5. Overseeing Managing Plan Audits

Question 1

The FASB issued the FASB Accounting Standards Codification (ASC) as the single source of authoritative, nongov, U.S. GAAP. The Codification is updated through the issuances of FASB Accounting Standards Updates. What are the purposes of these ASUs?

Answer 1

FASB doesn’t consider ASUS as authoritative in their own right. Instead, new ASUs serve only to update the Codification and provide background info about the guidance.

Question 2

Explain how the Codification treats the accounting and reporting standards for EBP in the topic: FASB ASC 960, Plan Accounting - Defined Benefit Pension Plans

Answer 2

Establishes the accounting and financial reporting standards for defined benefit retirement plans

Question 3

Explain how the Codification treats the accounting and reporting standards for EBP in the topic: FASB ASC 962, Plan Accounting - Defined Contribution Plans

Answer 3

Includes the accounting & fin reporting standards for defined contribution retirement plans

Question 4

Explain how the Codification treats the accounting and reporting standards for EBP in the topic: FASB ASC 965, Plan Accounting - Health and Welfare Benefit Plans

Answer 4

Provides the accounting and financial reporting standards for HWBPs.

Question 5

Explain the purpose of ASC Topic 960

Answer 5

Establishes financial accounting and reporting standards for the annual fin statements of defined benefit pension plans. FASB believes ASC Topic 960 is generally consistent with the views of the DOL and the American Academy of Actuaries. This means that most private pension plans will be able to prepare 1 set of fin statements in accordance with ASC Topic 960 for filings under ERISA and for distribution to other users.

Question 6

ASC Topic 960 applies to which plans?

Answer 6

All ongoing plans, funded/unfunded, that provide pension benefits for the EEs of 1+ ERs or for the members of a trade or other EE ass’n, including:
1. Plans subject to ERISA
2. Plans not subject to ERISA
3. Plans w/ no intermediary funding agency, or plans that may be financed through 1. One or more trust funds, 2. One or more contracts with insurance entities or 3. A combo thereof

Plans maintained ex-US that are similar to plans maintained within US are also subject to these rules if the fin statements of such plans are intended to conform to GAAP.

ASC Topic 960 doesn’t apply to gov’t-sponsored SS plans.

All pension plans that issue fin statements in conformity with GAAP, including plans with <100 participants, are covered by ASC Topic 960.

Question 7

Summarize (5 points) the accounting and reporting reqs of ASC Topic 960

Answer 7

1. The plan fin statements should be prepared on the accrual basis of accounting and should include a statement of net assets available for benefits as of the EOPY and a statement of changes in net assets available for benefits for the PY then ended.
2. Plan investments should be presented at their fair value, except for insurance contracts, which should be presented in the same manner as req’d for ERISA filing (i.e., fair value or contract value).
3. Info should be included about a) the actuarial present value of accumulated plan benefits and b) significant changes therein
4. Accumulated plan Ben info may be disclosed in one of 3 places: 1. On the face of the statement of net assets available for bens and on changes in net assets available for bens; 2. In separate statements, or; 3. In the notes to the fin statements
5. The actuarial present value of accumulated plan bens should be based on EE earnings & service rendered before the measurement date. Plan actuaries shouldn’t consider future sal increases or Ben improvements unless they’re specified (e.g., automatic COLA).

Question 8

Although ASC Topic 960 doesn’t identify any one group as the primary users of plan fin statements, the content of them should focus on the needs of ____; why are its needs paramount?

Answer 8

Plan participants, because pension plans exist primarily for their benefit.

However, plan fin statements should be useful to others who:
1. Advise or represent participants
2. Are current/potential investors or creditors of the ER
3. Are responsible for funding the plan, or
4. For other reasons have a derived/indirect interest in the status of the plan

Question 9

Does ASC Topic 960 require fin statements that compare more than one year’s info? Explain?

Answer 9

No. It recommends, but doesn’t require, supplementing the fin statements with voluntary disclosures of matters deemed important.

