Improving employee benefit plan audits

All Rights of Use and Reproduction Reserved

Copyright © 2016 Marks Paneth LLP

IMPROVING EMPLOYEE BENEFIT PLAN AUDITS – GETTING IT RIGHT AND AVOIDING PENALTIES

The Office of Robert Bach, Esq.

Rita Piazza

Robert Bach

AGENDA

• Background

• DOL Assessing the Quality of Employee Benefit Plan Audits

• DOL Audit Quality Study – Summary of Frequent

“Unacceptable, Major” Audit Deficiencies

• Common and Recurring Operational Issues Seen in an Audit

• The Responsibilities of Plan Fiduciaries

• AICPA EBPAQC – The Importance of Hiring a Quality Auditor

• Recent Mailing from the DOL Re: “Tips for Selecting and

Monitoring a Plan Auditor”

3

BACKGROUND

STATUTORY BASIS FOR PLAN AUDITS

• ERISA requires that a plan attach the opinion of a certified public accountant to its Form 5500. 29 USC §§ 1023(a)(1)(B)(i) and 1023(a)(3) • Audit must be performed in accordance with Generally Accepted Auditing Standards (GAAS)• Audit is performed on behalf of participants and beneficiaries.• The Secretary may reject the filing if it is incomplete or if there is a

qualification in the accountant’s opinion. 29 USC §1024(a)(4).


4

BACKGROUND

Responsibilities in the Audit

• Preparation is key• Assign a point person who is responsible for coordinating the audit

and responding to questions and requests for documents. • Make sure all plan governing documents and amendments are

signed in proper form and complete and all plan records are up to date and complete

• Obtain reports from service organizations that are current and complete.


5

BACKGROUND

THE PLAN FIDUCIARY’S ROLE

• Establish and manage plan operations • Establish internal controls to monitor the operations of the plan and its service providers• Employ an individual familiar with GAAS• Appoint an independent auditor • Facilitate the audit process


6

BACKGROUND

BASIC PLAN OPERATIONS

• Plan administration, record keeping and expenses • Receive and record contributions• Maintain participant data and data security• Control management of investments• Benefit processing and payments


7

BACKGROUND

Contributions

• Contributions are correct and made timely• Contributions are properly set up, recorded, deposited and

allocated• Contributions are reviewed for accuracy, i.e. amounts and eligibility• Procedures established to audit contributions and collect

delinquencies


8

BACKGROUND

Participant Data

• Participant and beneficiary data properly recorded • Plan eligibility determined and timely notices provided - Data reviewed to maintain accuracy and continued eligibility - Data security. Access to participant data controlled to prevent

unauthorized charges or identity theft.


9

BACKGROUND

Plan Investments

• Establish investment and funding policy • Select and appoint money and asset managers• Money manager’s performance reviewed; consistent with retention

agreement; review quality of recordkeeping and level of performance.


10

BACKGROUND

Benefit Payments

• Establish process to pay benefit• Train staff to process benefits.• Establish claims and appeal procedures• Set up process to internally audit claims for improper payment,

theft and fraud.


11

BACKGROUND

Plan Administration and Expenses

• The business of administering the plan• Establish monitoring controls to identify and correct potential

problems including the effectiveness of the controls • Establish record retention and destruction policies • Select vendors and review their services• Software and computer systems


12

BACKGROUND

Some of the issues attorneys encounter with their clients

• Mistakes in the information provided to the participants – orally or in writing. Incorrect calculation of benefits.

• Ineffective training and review of performance of the benefit clericals and administrators.

• Plan records are poorly kept and archived.• The plan does not effectively monitor TPA’s or other service

organizations.


