UPDATED October 27, 2021 – Originally published August 13, 2019.
There has been a significant new development for employee benefit plan administrators of large plans who opt for a “limited scope audit” by the plan’s auditor for Form 5500 reporting of the plan’s financial information, as permitted by ERISA Section 103(a)(3(C). This new development only applies if information on the plan’s assets is provided by and certified to by a “qualified financial institution” such as a bank, insurance company or other similar institution holding the plan’s assets. The certification provided by the bank must attest to the accuracy and completeness of the financial records. Under current practice, the plan’s auditor will generally indicate on the plan’s Form 5500 that the auditor has not included the certified assets in its examination, by issuing a “disclaimed” opinion on the plan.
Over the years, the value of a bank’s certification has been the subject of much wrangling in the ERISA community between plan auditors and the banks that hold plan assets, with plan administrators often in the middle. Nor were plan sponsors happy with receiving a “disclaimed” auditor’s opinion. The Department of Labor has also questioned whether the current certification practice provides sufficient information to the plan and to the government. In 2016, the DOL proposed, but did not finalize, a new reporting regulation that would have strengthened the requirements for the use of the limited scope audit, and placed additional obligations on the issuers of the certifications.
In July 2019, the American Institute of Certified Public Accountants (AICPA) took matters into its own hands and issued new requirements for ERISA plan audits, Statement on Auditing Standards No. 136, Forming an Opinion and Reporting on Financial Statements of Employee Benefit Plans Subject to ERISA (“SAS 136”). Among other topics, the SAS addresses an auditor’s responsibilities when a plan has opted to use a limited scope audit. According to Statement on Auditing Standards No. 141, the effective date of SAS 136 is December 15, 2021. Consequently, 2021 year-end audits performed in 2022 will be required to use the new form of auditor’s report and to follow the requirements of SAS 136.
As a symbol of the change, AICPA will no longer use the term “limited scope audits.” In future, they will be known as ERISA Section 103(a)(3(C) audits. SAS 136 includes new performance and reporting requirements for these audits, and because of that, the audit will no longer be considered to have a scope limitation. As a result, in lieu of the standard “disclaimed” opinion, SAS 136 requires the auditor to issue a two-pronged opinion stating that the information on the financial statements not covered by the certification is fairly presented; and that the investment information contained in the financial statements reconciles with or is derived from information in the bank’s certification.
While these accounting rules do not modify ERISA and are primarily directed at auditors, SAS 136 has direct consequences for the sponsors of employee benefit plans subject to the audit requirements, echoing longstanding guidance from the Department of Labor advising that plan administrators have a fiduciary duty, when opting for a limited scope audit, to ensure that the certification process is a sufficient substitute for an audit of the financial information.
Under SAS 136, a plan administrator will need to agree to the following conditions in its engagement letter with the auditor: (1) to provide the auditors with copies of the current plan document, (2) to provide auditors with a copy of the draft Form 5500 for review and to reconcile inconsistencies, and (3) to discuss with their auditor any reportable findings, including a discussion of any prohibited transactions that have not been properly reported in the supplemental schedules. The plan administrator will also be required to make written representations of its own compliance with its statutory responsibilities for administering the plan, with specific representations on the plan’s election to use an ERISA Section 103(a)(3)(C) audit, including that the bank’s certification is in compliance with the DOL rules, and that the certified investment information is appropriately measured, presented and disclosed in accordance with the applicable financial reporting framework, so that it may be compared to information in the plan’s financial statements.
Although plan auditors will not begin using these changes until plan years that end after December 15, 2021, we recommend that plan administrators of large plans that use or are planning to use a Section 103(a)(3)(C) audit consider their new obligations under the AICPA Guidelines. If you have questions regarding SAS 136 and Section 103(a)(3)(C) audits, please contact Susan Elizabeth Rees or Jason Kotlyarov.