Auditing Standard SAS 136: Raising the Bar for Retirement Plan Sponsors Fiduciary Committees
In July 2019, the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) issued a revised Statement on Auditing Standards No. 136 entitled “Forming an Opinion and Reporting on Financial Statements of Employee Benefit Plans Subject to ERISA.” Originally slated to take effect for tax periods ending after December 15, 2020, the revised standard was delayed by one year. Audit firms may, however, choose to adopt the standard on the original effective date.
This newly revised audit standard is important since tax-qualified retirement plans, among others, are required to submit an audit issued by an Independent Qualified Public Accountant (IQPA) with the plan’s annual report, Form 5500. (Small plans, i.e., those with fewer than 100 participants at the beginning of the plan year, may qualify for an exemption provided certain requirements related to the composition of the plan’s assets are satisfied.) The purpose of the audit is to certify that the plan’s financial statements and schedules are presented fairly and in conformity with Generally Accepted Accounting Principles (GAAP).
Plan sponsors, fiduciaries, and fiduciary committees are all affected by the revised rules in at least the following three ways:
- “Limited Scope” vs. “ERISA Section 103(a)(3)(C)” – What’s in a Name?
Under the prior rules, plan sponsors could elect to commission “limited scope audits,” which excluded certain audit procedures over investments and investment income that are certified by a qualified institution as complete and accurate. A “qualified institution” is a bank, trust company, or similar institution, including an insurance company, that is regulated and subject to periodic examination by a state or Federal agency. While the revised audit standards continue to allow these audits, the new rules dispense with the reference to “limited scope” audits and instead refer to “ERISA Section 103(a)(3)(C)” audits. The reference, of course, is to the provision of ERISA that establishes the limited scope exception to the general plan audit requirement.
According to the Auditing Standards Board, the reference to an ERISA Section 103(a)(3)(C) audit is more accurate, since the ERISA provision in issue is not a scope limitation. Properly understood, the prior audits were not limited in scope; rather they were modified (so-called “disclaimers of opinion”) inasmuch as certain information is certified elsewhere, i.e., by a qualified institution. The Board now takes the position that an independent auditor performing an ERISA Section 103(a)(3)(C) audit issues an ERISA Section 103(a)(3)(C) auditor’s report that is based on the audit and on procedures followed relating to certified investment information.
- New Obligations Imposed on “Management”
For retirement plan sponsors and their fiduciary committees, what is notable about the revisions to SAS 136 is not the new name. It is rather the new and comprehensive set of written representations that must be made to the auditor in connection with the audit process. The written representations required by the revised audit standards include:
- That management has provided the auditor with the most current plan instrument for the audit period, including all plan amendments;
- Acknowledgement of its responsibility for administering the plan and determining that the plan’s transactions that are presented and disclosed in the ERISA plan financial statements are in conformity with the plan’s provisions, including maintaining sufficient records with respect to each of the participants to determine the benefits due or which may become due to such participants;
- When management elects to have an ERISA Section 103(a)(3)(C) audit, acknowledgement that management’s election of the ERISA Section 103(a)(3)(C) audit does not affect its responsibility for the financial statements and for determining whether:
  - an ERISA Section 103(a)(3)(C) audit is permissible under the circumstances,
  - the investment information is prepared and certified by a qualified institution as described in 29 CFR 2520.103-8,
  - the certification meets the requirements in 29 CFR 2520.103-5, and
  - the certified investment information is appropriately measured, presented, and disclosed in accordance with the applicable financial reporting framework.
The auditor is required under the revised standard to request these representations for all periods referred to in the auditor’s opinion.
With regard to who must make the required written representations, the revised standard offers the following guidance:
For an ERISA plan, the appropriate person or persons with whom to communicate may not be clearly identifiable from the engagement circumstances. Some plans have a formal board of trustees (or other formal governing body), and others do not. For a single-employer employee benefit plan, the individual charged with governance may include the individual with the level of authority and responsibility equivalent to an audit committee, such as the named fiduciary, which is often the plan sponsor or an officer thereof; the sponsor’s board of directors or audit committee; or a committee overseeing the activities of the employee benefit plan, such as the employee benefits committee, employee benefit administrative committee, employee benefits investment committee, plan administrator, or another responsible party.
ERISA vests the power over plan maintenance and operation in a “plan administrator,” which is the board of directors (or another top-level governing body, e.g., a sole proprietor, LLC manager(s) by default). In many cases, the board of directors or other governing body will formally delegate the role of ERISA plan administrator to one or more fiduciary committees. But, to be clear, absent a proper delegation of authority, the default governing body is the ERISA plan administrator. While acknowledging the role of the plan administrator, the revised standard adopts and refers more generically to “management,” i.e.:
The plan administrator is identified in the plan document as having responsibility for managing the day-to-day administration and decisions for the plan. This SAS uses the term management to include the plan administrator as described in the DOL’s Rules and Regulations for Reporting and Disclosure under ERISA as well as other members of management.
The representations required of management under the revised audit standard represent a high bar. Some of these are highly technical in nature and will require input and assistance from internal specialists or outside advisers. Whether “an ERISA Section 103(a)(3)(C) audit is permissible under the circumstances” is a legal conclusion that would certainly benefit from sign-off by counsel (in-house or outside). The same is true respecting whether the “investment information is prepared and certified by a qualified institution” and whether the certification meets the requirements of the applicable Labor regulation. Curiously, whether “the certified investment information is appropriately measured, presented, and disclosed in accordance with the applicable financial reporting framework” seems something that the auditor is better equipped to answer than management.
- Management Policies and Procedures
Plan sponsors, retirement committees, and others vested with discretionary power over plan administration should maintain proper documentation of their compliance with the revised standard. Retirement committees may find it necessary to designate an authorized representative who can make the required representations and attest to both their accuracy and completeness. Where there is no fiduciary committee, it is commonplace for a member of an entity’s management to sign, either relying on their own apparent authority or not giving the matter a second thought. This approach may not (or should not) pass muster under the revised rules.