13

BACKGROUND

Reports about the Service Organization’s systems

SOC 1 Report – reporting on controls relevant to financial reporting

SOC 2 and 3 Reports – reports are designed for reporting on controls other than those likely to be relevant to user entities internal control regarding financial reporting (controls outside financial reporting)


14

BACKGROUND

Limited Scope Audits Plan management may elect to adopt an exemption under ERISA section 103(a)(3)(c) that allows plan management to instruct the auditor not to perform any auditing procedures with respect to the investment information prepared and certified by a bank, or similar institution or by an insurance carrier that is regulated, supervised and subject to periodic examination by a state or federal agency. This election is available only if the qualified certifying institution certifies both the accuracy and completeness of the investment information submitted. Certifications that address only accuracy or completeness, but not both, do not comply with the DOL’s regulation and therefore are not adequate to allow plan management to limit the scope of the audit. The limited scope exemption is implemented by CFR (code of federal regulation) 2520.103-8 that outlines the DOL’s rules and regulations for reporting and disclosure. This does not exempt the plan from the requirement to have an audit.


15

BACKGROUND

Limited Scope Audits, continued:This exemption only applies to the investment information certified by the qualified certifying institution and does not extend to participant data, contributions, benefit payments, required financial statement disclosures or other information, regardless of whether it is included in the certified information.


16

BACKGROUND

Limited Scope Audits, continued:

The limited scope exemption does not apply to information about investments held by a broker or dealer, or an investment company. If a limited scope audit is to be performed on a plan funded under a master trust agreement then separate individual plan certifications from the certifying institution need to be obtained by plan management to support the allocation of the assets and the related net income to the specific plan.


17

BACKGROUND

Independent Auditor’s Report (UNQUALIFIED OPINION)

We have audited the accompanying financial statements of ABC 401(k) Plan, which comprise the statements of net assets available for benefits as of December 31, 20X2 and 20X1, and the related statement of changes in net assets available for benefits for the year ended December 31, 20X2, and the related notes to the financial statements.

Management’s Responsibility for the Financial Statements

Management is responsible for the preparation and fair presentation of these financial statements in accordance with accounting principles generally accepted in the United States of America; this includes the design, implementation, and maintenance of internal control relevant to the preparation and fair presentation of financial statements that are free from material misstatement, whether due to fraud or error.

Auditor’s Responsibility

Our responsibility is to express an opinion on these financial statements based on our audits. We conducted our audits in accordance with auditing standards generally accepted in the United States of America. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free from material misstatement.

An audit involves performing procedures to obtain audit evidence about the amounts and disclosures in the financial statements. The procedures selected depend on the auditor’s judgment, including the assessment of the risks of material misstatement of the financial statements, whether due to fraud or error. In making those risk assessments, the auditor considers internal control relevant to the entity’s preparation and fair presentation of the financial statements in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the entity’s internal control.5 Accordingly, we express no such opinion. An audit also includes evaluating the appropriateness of accounting policies used and the reasonableness of significant accounting estimates made by management, as well as evaluating the overall presentation of the financial statements.

We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for our audit opinion.


18

BACKGROUND

Independent Auditor’s Report (UNQUALIFIED OPINION) Continued:

Opinion

In our opinion, the financial statements referred to above present fairly, in all material respects, the net assets available for benefits of the Plan as of December 31, 20X2 and 20X1, and the changes in net assets available for benefits for the year ended December 31, 20X2, in accordance with accounting principles generally accepted in the United States of America.

Report on Supplementary Information6

Our audits were conducted for the purpose of forming an opinion on the financial statements as a whole. The supplemental schedules of [identify title of schedules and period covered] are presented for the purpose of additional analysis and are not a required part of the financial statements but are supplementary information required by the Department of Labor’s Rules and Regulations for Reporting and Disclosure under the Employee Retirement Income Security Act of 1974. Such information is the responsibility of the Plan’s management and was derived from and relates directly to the underlying accounting and other records used to prepare the financial statements. The information has been subjected to the auditing procedures applied in the audits of the financial statements and certain additional procedures, including comparing and reconciling such information directly to the underlying accounting and other records used to prepare the financial statements or to the financial statements themselves, and other additional procedures in accordance with auditing standards generally accepted in the United States of America. In our opinion, the information is fairly stated in all material respects in relation to the financial statements as a whole.________________[Auditor’s signature]

[Auditor’s city and state]

[Date of the auditor’s report]


19

BACKGROUND

Independent Auditor’s Report (Limited Scope Audit Report)

Report on the Financial Statements

We were engaged to audit the accompanying financial statements of XYZ 401(k) Plan, which comprise the statements of net assets available for benefits as of December 31, 20X2 and 20X1, and the related statement of changes in net assets available for benefits for the year ended December 31, 20X2, and the related notes to the financial statements.