Even though the primary objective of pension plan fin statements is to provide info that helps users assess the plan’s present/future ability to pay benefits, Topic 960 doesn’t require comparative fin statements.

Question 10

List supplements info that FASB recommends be included in the annual fin statements of a plan

Answer 10

Recommends, but doesn’t require, supplementing w vol disclosures of matters deemed important, including:
1. Statement that includes info re: net assets available for benefits as of EOPY
2. Statement includes info re: changes during the year in net assets available for bens
3. Info re: actuarial present value of accumulated plan bens as of either beginning of EOPY
4. Info re: effects, if significant, of certain factors affecting the YOY change in actuarial present value of accumulated plan bens

Question 11

DOL can assess significant penalties if a required auditor report for a qualified EBP is missing/deficient. What’s the amount of penalty, and on whom is it levied?

Answer 11

Up to $1,100 per day, capped at $50k per annual Form 5500, on plan sponsor.

Question 12

How has the level of significant deficiencies in plan audits changed in recent years? Explain?

Answer 12

Despite the efforts of the DOL EE Benefits Security Administration Office of Chief Accountant to work closely with the Am Institute of CPAs to oversee the quality of EBP audits performed by CPAs, the level of significant deficiencies in plan audits has continued to increase.

Question 13

What were the results of the 2014 DOL audit quality study?

Answer 13

Showed that nearly 4/10 EBP audits had “Unacceptable-Major” deficiencies that adversely affected overall audit quality and that the remaining plan audits either implied with pro audit standards or had minor deficiencies.

Question 14

What is the EBPAQC? Is there any evidence this entity has any effect on the quality of plan audits?

Answer 14

AICPA established the EE Benefit Plan Audit Quality Cnter after the 2004 audit quality study. It is a voluntary membership org for firms that perform EBP audits. Its purpose is to promote the quality of plan audits.

EBPAQC has several membership reqs related to experience, education, and audit firm quality control. Although the 2014 EBPAQC study found that members of EBPAQC perform higher-quality audits, one or more GAA Standards deficiencies were found in 30% of audits performed by member firms. Nonmembers of EBPAQC had an 82% GAAS deficiency rate and also tended to have substantially more deficiencies, ranging to as many as 15 major deficiencies in a single audit engagement.

Question 15

EBSA (the DOL EE Bens Sec Admin) has conducted studies to determine which factors have an impact on the quality of EBP audits. What have these studies shown about the relationship between audit quality and a CPA firm’s peer review rating?

Answer 15

CPA firm EBP audits are reviewed as part of the AICPA practice-monitoring peer review program. EBSA concluded that a CPA firm’s peer review rating had little bearing on the firm’s plan audit compliance. In one study, 48% of deficient plan audits were performed by CPA firms with “clean” peer review reports.

Question 16

EBSA (the DOL EE Bens Sec Admin) has conducted studies to determine which factors have an impact on the quality of EBP audits. What have these studies shown about the relationship between audit quality and the number of audits performed each year by the CPA firm?

Answer 16

Based on audit quality results in each of six strata, EBSA concluded that audit firms that perform a smaller number of EBP audits each year tend to have a greater incidence of audit deficiencies.

This finding is consistent with the result of previous EBSA audit quality studies.

Question 17

What penalties against CPA firms that perform deficient plan audits are available through ERISA? Explain?

Answer 17

While EBSA can reject a plan’s annual Form 5500 filing and assess civil penalties against the plan sponsor until plan audit deficiencies are remediated, ERISA currently provides EBSA no enforcement power to assess civil penalties against CPA firms performing deficient audits.

Question 18

EBSA has found numerous audit cases where no audit work was performed, or where there was a lack of evidence of work performed. What are signs a plan sponsor should look for to see that audit work is, actually, being performed on the plan>

Answer 18

If the auditor isn’t making inquiries to understand how the plan operates and isn’t asking to see plan sponsor records to complete audit testing, there’s a good chance the audit work is deficient.

