
Page 1: Auditing Overview for Employee Benefit Plans Pugh & Company, P.C

Auditing Overview for Employee Benefit Plans


08/2010 PUGH & COMPANY, P.C. 2

Learning Objectives

Provide an overview of the audit process including:

Risk assessment

Significant audit areas

Actuarial assumptions

SAS 70 reports

Terminating plans


Risk Assessment

• Summary of Risk Assessment Standards

– Objectives of risk assessment standards

• Understanding of the entity

• Assessment of risk

• Improve linkage between assessed risk and work performed

– Assessment process

• Continuous process - must occur throughout the audit

• Evaluation of audit findings (questions to ask throughout the process)

– Has audit risk been reduced to an acceptably low level?

– Has risk of material misstatement been reduced to an acceptably low level?

– If the answer is no to either of these, the audit is not complete.


Risk Assessment Process

Procedures Performed

• Preliminary engagement activities.

• Inquiries of plan management and others.

• Preliminary analytical procedures.

• Observation and inspection.

• Discussion among the engagement team.

Understanding Obtained

• Industry, regulatory, and other external factors.

• Nature of the plan.

• Objectives, strategies, and related business risks.

• Measurement and review of the plan's financial performance.

• Internal control.

• Selection and application of accounting policies.

• Fraud risk factors.

Decisions and Judgments Made

• Decisions at the Financial Statement Level:

– Materiality at the financial statement level.

– Materiality for particular items of lesser amounts.

– Risks of material misstatement at the financial statement level.

– Overall audit strategy.

• Decisions at the Account Balance, Transaction Class, and Relevant Assertion Level:

– Tolerable misstatement.

– Risks of material misstatement at the relevant assertion level, including identification of significant risks.

– Nature, timing, and extent of further audit procedures (including tests of controls and substantive procedures).


Risk Assessment

• Materiality

– Based on economic conditions you might expect a lower materiality level.

– Lower materiality levels may add additional time to the job.

• Need to be efficient in selecting audit steps in the risk assessment process.


Risk Assessment

• Materiality…

– Documentation

• Need to document basis for materiality

• Need to document any changes in materiality that occur during the audit and how they were determined

– Contributions (special bonus/special compensation)

• Need to document lower level of planning materiality for certain items

– Administrative expenses (declining profitability of plan sponsor)


Risk Assessment

• Understanding the Plan and Its Environment

– The Plan

• Review plan document

– Consider summarizing significant information

• Document flow of information

– Plan sponsor

– Record keeper

– Custodian

– Trustee

– Actuary


Risk Assessment

• Understanding the Plan

• Records

– Where are they located?

– How do we gain access to the data?

• Specific plan investments

– Are there hard-to-value assets?

– GICs

• Information technology

– How is information communicated between

» Plan sponsor?

» Service organization?

» Participants?


Risk Assessment

• Understanding the Plan Sponsor’s industry

• Consider factors affecting the industry that could affect the plan

– Decreased sales

– Increased costs

– Layoffs

– Cash flow problems

– Increased risk of bankruptcy

• Increased incentive to minimize expenses through

– Misallocation of required employer contributions

– Misuse of forfeitures

– Shifting plan administrative expenses directly to plan


Risk Assessment

• Understanding Plan Sponsor

• Consider interviewing plan sponsor employees

– Owners

– Key Management

– Participant (especially in ESOP)

» Ask

What do they know about the plan?

How do they conduct transactions?

What are their expectations?

Should be done during fieldwork on financial statement audit when possible and incorporated into fraud interview process


Risk Assessment

• Understanding Plan Sponsor

• Interview dos and don’ts

– Dos

» Face to face interviews

» Interview personnel involved in all aspects of the plan’s operations

» Share hypothetical situation to initiate fraud discussion

Treatment of lost participants and the related fraud opportunities

How and frequency of contribution reconciliations

– Don’ts

» Conduct the interview in the presence of other client employees

» E-mail questions to management

» Interview only the primary audit contact

» Ask only yes and no questions


Risk Assessment

• Understanding the Design and Implementation of Internal Controls

– Who is ultimately responsible for properly implementing and operating an employee benefit plan?

