Statements
- Paragraph .09 of AU-C section 725, Supplementary Information in Relation to the Financial Statements as a Whole
In addition, the EBP SAS contains incremental requirements to AU-C section 210, Terms of Engagement; AU-C section 250, Consideration of Laws and Regulations in an Audit of Financial Statements; AU-C section 260, The Auditor's Communication With Those Charged With Governance; and AU-C section 580, Written Representations.
The EBP SAS replaces AU-C section 700 in its entirety when performing an audit of ERISA plan financial statements. AU-C sections 705 and 706 address how the form and content of the auditor’s report are affected when the auditor expresses a modified opinion or includes an emphasis-of-matter or other-matter paragraph in the auditor’s report. Auditors should comply with AU-C sections 705 and 706 when performing ERISA audits, however the EBP SAS provides the auditor with specific guidance on when and how to apply AU-C section 705 when performing an ERISA section 103(a)(3)(C) audit.
Yes. The EBP SAS does not change ERISA and therefore plan management’s ability to elect such an audit continues to exist. ERISA section 103(a)(3)(C) permits plan management to elect to exclude from the audit certain investment information held by and certified to by a qualified institution. An audit performed pursuant to ERISA section 103(a)(3)(C) will no longer be referred to as a "limited scope audit" but rather going forward will be referred to as an "ERISA section 103(a)(3)(C) audit." The EBP SAS clarifies what is expected of the auditor, including specific procedures when performing an ERISA section 103(a)(3)(C) audit, as well as a new form of report that provides greater transparency about the scope and nature of the audit and describes the procedures performed on the certified investment information.
No. The EBP SAS recognizes that an ERISA section 103(a)(3)(C) audit is unique to EBPs and its election by management is not considered a scope limitation. Therefore, the auditor would no longer issue a modified opinion (typically a disclaimer of opinion) due to only performing limited procedures on information that is certified by a qualified institution. Instead, the report provides a two-pronged opinion that is based on the audit and on the procedures performed relating to the certified investment information. It provides an opinion on whether the information not covered by certification is presented fairly, and an opinion on whether the certified investment information in the financial statements agrees to or is derived from the certification. If, however, the auditor identifies a material misstatement of the financial statements or there is a limitation on the scope of the audit (for example, lack of books and records), then the auditor would modify the opinion in accordance with the EBP SAS and AU-C section 705.
Yes. The EBP SAS includes new engagement acceptance requirements in addition to the preconditions for an audit in AU-C section 210, Terms of Engagement. This will typically result in acknowledgment in the engagement letter of management's responsibilities for maintaining a current plan instrument, administering the plan, and providing the auditor with a substantially complete draft Form 5500 prior to the dating of the auditor's report. It also includes new acknowledgements related to management's responsibilities with respect to the investment certification when management elects to have an ERISA Section 103(a)(3)(C) audit and requires the auditor to inquire of management about how management determined that the entity preparing and certifying the investment information is a qualified institution.
The EBP SAS discusses AU-C section 315, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, and emphasizes that the plan instrument is essential to understanding the plan and identifying and performing audit procedures that are responsive to assessed risks. The EBP SAS specifically requires that the auditor obtain and read the most current plan instrument for the audit period, including amendments that are in effect, as part of obtaining an understanding of the entity sufficient to perform risk assessment procedures. The EBP SAS also requires the auditor to consider relevant plan provisions when designing and performing audit procedures.
Evaluation and Documentation. If the auditor has determined that it is not necessary to test any relevant plan provisions as part of risk assessment, the auditor is required to document the considerations in reaching such conclusion. When the audit work performed results in the identification of items that are not in accordance with the criteria specified (for example, not in accordance with the plan instrument), the auditor should evaluate whether the matters are “reportable findings”, which are defined in the EBP SAS as matters that are one or more of the following:
- An identified instance of noncompliance or suspected noncompliance with laws or regulations in accordance with AU-C section 250,
- A finding arising from the audit that is, in the auditor's professional judgment, significant and relevant to those charged with governance regarding their responsibility to oversee the financial reporting process in accordance with AU-C section 260
- An indication of deficiencies in internal control identified during the audit that have not been communicated to management by other parties and that, in the auditor's professional judgment, are of sufficient importance to merit management's attention in accordance with AU-C section 265, Communicating Internal Control Related Matters Identified in an Audit
The auditor should not issue a written communication stating that no reportable findings were identified during the audit.
Yes. The auditor is required to make certain communications with management and/or those charged with governance. Reportable findings should be communicated in writing to those charged with governance, in a timely manner, in accordance with the requirements in other relevant AU-C sections. The EBP SAS also includes discussions of other matters that should be discussed with management and those charged with governance, including matters that may arise when an ERISA Section 103(a)(3)(C) audit is performed.
The EBP SAS requires that the auditor perform the procedures necessary to become satisfied that amounts received and disbursed (for example, employer or employee contributions and benefit payments) reported by the trustee or custodian were determined in accordance with the plan provisions. When designing and performing audit procedures, the auditor is required to:
- Consider relevant plan provisions that affect the risk of material misstatement at the relevant assertion level for classes of transactions, account balances, and disclosures. The EBP SAS recognizes that because of the nature of EBP audits, it would be rare for the auditor, based upon the assessed risks of material misstatement at the relevant assertion level, not to test any relevant plan provisions. The EBP SAS includes Appendix A that provides some examples of plan provisions often included in a plan instrument by audit area.
- Evaluate whether prohibited transactions identified by management or as part of the audit have been appropriately reported in the applicable ERISA-required supplemental schedules.
- When management elects to have an ERISA Section 103(a)(3)(C) audit, the auditor also is required to:
- Identify which investment information is certified, and perform audit procedures on the financial statement information, including the disclosures, not covered by the certification as well as noninvestment-related information based on the assessed risk of material misstatement. Plans may hold investments in which only a portion are covered by a certification by a qualified institution. In that case, the auditor is required to perform audit procedures on the investment information that has not been certified.
- Evaluate management's assessment of whether the institution issuing the certification is qualified (as part of engagement acceptance, the auditor is required to inquire of management about how management determined that the entity preparing and certifying the investment information is a qualified institution under DOL rules and regulations (see answer to question 9)).
- Perform the following procedures on the certified investment information:
- Obtain from management and read the certification as it relates to investment information prepared and certified by a qualified institution.
- Compare the certified investment information with the related information presented and disclosed in the ERISA plan financial statements and ERISA-required supplemental schedules.
- Read the disclosures relating to the certified investment information to assess whether they are in accordance with the presentation and disclosure requirements of the applicable financial reporting framework.
Yes. The EBP SAS requires the auditor to make appropriate arrangements with management to obtain a substantially complete draft Form 5500 and read the draft Form 5500 in order to identify material inconsistencies and material misstatements of fact, if any, with the audited ERISA plan financial statements prior to dating the auditor's report. A draft of the Form 5500 that is substantially complete includes the forms and schedules that could have a material effect, involving both qualitative and quantitative considerations, on the information in the financial statements and ERISA-required supplemental schedules. If the auditor identifies a material inconsistency, he or she is required to determine whether the audited ERISA plan financial statements or the draft Form 5500 need to be revised.
Yes. The EBP SAS requires that the auditor obtain certain written management representations in addition to those required by AU-C section 580, regarding management's responsibilities for maintaining a current plan instrument, administering the plan, and providing the auditor with a substantially complete draft Form 5500 prior to the dating of the auditor's report. It also includes new acknowledgements related to management's responsibilities with respect to the investment certification when management elects to have an ERISA Section 103(a)(3)(C) audit.