The plan sponsor should realize:
1. The plan sponsor must be involved in internal control and fraud inquiries for the audit firm to properly plan the audit.

2. The audit testing that occurs during the fieldwork phase cannot be completed without records maintained by the company: personnel files, payroll records, deferral elections, Ben payments, participant loan pkgs…
3. The fin statements can’t be completed without the involvement of the plan admin, who will ultimately sign the mgmt representation letter to take responsibility for the plan’s fin reporting.

Question 19

What can make a plan sponsor suspect the auditor hasn’t conducted adequate planning for the audit?

Answer 19

If the auditor arrives on the first day of fieldwork with little previous communication and immediately starts performing audit testing, this is an indicator of inadequate planning, supervision, and/or internal controls work on the part of the auditor.

Question 20

Does a plan admin have the right to examine an auditor’s work papers?

Answer 20

No.

Plan admin doesn’t have the right to examine auditor’s work papers for any purpose, including do assess audit quality.

Question 21

A plan admin who is seeking to engage a well-qualified auditor will focus all discussions to matters specific to their own plans. To encourage a productive discussion, the plan admin should provide a potential audit firm with these 7 items:

Answer 21

1. Plan docs or SPDs
2. Prior year 5500 and audited fin statements, and who prepared them
3. Scope of the audit (full/limited; limited aka ERISA Ss. 103a3c audit must conform to Statement on Auditing Standards 136)
4. List of external service providers, e.g. investment trustee, record keeper/actuary, ERISA atty, payroll processor)
5. Summary of changes in plan provisions and/or service providers
6. Summary of any plan corrections or issues encountered for the year to be audited
7. Info re: access to prior year audit work papers

Question 22

An engagement letter to the client from the independent qualified public accountant (IQPA) at the beginning of a plan audit should include (6 points):

Answer 22

1. Objective & scope of the engagement
2. Statement that due to the inherent limitations of an audit, there’s a risk that a material misstatement may not be detected
3. Identification of the applicable financial reporting framework
4. Reference to the expected form and content of reports to be issued
5. Statement that circumstances may occur in which a report may differ from its expected from and content
6. A list of matters re: the various responsibilities of plan mgmt & the auditor

Question 23

An audit engagement letter should include a list of responsibilities of plan mgmt (7 points):

Answer 23

1. Understanding the objective of the audit
2. The plan’s fin statements and the selection & application of the accounting policies
3. Establishing & maintaining effective internal control over financial reporting
4. Designing and implementing programs and controls to prevent & detect fraud
5. Identifying & ensuring that the plan complies with the laws & regs applicable to its activities
6. Making all fin records and related info available to the auditor
7. Adjusting the financial statements to correct material misstatements

Question 24

An audit engagement letter should detail the (4) responsibilities of the plan auditor:

Answer 24

1. Conducting the audit in accordance with GAAS
2. Obtaining reasonable rather than absolute assurance about whether the fin statements are free of material misstatement, whether caused by error or fraud
3. Obtaining an understanding of the plan & its environment, including its internal controls, sufficient to assess the risks of material misstatement of the fin statements and to design the nature, timing, and extent of further audit procedures
4. The expression of an opinion on the plan’s fin statements

Question 25

Following a plan audit, the auditor communicates (6) significant findings/issues from the audit:

Answer 25

1. The auditor’s view about qualitative aspects of the plan’s significant accounting practices, including accounting policies, estimates, and fin statement disclosures
2. The process mgmt used to develop accounting estimates, including fair value estimates, and the basis for the auditor’s conclusions as to the reasonableness of those estimates
3. Significant difficulties encountered during the audit
4. Disagreements with mgmt about matters that could individual or in the aggregate be significant to the fin statements or auditor’s report, regardless of whether the disagreements were satisfactorily resolved
5. Misstatements brought to the attention of mgmt as a result of auditing procedures
6. If mgmt consulted with other accountants wrt accounting or auditing matters re: the plan

Question 26

Briefly discuss the initial procedures a plan auditor follows when beginning to establish a preliminary audit strategy.

