Posted By Tyler Starr, CPA
In late 2018, the Auditing Standards Board (ASB) voted to issue a final balloted draft of SAS 13X, which addresses the auditor’s responsibility to form an opinion and report on the audit of financial statements of employee benefit plans subject to the Employee Retirement Income Security Act of 1974 (ERISA). It also addresses the form and content of the auditor’s report issued as a result of an audit of ERISA plan financial statements. In our blog “Almost There – Moving Closer to the New EBP Audit Standard” we discuss the changes to the audit report as well as a background of SAS 13X. The earliest SAS 13X will be effective will be for periods ending after December 15, 2020. Early adoption is not permitted.
Possibly the biggest change as a result of the new SAS is the removal of the “limited scope” audit terminology and the related disclaimer. Once effective, SAS 13X will create a concept known as a “103(a)(3)(C)” audit, where the auditor is not disclaiming an opinion, but is instead opining on the non-certified audit areas and performing limited procedures on the investments. The term isn’t as quick to say or as easy to remember as the limited scope audit. At first glance it only appears to be a name change to the same concept, but that is not the case.
Under a limited scope audit, there was a misconception that auditors don’t have to do any work at all since they would be issuing a disclaimer anyway. In fact, that misinterpretation is evidenced by the Department of Labor’s (DOL) reports on audit quality. The DOL’s studies reveal that as the number of limited scope audits have increased, so have the noncompliance rates. In 2013, 83% of all employee benefit plan audits were limited scope, a large increase from 21% in 2001. The DOL’s study in 2014 found that 39% of the 400 plans audited by 232 accounting firms failed to meet at least one professional standard, with about 17% of plans failing to comply with one or more ERISA reporting and disclosure requirement. Close to 60% of the limited scope audits in the study were found to contain audit deficiencies, which resulted in a push to repeal the limited scope audit disclaimed opinion altogether.
The new term, ERISA Section 103(a)(3)(C) audit, references the current provision in ERISA that discusses the limited scope audit. Once effective, instead of disclaiming, auditors will now be issuing an opinion that does not extend to the certified assets. It’s important to note that a disclaimer will still be available for other circumstances, as described in AU-C 705. Under an ERISA Section 103(a)(3)(C) audit, certified investments will get reduced attention from the auditor, with very limited procedures performed as compared to the full set of auditing procedures that would be performed in a regular audit. This begs the question, what procedures will an ERISA Section 103(a)(3)(C) audit require?
The auditor should perform the following procedures during an ERISA Section 103(a)(3)(C) audit:
- Evaluate management’s assessment that the entity issuing the certification is a qualified institution under the DOL’s rules and regulations.
- Identify which investment information is certified.
- Obtain from management and read the certification as it relates to investment information prepared and certified by a qualified institution.
- Obtain the agreement of management that it acknowledges and understands its responsibility for determining the certified investment information is appropriately measured, presented, and disclosed in accordance with the applicable financial reporting framework.
- Compare the certified information to the information presented and disclosed in the ERISA plan financial statements and ERISA-required supplemental schedules.
- Read the disclosures relating to the certified investment information to assess whether they are in accordance with the presentation and disclosure requirements of the applicable financial reporting framework.
- If, as part of the procedures performed above, the auditor becomes aware that the certified investment information in the financial statements and related disclosures is incomplete, inaccurate, or otherwise unsatisfactory, the auditor should discuss the matter with management to determine the appropriate course of action and perform additional procedures, if necessary.
- Based on the assessed risk of material misstatement, the auditor should perform audit procedures on the financial statement information not covered by the certification, including the disclosures as well as noninvestment-related information. Plans may hold some investments that are not covered by a certification. In that case, the auditor should perform audit procedures on the investment information that has not been certified.
The balloted draft also notes that for all audits of ERISA plan financial statements, including ERISA Section 103(a)(3)(C) audits, the auditor should perform the procedures necessary to become satisfied that received and disbursed amounts (for example, employer or employee contributions, benefit payments, and participant loan processing) reported by the trustee or custodian were determined in accordance with the plan provisions. Although the audit does not extend to certified investment information, areas such as participant data; contributions; benefit payments; participant account balances, including related earnings and other allocations to such account balances; and other transactions are subject to audit procedures, regardless of whether such information is included in the certification. For some auditors, this clarification reinforces the previously elusive notion that testing is necessary to issue an unmodified opinion, even in a 103(a)(3)(C) audit. The old excuse that “it’s just a limited scope audit, I’m going to disclaim anyway” will no longer be available.
In addition to auditors, management may find themselves performing more work because of SAS 13X. Changes resulting from the audit procedures listed above suggest more inquiries of management, which means management should be proactive in what will be expected of them. It’s management’s responsibility for determining that an ERISA Section 103(a)(3)(C) audit is permissible under the circumstances and that the investment information and certification meet the requirements the auditor is going to look at. Specifically, management should verify that the certified values are in compliance with Generally Accepted Accounting Principles (GAAP) or the applicable reporting framework and that they are certified as of the correct financial statement date. These are two items that will pose the most problems for plans that have assets without a readily determinable fair value.
The new standards set forth by the ASB put an emphasis on disclosure requirements; however it’s important to recognize that SAS 13X is not just a reporting standard, but an auditing performance standard. The new SAS will provide the auditor with clear objectives and requirements, which will hopefully provide clarity regarding the extent of work the DOL expects in a limited scope audit. While some audit firms may not see much change in the level of work they do going forward, some auditors will have to perform more extensive procedures once SAS 13X becomes effective. Again, the earliest this will be effective will be for periods ending after December 15, 2020, pending more detail. Although the language in the audit opinion will not change until audits performed during 2021, all auditors should look to SAS 13X as the standard to follow for audit procedures and best practices.
Photo by Thomas Hawk (License)