Management’s Responsibility for the Financial Statements

Management is responsible for the preparation and fair presentation of these financial statements in accordance with accounting principles generally accepted in the United States of America; this includes the design, implementation, and maintenance of internal control relevant to the preparation and fair presentation of financial statements that are free from material misstatement, whether due to fraud or error.

Auditor’s Responsibility

Our responsibility is to express an opinion on these financial statements based on conducting the audits in accordance with auditing standards generally accepted in the United States of America. Because of the matter described in the Basis for Disclaimer of Opinion paragraph, however, we were not able to obtain sufficient appropriate audit evidence to provide a basis for an audit opinion.

Basis for Disclaimer of Opinion

As permitted by 29 CFR 2520.103-8 of the Department of Labor’s Rules and Regulations for Reporting and Disclosure under the Employee Retirement Income Security Act of 1974, the plan administrator instructed us not to perform, and we did not perform, any auditing procedures with respect to the information summarized in Note X, which was certified by ABC Bank, the trustee (or custodian)39 of the Plan, except for comparing such information with the related information included in the financial statements. We have been informed by the plan administrator that the trustee (or custodian)40 holds the Plan’s investment assets and executes investment transactions. The plan administrator has obtained a certification from the trustee (or custodian)41 as of December 31, 20X2 and 20X1, and for the year ended December 31, 20X2, that the information provided to the plan administrator by the trustee (or custodian)42 is complete and accurate.


20

BACKGROUND

Independent Auditor’s Report (Limited Scope Audit Report) continued:

Disclaimer of Opinion

Because of the significance of the matter described in the Basis for Disclaimer of Opinion paragraph, we have not been able to obtain sufficient appropriate audit evidence to provide a basis for an audit opinion. Accordingly, we do not express an opinion on these financial statements.

Other Matter

The supplemental schedules [identify schedules] as of or for the year ended December 31, 20X2 are required by the Department of Labor’s (DOL) Rules and Regulations for Reporting and Disclosure under the Employee Retirement Income Security Act of 1974 and are presented for the purpose of additional analysis and are not a required part of the financial statements. Because of the significance of the matter described in the Basis for Disclaimer of Opinion paragraph, we do not express an opinion on these supplemental schedules.

Report on Form and Content in Compliance With DOL Rules and Regulations

The form and content of the information included in the financial statements and supplemental schedules, other than that derived from the information certified by the trustee (or custodian),43 have been audited by us in accordance with auditing standards generally accepted in the United States of America and, in our opinion, are presented in compliance with the Department of Labor’s Rules and Regulations for Reporting and Disclosure under the Employee Retirement Income Security Act of 1974.


21

DOL ASSESSING THE QUALITY OF EMPLOYEE BENEFIT PLAN AUDITS

Objective

The primary objective of EBSA’s (Employee Benefits Security Administration) review was to assess the level and quality of IQPAs’ (Independent Qualified Public Accountants) audits of ERISA-covered employee benefit plans.EBSA’s assessments involved a review of the Form 5500 Annual Return/Report filings and related audit reports for the 2011 filing year (plan years beginning in 2011). The Agency selected a statistically valid sample of 400 plan audits from a target population of 81,162 Form 5500 filingsfor 2011 in which an accountant’s report/audit opinion was attached.

22


Objective

Those 81,162 audits were performed by 7,330 different CPA firms Historically, EBSA has found that CPAs with smaller employee benefit plan audit practices tended to have the most audit deficiencies. Therefore, the Agency divided the population of CPAs into six strata based on the number of plan audits that the CPA firm performed with the desire to more definitively determine where in the population deficient audit work predominated.

23


Findings

Overall, EBSA’s review found that 61% of the audits fully complied with professional auditing standards or had only minor deficiencies under professional standards. However, 39% of the audits (nearly 4 out of 10) contained major deficiencies with respect to one or more relevant GAAS requirements which would lead to rejection of a Form 5500 filing, putting $653 billion and 22.5 million plan participants and beneficiaries at risk.