Answer 26

As the auditor begins, risk assessment becomes the focus and the auditor begins performing procedures to obtain an understanding of the plan & its environment, incl. internal controls in place at the plan sponsor (e.g., participant & payroll data) and the controls in place at outside service providers (e.g., payroll, investments, record keeping).

Question 27

What are the controls an auditor looks for at the outset of a plan audit?

Answer 27

By seeing whether controls are in place to ensure plan ops are consistent with the plan doc.

The plan service providers (actuary, trustee, record keeper…) should have controls in place to ensure that the appropriate data is used in calculating plan obligations, that EE & ER contribs are complete & accurate, that participant accounts are handled properly, that distribs and loans are processed accurately, that WBP claim payments (as applicable) are processed correctly, and that investments & investment transactions are properly accounted for.

The plan sponsor should be able to document both the controls in place at the sponsor and service provider levels, and what they do to monitor these controls.

Question 28

An auditor is req’d to identify control deficiencies and to determine the level of severity of each deficiency. What are the 3 levels an auditor can use?

Answer 28

1. Material weakness
2. Significant weakness
3. Other weakness

Question 29

An auditor is req’d to identify control deficiencies and to determine the level of severity of each deficiency. Explain “Material weakness”

Answer 29

This is a deficiency, or combo of deficiencies, in internal control, such that there’s reasonable possibility that a material misstatement of the entity’s fin statements will not be prevented or detected and corrected on a timely basis.

Question 30

An auditor is req’d to identify control deficiencies and to determine the level of severity of each deficiency. Explain “Significant weakness”

Answer 30

This is a deficiency, or a combo of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance.

Question 31

An auditor is req’d to identify control deficiencies and to determine the level of severity of each deficiency. Explain “Other weakness”

Answer 31

The auditor has the option of discussing other less severe deficiencies in internal control that are not significant or material.

Question 32

What is the purpose of a management comments letter?

Answer 32

A management comments letter is a written communication intended for plan mgmt and those charged with governance.

In the comm, the auditor discusses the various significant deficiencies and material weaknesses that have been identified.

Auditor has the option of discussing less severe deficiencies in internal control, too. These are matters that haven’t been comm’d to mgmt by other parties and that, in the auditor’s prof jdgmt, are of sufficient importance to merit mgmt attention.

If the other items are communicated orally, the auditor should document the comm. Making such comms in writing reflects the importance of these matters and assists those charged w governance in fulfilling their oversight responsibilities.

Question 33

Identify 3 types of deficiencies/weaknesses that plan auditors commonly communicate to management

Answer 33

1. Internal plan processes
2. Regulatory reqs
3. Outside service providers

Question 34

Discuss 3 common deficiencies involved with internal plan processes

Answer 34

1. Processing of participant contribs
2. Participant loan repayment
3. Hardship withdrawal control errors

More detail-
1. Implementation of proper controls ass’d with the recon process bt participant elections, payroll withholding, and the amounts deposited to the participant’s acct can help ensure accuracy of the plan and participant’s asset/acct balances. Plan mgmt should have controls in place to reconcile remittances per the payroll system to plan deposits.

2. Many times it is discovered that participant loans selected for testing were not properly set up for repayments in the payroll system. This is often due to the fact that there are different systems in place bt the payroll and the plan admin system.
3. Like participant loans, hardship withdrawals involve multiple departments on-site the plan sponsor org ,and the involvement of an outside service provider. Errors that occur include controls not being in place wrt adequate review of the withdrawal request, incl review of the related docs req’d to support the financial hardship, and review of the amnt being requested. Often there is not a proper control in place over the cessation of participant deferrals, if applicable. This is frequently the result of communication lapses bt payroll & HR depts.