• The plan sponsor

– Responsibility for the plan cannot be passed to the service providers

– Implementation of appropriate monitoring controls is critical where plan operations are outsourced


Risk Assessment

• Understanding Internal Controls

– Plan administration controls

• Determining plan provisions

• Establishment of the investment policy

• Authorization of certain transactions

• Monitoring and on-going evaluation of service providers


Risk Assessment

• Understanding Internal Controls…

– Entity level controls – who is in charge of the plan

• Monitoring (board of directors)

• Personnel (hiring, training, evaluations)

• Integrity and ethics (ethics policies)

• Segregation of duties (protection of assets)


Risk Assessment

• Understanding Internal Controls…

– Transaction level controls

• Eligibility determination

• Contributions

• Distributions

• Investment transactions

• Allocation to participants accounts (currently a hot topic in the industry)

• Forfeitures (currently a hot topic in the industry)

• Plan fees (currently a hot topic in the industry)

• Participant investment elections

• Transfers, mergers, new plan setups


Risk Assessment

• Understanding Internal Controls…

– Unique control environment

• Important to understand and document who does what

• Significant controls may be outsourced to third parties

• Certain areas may have shared responsibilities

• A control at one entity might mitigate risk in another area (e.g. vesting)


Risk Assessment

• Understanding Internal Controls…

– Participant Controls

• How many people open their statement, reconcile it to the payroll deductions, recalculate employer contributions, recalculate allocations, and review investment losses?

• Can we rely on the participant to contribute to the internal control structure?

– They may not understand the internal control process

– They may not open their statement on a regular basis

– They may not know what to look for

– The internal control process is not their responsibility unless we directly ask them to review a confirmation

– We should not rely on this to reduce control risk


Risk Assessment

• Documentation of Internal Controls

– Identify individual audit areas and related control objectives

• Consider classes of transactions

– Activity in participant’s account

– Existence and occurrence

• Account balances

– Investments

– Receivables

– Payables

• Disclosures


Risk Assessment

• Documentation of Internal Controls…

– Document controls

• Client memo and flowcharts

• Incorporate reference to SAS 70 controls when appropriate

– Verification through walkthroughs

– Consider flow of information between plan sponsor and the service organization for each individual audit area and control objective

– Consider missing steps in the control process


Risk Assessment

• Documentation of Internal Controls…

– Engagement team discussion

• Fraud

• Error

• Ask “what could go wrong”?

• Consider if you only had 8 hours to perform audit procedures - what would you want to do before you personally signed the opinion?

• Must be tailored to each plan – cannot rely on one discussion for all plans

• Consider the uniqueness of the various plans


Risk Assessment

• Challenges of an Employee Benefit Plan Audit

– When assessing risk keep the following in mind

• Many clients see the audit as a “necessary evil”

• Many plan sponsors do not have the policies and procedures in place or do not have them sufficiently documented

• Many plan sponsors that rely heavily on service providers may not be as rigorous in their procedures and oversight

• Overuse or underuse of the SAS 70


Risk Assessment

• Policies and Procedures of the Plan Administrator Related to the Service Organization

– Plan administrator should have an understanding of what the service organization does and what controls are in place

• They should be reviewing the SAS 70 annually


Risk Assessment

• Policies and Procedures …

– Reconciliation of participant accounts to service organization records should be performed on a timely basis

• Payroll information should be reconciled to the contribution records

– In total

– By participant

• Reconciling census data provided to service organization to appropriate payroll records

• The audit can not be the control


Risk Assessment

• Policies and Procedures …

– Consider who has access to the data provided to the service organization and the ability to make changes to override controls