24


Findings• There is a clear link between the number of employee benefit plan audits

performed by a CPA and the quality of the audit work performed. CPAs who performed the fewest number of employee benefit plan audits annually had a 76% deficiency rate. In contrast, the firms performing the most plan audits had a deficiency rate of only 12%.

• The accounting profession’s peer review and practice monitoring efforts have not resulted in improved audit quality or improved identification of deficient audit engagements. In 4 of the 6 audit strata, a substantial number of CPA firms received an acceptable peer review report, yet had deficiencies in the audit work that EBSA reviewed.

25


Findings• CPA firms that were members of the American Institute of Certified Public

Accountants’(AICPA) Employee Benefit Plan Audit Quality Center tended to produce audits that have fewer audit deficiencies. Overwhelmingly, most CPAs in the two smallest audit strata are not Employee Benefit Plan Audit Quality Center members

• Training specifically targeted at audits of employee benefit plans (EBPs) may contribute to better audit work. As the level of EBP-specific training increased, the percentage of deficient audits decreased.

• Of the 400 plan audit reports reviewed, 67 (17%) of the audit reports failed to comply with one or more of ERISA’s reporting and disclosure requirements.

26


Conclusion• Once again, the smaller the firm’s employee benefit plan audit practice,

the greater the incidence of audit deficiencies• Audit areas that are unique to employee benefit plans such as

contributions, benefit payments, participant data and party-in-interest/prohibited transactions, continue to lead the list of audit deficiencies.

• CPAs failed to comply with professional standards either because they were not adequately informed about employee benefit plan audits, or failed to properly utilize the technical materials that were in their possession. However, even having the proper technical guidance did not ensure that a quality audit was performed.

27


Conclusion

• The Peer Review process does not appear to be an effective tool in identifying deficient plan audit work and ensuring compliance with professional standards. While selecting an employee benefit plan audit is a required part of the peer review process, CPAs who performed deficient audits often received acceptable peer review reports.

• Members of the AICPA’s Employee Benefit Plan Audit Quality Center (EBPAQC) tend to have fewer audits containing multiple GAAS deficiencies.

28


Enforcement

• Target small EBP practices• Target CPA firms in the 25-99 plan audit strata given their high deficiency

rates and the amount of plan assets ($317.1 billion) and plan participants (9.3 million) at risk from deficient audits.

• Work with NASBA• Amend ERISA to assess a penalty of $1000 a day against accountants

whose 5500 is rejected because of a deficient audit• Work with AICPA Peer Review staff• Issue regulations concerning qualification requirements• Amend ERISA and repeal limited scope audit exemption• Amend ERISA to establish accounting principles and audit standards

29


2011 Form 5500 DatabaseCPA Firms Performing Plan Audits

Number of Plans Audited Number of CPA Firms Number of Audits

Performed1-2 3,684

4,8913-5 1,519

5,7736-24 1,603

17,74725-99 433

18,910100-749 77

15,418750+ 14

18,423Total 7,330

81,162

30


Acceptable Audit does not contain any findings

Acceptable – minor Audit is acceptable, minor findings in certain areas of audit

Unacceptable – minor GAAS deficiencies , however overall audit quality is

not adversely affected

Unacceptable – major GAAS findings and overall quality is

adversely affectedIt appears that the increased number of limited-scope audits has contributedto declining audit quality. CPAs have less incentive to focus on relevant audit areas when they know the engagement will result in their issuance of “no opinion” on the plan’s financial statements.

31


Audits Containing 5 or More Deficiencies

IQPA # of Deficient AuditsAudits with 5 or More

Deficiencies1-2 72

533-5 65

406-24 64

3725-99 27

14100-749 3

1750+ 3

1

32


Did Plan Audits Comply With ERISA and DOL Reporting Regulations?67 reports had areas of non compliance:• In 11 (16%) instances, the supplemental schedule(s) required by ERISA

reporting and disclosure requirements were not attached or prepared.• In 11 (16%) instances, the footnotes to the plan’s financial statements

were either incomplete or missing entirely.• In 8 (12%) instances, the CPA’s audit report was not manually signed, as

required by DOL regulations.• In 7 (10%) instances, delinquent employee contributions were not

properly reported or disclosed in the CPA’s report or the plan’s Form 5500 filing.