Question 35

Discuss the deficiency involved with ERISA Ss.408b2, and explain why important

Answer 35

Lack of proper monitoring of service provider fees and disclosures, as required by Ss.408b2.

Many plan sponsors don’t follow the regs. The regs require the plan’s covered TPA to disclose the admin and investment costs incurred by the plan and plan participants, and the compensation received by the service provider.

This type of deficiency is important bc a plan service provider is considered a party in interest and its services are considered party-in-interest transactions. Without the proper written disclosure under ERISA Ss.408b2, the amounts received by the service provider are considered unreasonable per se, and the related statutory exemption doesn’t apply, resulting in a prohibited transaction.

Question 36

What is the SOC 1? What’s its purpose?

Answer 36

Report on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting = SOC 1

Because plan mgmt is responsible for establishing controls to ensure that plan transactions are timely and accurately processed in its financial statements, when a third-party service provider is involved, plan mgmt obtains this report from the provider, and reviews.

Based on its review, mgmt is able to determine whether the plan sponsor has effective controls to ensure the 1. Proper and complete transmission of data to the service org, 2. Proper processing of data and complete receipt of data from the service org, and 3. Timely recon of data received by the service org.

When the auditor notes that mgmt doesn’t document its review of the SOC 1 Report, or doesn’t incorporate proper controls as they relate to processes performed in conjunction with the service provider, it’s deemed to be a deficiency in its internal controls.

Question 37

What was the goal of the Statement on Auditing Standards No. 136 (SAS 136)?

How has this SAS looked to operationalize and achieve the goal?

Answer 37

To improve the quality of audits of ERISA plans.

By prescribing certain procedures that are req’d to be performed in the audit. Furthermore, SAS 136 seeks to add transparency to the nature & scope of ERISA BP audits as presented in the auditor’s report. The changes mandated by SAS 136 clarify each party’s role & responsibility throughout the audit process and formalize certain procedures that formerly were sometimes left to the auditor’s judgment.

Question 38

What changes does SAS 136 require to audit reports, engagement letters, and other comms in connection with EBP audits?

Answer 38

SAS 136 clarifies the respective responsibilities of auditors and the plan sponsor’s fiduciaries and administrators who oversee and manage the plan. Certain of these responsibilities are now included in the auditor’s report, engagement letters, and req’d comms.

The auditor’s responsibilities must now be disclosed in the auditor’s report, including: professional judgments, professional skepticism, and auditor’s comm with those charged with plan governance.

Management’s responsibilities stated in the engagement letter: to maintain a plan doc, admin the plan, maintain sufficient records for plan transactions and benefits, responsibility for the financial statements.

Under this standard, plan sponsors will see a more through audit report. SAS 136 changes how auditors report their findings to those charged w governance. In addition to communicating deficiencies in internal control, auditors will now also have to communicate “reportable findings” in writing to those charged w plan governance.

Question 39

Describe how what was previously known as a “limited scope audit” changes since SAS 136 became effective

Answer 39

In the past: limited scope audits accounted for the majority of financial audits, and allowed auditors to issue a disclaimer opinion without giving a formal opinion. The situation created a lack of transparency concerning what the auditor actually did. Limited scope audits essentially allowed auditors to take plan provider at their word about in/outflows of cash, and the auditors didn’t have to verify the info was correct.

SAS 136 renamed this as an “ERISA Ss. 103a3c audit.” To opt for such an audit, plan sponsors are req’d to first investigate & confirm whether the plan is eligible for this type. Plan mgmt will then have to make a representation in writing that they are eligible for the exception to a full-scope audit. To elect a Ss. 103a3c audit, plan sponsors have to engage an auditor for that scope of service, and then sponsors have to confirm w their service providers that they can offer a complete, valid cert statement.

SAS 136 creates a two-part opinion. A cert is still allowed concerning investments & investment income, although now auditors have to opine on the form and content of the certified information. Auditors must also give a formal opinion on anything not in the investment cert’n.