• CFO/Controller

• Human resources

• Payroll

• IT


Risk Assessment

• Other Procedures of the Plan Administrator

– Document transactions that are approved

• Contributions

• Use of forfeitures

• Distributions

– Meet with investment manager

• Audit consequences

– Document policies and procedures

– Consider management points related to significant deficiencies


Significant Audit Areas

• Participant data

• Payroll

• Cash

• Investments

• Contributions received and receivable

• Benefit payments

• Investment income

• Fees and Expenses

• Actuarial Assumptions

• Form 5500

• SAS 70

• Terminating Plans


Participant Data & Payroll

Objectives include determining:

• Whether all covered employees have been properly included in employee eligibility records

• Whether accurate participant data for eligible employees were supplied to the plan administrator and, if applicable, the plan actuary


Participant Data & Payroll

Types of data to be tested:

• Demographic – birth date, hire date

• Payroll data – wage rate, hours worked, earnings, contributions to the plan


Participant Data & Payroll

Examples of substantive procedures

• Recalculate payroll for selected participants for one or more pay periods

• Trace individual payrolls from the payroll journal to the participants earnings records

• Review personnel files for hiring notice, pay rate, birth date, termination date


Cash

• Typically small

– If held under a trust agreement or under an insurance contract, confirmations are usually adequate

– If held independent of a trust agreement or insurance contract, customary audit procedures considered appropriate


Investments

• Limited Scope Audit

– Obtain and read a copy of the certification

– Determine whether the entity issuing the certification is a qualifying institution under DOL regs

– Compare the investment information certified by the trustee or custodian to the information contained in the plan’s financial statements and related disclosures


Investments

• If the auditor becomes aware that the certified information may be incomplete or inaccurate, the auditor should instruct the plan administrator to:

– Request that the trustee or custodian recertify or amend the certification for such investments at their appropriate year-end values, or recertify or amend the certification to exclude such investments from the limited scope certification, or

– Instruct the auditor to perform full scope procedures on such investments excluded from the certification

• If not done, the auditor should consider modifying his or her report


Investments

• Full Scope Audit

– Determine nature and location of investments from minutes, agreements with custodians, advisors, etc.

– Obtain or prepare a schedule of investments showing beginning balance, purchases, sales, ending balance

– Typical audit programs have specific procedures depending upon the type of investments held, such as mutual funds, limited partnerships and derivatives.


Investments

• Full Scope Audit (cont.)

– Confirm investments held by third-party custodians

– Perform analytical procedures on average and ending balances

– Test investment income

– Test fair value

– Test the calculation of unrealized gains and losses


Stable Value Funds & GIC’s

GIC’s - Audit Considerations

• Obtain, read and evaluate the GIC contract

• Maturity dates, minimum crediting rates, rate resets.

• Is the contract fully benefit responsive?

– Contract is between plan and issuer. The contract cannot be sold or assigned without consent of the issuer.

– Contract issuer must be obligated to (1) repay principal and interest, and (2) provide prospective crediting rate adjustments with an assurance the crediting rate will not be < 0%

– Contract requires all participant-initiated transactions to occur at contract value

– An event that limits the ability of the plan to transact at contract value with the issuer and with the participants must be probable of not occurring

– The plan must allow participants reasonable access to their funds

• Confirm principal and income with Insurance Company/Counterparty.

• Assess credit quality of the issuer.

• If a plan holds multiple contracts, each contract should be evaluated individually.


Contributions Received and Receivable

• Typical analytical procedures include:

– Comparison to prior year

– Average per participant

– Other expectation such as % of compensation

• Trace to plan sponsor audited financial statements

• Vouch subsequent receipt


Contributions Received and Receivable

Timeliness of remitting participant contributions

Contributions must be remitted ASAP

• Failure to remit may be considered a Prohibited Transaction

• 15th business day of following month is not a safe harbor


Benefit Payments

• Determine participant eligibility (request, approval)

• Recompute amount of benefit

• Vouch payment

• Typical analytical procedures include:

– Comparison to prior year

– Average per participant

– Other expectations


Investment Income

• Objective to test whether net assets and transactions have been allocated to accounts properly in accordance with plan document.

• Allocation of investment income to be tested even for limited scope audits.