33

DOL AUDIT QUALITY STUDY SUMMARY OF UNACCEPTABLE / MAJOR AUDIT DEFICIENCIES

Investments:Full scope audit:• 18 Failure to test investment transactions• 14 Failure to test investment income• 7 Failure to test end of year asset values• 5 No evidence of work performedLimited scope audit:• 10 Audit work papers do not contain the certification• 6 Failure to adequately test change in service provider• 5 Certifying entity does not qualify for limited scope

34


Notes receivables:• 30 No/inadequate testing of compliance with plan• 21 No work performed• 7 No review of supporting loan documentation• 5 No/inadequate testing for determination of delinquent loans that should

be reported as deemed distributions

35


Contributions Received & Receivable:• 53 Failure to test timely remittance of employee contributions• 35 Failure to test compliance with plan compensation provisions• 24 No/Inadequate testing of use of forfeitures• 10 Failure to agree/reconcile contributions to plan sponsor payroll

records, employee records, custodian/trust, and/or Schedule H• 10 No/inadequate testing of rollover contributions (material amount)• 9 No work performed• 7 Failure to address testing errors and/or variance and their impact on

financial statements• 5 No/inadequate testing of contribution receivable(s)

36


Benefit Payments:• 41 No recalculation of benefit payments• 38 No/inadequate work regarding eligibility of individuals receiving

benefit• 28 No work performed• 19 No/inadequate work regarding validity of claims• 10 Inappropriate reliance on SOC1 report• 9 No/inadequate work regarding forfeitures• 7 Failure to trace benefit payments to individual participant's account• 6 No/inadequate work regarding participant receipt of benefit payment• 6 No/inadequate testing of hardship/in-service benefit payments

37


Participant Data, Including Individual Participant Accounts:• 89 Failure to adequately test allocations to participant accounts• 73 No/insufficient testing of payroll data• 68 No/Inadequate testing of participant investment options• 41 No reconciliation of total individual participant accounts to total

plan assets• 35 Failure to adequately test eligibility, terminations and forfeitures• 29 Failure to test compliance with plan compensation provisions• 18 No work performed• 10 Failure to adequately test change in service provider• 10 Inappropriate reliance on SOC1 report

38


Plan Obligations:• 7 No/insufficient testing of census data (defined benefit pension plans)

39


Parties In Interest/Prohibited Transactions:• 46 No work performed• 39 Failure to document related parties/parties in interest• 29 Failure to document results of inquiries of management• 17 Inadequate work

40


Plan Tax Status:• 27 No work performed• 20 No evidence IRS tax compliance tests were reviewed• 8 No tax determination letter obtained• 7 Failure to document results of inquiries with management

41


Commitments & Contingencies:• 33 No work performed• 12 Failure to document results of inquiries with management• 8 Inadequate work

42


Administrative Expenses:• 55 No work performed• 7 Inadequate work performed

43


Subsequent Events:• 42 No work performed• 14 Failure to review interim financial information• 13 Failure to document results of inquiries with management• 9 Inadequate work performed

44


Plan Representations:• 6 Inadequate representations obtained• 5 Client representations were not appropriately tailored to the plan

45


Compliance with GAAS & GAAP:• 57 Inadequate footnote disclosures• 28 Inappropriate presentation of financial information on financial

statements• 16 No/lack of ASC 820 Fair Value Measurement disclosures

46


Compliance with Department of Labor Rules and Regulations for Reporting and Disclosure:• 11 No/inadequate footnote disclosures• 11 Required supplemental schedules not prepared/attached• 9 Incomplete Schedule of Assets Held for Investment (e.g., does not

include all investments, missing participant loans, no indication of parties in interest, etc.)