Question 40

Explain how SAS 136 serves to bring greater linkage bt a plan’s Form 5500 and its audit report?

Answer 40

Plan sponsors are req’d to provide the auditor with a substantially complete draft of the plan’s Form 5500 and its schedules before the audit.

This requirement allows the auditor to compare the Form 5500 to its findings and let the plan sponsor know whether there’ll need to be corrections to the 5500. Accordingly, any differences bt the 5500 and the audit report are identified, reconciled, corrected.

Question 41

How does SAS 136 provide more specific direction to auditors on what is commonly referred to as reportable information?

Answer 41

Under the standard, auditors are required to report any significant noncompliance and findings of no internal controls. Also req’d to comm reportable information in writing to those charged w governance. Reportable info under SAS 136 is similar to internal control matters previously communicated as material weaknesses and/or significant deficiencies by the auditor, but is defined as one or more of the following:

1. An identified instance of noncompliance, or suspected noncompliance w laws/regs
2. A finding arising from the audit that is, in the auditor’s pro judg., significant & relevant to those charged w governance re their responsibility to oversee the fin reporting process
3. An indication of deficiencies in internal control identified during the audit that haven’t be communicated to mgmt by other parties and that, in the auditor’s pro judg., are of sufficient importance to merit mgmt attention.

Question 42

How might SAS 136 create increased scrutiny and perhaps serve as an impetus for legal issues concerning retirement plans?

Answer 42

The financial audit report is attached to the Form 5500 and is publicly available through the DOL EFAST system. Depending on how the auditor responds to the standards, the audit report may disclose more noncompliance issues, which will be publicly available. This transparency could result in heightened legal issues for a retirement plan.

Question 43

What are the two primary types of fraud?

Which is most important to plan fiduciaries?

Answer 43

1. Misappropriation: illegal use of the property/funds of another person for one’s own use or other unapproved purpose, particularly by a public official, a trustee of a trust, or any person w a responsibility to care for/protect another’s assets - e.g., a fiduciary duty
2. Financial statement fraud is where auditors have the most concern. The risk is that the plan’s fin statements may be compromised in an attempt to deceive plan participants and others who rely on that info when making decisions. It also means that plan participant accounts may not be correct.

Question 44

Plan fiduciaries need to understand the 3 main fraud risk factors/conditions that enable fraud:

Answer 44

1. The presence of incentives or pressures to commit fraud
2. Opportunities to carry out the fraud
3. Attitudes/rationalizations to justify the fraud

Question 45

Studies by the Association of Certified Fraud Examiners (ACFE) have identified the (7) most common methods for detecting fraud. Note the very most common and why.

Answer 45

1. Tips are overwhelmingly the most common detection method: EEs are the best source because many do not want their company negatively impacted, so they step forward or go through anonymous hotlines.
2. Internal audit
3. Mgmt review
4. Reconciliations
5. External audit
6. Surveillance
7. Confessions

Question 46

ACFE has identified company departments where fraud is (1) most likely and (b) least likely:

Answer 46

1. Accounting, operations, and upper management tend to be the most frequent departments where fraud activity occurs
2. HR, BoD, and Legal are 3 of the depts where fraud occurrences are low.

Question 47

ACFE identified (4) measures an org can take to deter/minimize fraud:

Answer 47

1. Whistleblower hotlines are the most effective fraud detection tool available. Include provisions for anonymity and strong anti retaliation policies
2. EE support programs are effective bc they provide EE with psych/credit counseling at a time when most needed: before they commit fraud. Also, these programs help redirect EE efforts to more productive solutions to their problems.
3. Codes of ethics/ethics training sessions reduce fraud losses and serve critical roles in helping to investigate fraud cases
4. Make sure all EEs understand what constitutes fraud; communicate a zero-tolerance policy. Publicize prior fraud occurrences and the impact to the company, e.g. lost profits, adverse publicity, lost jobs. EEs should be trained to recognize warning signs that, when comb’d with other factors, indicate fraud.