Investment Income

• Consider reasonableness by comparing current year income and yield to that in the prior year and to investment reports from advisors, trustees, mutual fund companies and to industry indexes or other expectations.

• SAS 70 may be used to reduce but not eliminate scope of testing


Fees and Expenses

• Most defined benefit plans and many defined contribution plans pay administrative expenses out of plan assets

• Typically plan expenses are below materiality levels and therefore are not subject to significant detailed testing

• Auditors should gain an understanding of what expenses are allowed by the plan

• Many times expenses paid out of plan assets are prohibited transactions


Commitments and Contingencies

• Discuss with client

• Review minutes of various committees

• Analyze legal expense

• Request audit inquiry from attorneys

• Obtain client representation


Actuarial Assumptions

• Trends and nature of benefit distributions

– Lump sum vs. annuity payments

• Shift in plan population over time—turnover or retirement age

• Recent mergers or acquisitions could cause assumptions to be inappropriate

• Plan benefit formula changes or a freezing of the plan

• Whether consistent gains/losses are generated each year


Form 5500

• Auditor’s responsibility does not extend beyond the financial information identified in the auditor’s report.

• Auditor has no obligation to corroborate other information contained in the 5500.

• Auditor should read the other information in the 5500 and consider whether such information or its presentation is materially inconsistent with information appearing in the audited financial statements


SAS 70

Basic roadmap for auditors

• Read Independent Service Auditor’s Report and Company Overview to determine that correct SAS 70 has been obtained.

• Be mindful that missing control objectives may require additional procedures.


SAS 70

• The following control objectives should be included

– Plan setup

– Enrollments

– Contributions

– Distributions, including loans

– Investment election changes and transfers

– Investments, including purchases/sales, income and valuation

– Reconciliation and reporting

– IT general controls (including access, changes to programs, back-up)


SAS 70

Note: For missing key control objectives or if no SAS 70 report is available, procedures to determine controls in place, the evaluation of their design and implementation must still be adequately addressed by the auditor.


SAS 70

Description of Controls

• Auditors should read through the detail of the procedures related to a specific control objective to understand overall process and identify controls in place.

• Warning: Controls included in this description may not always be included in testing so be aware that this may affect reliance.


SAS 70

Tests of Operating Effectiveness

• Determine which controls were tested as included in the description of controls – usually listed with testing procedures performed

• Consider the level of testing performed for reliance purposes

– Inquiries alone will not be sufficient evidence for confirming implementation

– Observations may not be considered sufficient for reliance on controls for purposes of reducing control risk below maximum to reduce substantive audit procedures.


SAS 70

Exceptions

• Evaluate each exception, including nature, extent and mitigating controls

– Nature of exception

• Error in processing?

• Missing evidence?

– Extent of exception

• Isolated error?

• One of many included under control objective?

• Did exception lead to qualification of report?

• Special consideration – IT general controls – exceptions and qualification could affect more than one area and may be a significant problem in reliance and use of SAS 70 report.


SAS 70

Exceptions (continued)

• Mitigating controls in place

– Are there other controls in place at the service provider to mitigate risk of error?

• Other levels of review such as quality control reviews

• Different access levels that may prevent issues (physical vs. logical access on systems)

– Does the plan sponsor actually perform that control? (e.g. calculate vesting)

– Are there mitigating controls in place at the plan sponsor? (e.g., review and approve calculation of vesting)


SAS 70

Evaluation of SAS 70 report and conclusions reached by auditors should be documented clearly and adequately in audit workpapers as required by SAS 103.

• Documentation can include:

– Copy of relevant SAS 70 reports obtained and evaluated

– Checklist or form used to evaluate SAS 70 report

– Memo or checklist/form used above to document conclusions reached regarding each area as to reliance on SAS 70, and the extent of that reliance (e.g., reliance related only to design and implementation or further reliance to reduce control risk and substantive audit procedures)

– Note: Reliance may vary from area to area (e.g., reliance placed to reduce substantive audit procedures in contributions, but not in distributions)


Terminating Plans



Overview of Auditing Employee Benefit Plans

Questions?