• 8 Unsigned audit reports• 7 Delinquent employee contributions not reported/disclosed• 6 No/Incomplete audit reports attached to the plan's Form 5500• 5 Financial statements do not agree to the Schedule H

47

COMMON AND RECURRING OPERATIONAL ISSUESGENERAL

• Fidelity Bond is required by law, fidelity insurance is not a substitute

• Enforcement problems- the plan administrator will be responsible for penalty

• Sign plan documents properly, compliance fee is very high• Update plan documents for new laws and be sure ALL documents

are SIGNED• Perform separate tests for auto enrollment, if not done properly the

error can be carried forward many years• Hardship withdrawals result in no contributions allowed for 6

months unless plan states otherwise• Definition of compensation should be included in your tests• Engagement letters should be tailored• If Plan document is not signed or you are not operating under your

Plan document, you can lose your tax exempt status

48

COMMON AND RECURRING OPERATIONAL ISSUESGENERAL

• SOC 1 deviations need to be addressed and sometimes additional audit procedures need to be performed

• Obtain list of Parties in Interest from client – DO NOT state NONE because the CPA firm is a party in interest

• Participant complaints are the #1 reason for a DOL audit. Be sure to add that verbiage to rep letter

• An allocated contract is Not part of plan assets• Benchmarking should be documented in minutes• If Plan does not receive a 408(b)(3) notice it is a prohibited

transaction• You must test hardships• Plan sponsors required to retain documentation to substantiate

compliance with hardship distributions and participant loans (handout)

49

COMMON AND RECURRING OPERATIONAL ISSUES401(K) PLANS

• Nondiscrimination testing (ADP/ACP)• Omitting eligible employees• IRC 402(g) limits ($18,000 and over 50 $6,000)• Timely deposit of employee elective deferrals – rule, as soon as

they can be segregated. If 1,3,5 days is a pattern, then you go to 6,7,8 days- you are late. Consistency is important

50

COMMON AND RECURRING OPERATIONAL ISSUES403(B) PLANS

• A slight increase of audits, DOL bringing in new agents• Universal availability• Improper hardship withdrawals• Excess contributions:

Age 50 catch up402(g)15 year ruleEmployees with 15 years of service with their current employer and an annual

average contribution of less than $5,000 per year are eligible for an additional $3,000 contribution per year up to a lifetime maximum catch up of $15,000. This is known as the 15-year rule. For participants eligible for both the age 50 catch up and the 15-year rule, the IRS will apply contributions above the regular limit first to the 15-year rule. Employers are not required to make this provision available.

51

COMMON AND RECURRING OPERATIONAL ISSUES

PLAN AUDITED BY PRIOR ACCOUNTANT

• Review predecessor work papers, identify deficiencies, management letter comments

• Inquire - were they corrected• Look for compliance issues – was plan in compliance with plan

document• Review work paper for test of timely remittances• Review for timely Form 5500 filings• ADP/ACP failures not corrected

52

COMMON AND RECURRING OPERATIONAL ISSUES

SELF DIRECTED BROKERAGE ACCOUNTS - HANDOUT

• Is it covered by certification? If not perform full scope procedures• Is it covered by SOC 1? If not perform walk through of controls over

authorization and execution of trades• Differences in Form 5500 Reporting• Testing participant accounts and audit procedures to consider• Testing Investments

53

THE IMPORTANCE OF HIRING A QUALITY AUDITOR

• Why a financial statement audit is important• Risks to Plan Sponsor if a Quality Audit is Not Performed • Evaluating Auditor Qualifications• The Proposal Process• Proposal Evaluation and Auditor Selection• Documenting the Agreement

54

RECENT MAILINGS FROM THE DOL RE: “TIPS FOR SELECTING AND MONITORING A PLAN AUDITOR

• The number of employee benefit plans the CPA audits each year, including the types of plans;

• The extent of specific annual training the CPA received in auditing plans;

• The status of the CPA’s license with the applicable state board of accountancy;

• Whether the CPA has been the subject of any prior DOL findings or referrals or has been referred to a state board of accountancy or the AICPA for investigation;

• Whether or not your CPA’s employee benefit plan audit work has recently been reviewed by another CPA (Peer Review) and if so whether such review resulted in negative findings.

THANK YOU

Improving employee benefit plan audits

Law

Transcript of Improving employee benefit plan audits