plan auditors what are they thinking?...10/17/2016 1 plan auditors –what are they thinking?...

10/17/2016

1

PLAN AUDITORS – WHAT ARE THEY THINKING?

CariAnn J. Todd, CPASenior Manager

BeachFleischman, PCTucson, AZ and Phoenix, AZSatellite operations: Dallas, TX and Washington, DC

[email protected]

10/17/2016

2

PLAN AUDITORS – WHAT ARE THEY THINKING?

May 1 – When is the AICPA EBP Audit Guide going to get here?

June 1 – I love EBP audit season, this year is going to be great!

July 1 – Issued my first financial statement, so far so good!

August 1 – Do Sponsors ever read their plan documents, or just sign them?

September 1 – Holy $#!& it’s already September 1st???

October 1 – What time is happy hour?

What is an Audit?

• The objective is for the auditor to express an opinion as to whether the plan’s financial statements are presented fairly, in all material respects, and in conformity with U.S. generally accepted accounting principles (GAAP).

• The auditor plans and performs the audit to obtain reasonable assurance that material misstatements are detected.

10/17/2016

3

What is an Audit?

Potential disconnect …

The tangible result of the audit is the auditor’s

opinion on the financial statements, which

present plan-level data.

The path to the auditor’s opinion weaves its way

through participant-level data and plan compliance.

Phases of an Audit:• Pre-audit / planning

• Understanding internal controls

• Testing operational compliance and account balances

• Financial reporting

Other considerations:• Fiduciary responsibility

10/17/2016

4

Pre-Audit / Planning

Who Is in Charge?

An effective team, with one designated leader:- Sponsor- TPA or Recordkeeper- Trustee/Custodian- Auditor


Leadership of the Process = Audit Efficiency

Audit Efficiency =

• Less time on site

• Fewer delays waiting on information

• Timely completion of the audit

• Reasonable fees

10/17/2016

5


The Document Request Letter

• aka “PBC Letter” – prepared by the auditor

• Comprehensive list of information and documents needed by the auditor

• Each item should be assigned to a responsible party (Sponsor, TPA, Recordkeeper, Trustee, Custodian, etc.)

• Set deadlines for completion


Documents requested – 1st year

Plan Document – signed

Adoption Agreement – signed

Summary Plan Description

IRS Letter (advisory, opinion, etc.)

Contracts with service providers - signed

Participant enrollment package

List of participating employers

10/17/2016

6


Documents requested – Recurring

Plan amendments – signed

Correspondence with IRS or DOL

Meeting minutes for trustees, administrative committee, investment committee, etc.

Fidelity bond

Testing results



Census, reconciled to payroll summary

Contributions summary, by pay period

Schedule of receivables

Schedule of investments

Certification (for limited-scope audit)

Schedule of loans

Schedule of payables

10/17/2016

7

Test of Deposits



Schedule of distributions

Schedule of fees paid (by plan and by sponsor)

Participant accounts report

Bank statements and reconciliations

SOC1 Report for Service Providers

Actuarial reports

10/17/2016

8


Depending on the Auditor’s Risk Assessment and Audit Approach, pre-audit requests may also include preparation of confirmation letters for …

• Participant data

• Plan receivables

• Investments (in a full scope audit)

• Benefit payments

• Participant loans

Internal Controls

The auditor will consider internal controls for all of the following:

• Sponsor

• Recordkeeper

• TPA

• Custodian / Trustee

10/17/2016

9

Internal Controls

At the Sponsor level, gaining an understanding of internal controls may include:

• Inquiry

• Completion of checklists

• Walkthroughs of significant cycles

• Tests of controls

Internal Controls

• At the Sponsor level, gaining an understanding of internal controls provides the auditor with information necessary to assess risk and determine the extent of testing required for certain attributes.

• Example… the payroll cycle

10/17/2016

10

Internal Controls

• For service providers, gaining an understanding of internal control is most easily gained via review of a SOC1 Report

• In the absence of a SOC1, the auditor will determine procedures necessary to sufficiently understand the controls in place at the service organization

Internal Controls

• For service providers, the existence of internal controls, specifically as provided in a SOC1 report, allow the auditor to reduce, but not eliminate, the extent of substantive audit procedures performed

• Example… paperless transactions: investment elections, benefit payments, loans, etc.

10/17/2016

11

Audit Testing

• Each auditor will have their own audit approach to substantive testing of both compliance with the plan document and of account balances

• Extent of testing is determined by assessment of internal controls, assessment of risks, size of the plan (dollars and/or participant count) and prior audit experience

Audit Testing

Participant-level – generally on a sample

• Eligibility – demographics

• Compensation – in line with definition

• Participant contributions – deferral elections

• Employer contributions – formula/true-up

• Benefit payments – eligibility, amount and vesting

• Loans – eligibility

10/17/2016

12

Audit Testing

Plan-level

• Timeliness of deposits

• Contribution receivables

• Investment valuation

• Investment transactions (full scope)

• Liabilities

• Plan expenses

Financial Reporting

• Auditors’ report

• Financial statements

• Auditor required communications

• Management letter

10/17/2016

13

Financial Reporting

• Auditors’ Report: Limited Scope

– Disclaimer of opinion

– Only applies to investment information (no impact on procedures in other areas); allows auditor to rely on Plan level investment information

– Certification must be issued by a qualified party

• Bank, Trust Company, Thrift, Insurance Carrier regulated or supervised and examined by a federal or state agency

– Not accepted by the SEC

Financial Reporting

• Auditors’ Report: Full Scope

– Audit opinion allowed as engagement not limited under DOL regulations

– Requires the substantive testing of investment securities

• Valuation at plan year end

• Purchase and sale activity during the year

• Earnings on investments

10/17/2016

14

Financial Reporting

Service providers can assist with:

• Fair value information

• Details for contracts with insurance companies

• Plan amendments

• Subsequent events

• Tax status – IRS letter, VCP filings, etc.

• Related party or party-in-interest transactions

Financial Reporting

Service providers can assist with (continued):

• Use and availability of forfeitures

• Changes in actuarial assumptions

• Funding status / funding policy

• Partial or actual plan terminations

• Reconciliation of financial statements to Form 5500

10/17/2016

15

Financial Reporting

Required Auditor Communications – Matters to be communicated:

– Auditor’s responsibility under standards

– Planned scope and timing of the audit

– Significant findings from the audit

• Auditor’s view on qualitative aspects of significant accounting practices– Accounting policies

– Accounting estimates

– Financial statement disclosures

Financial Reporting

Required Auditor Communications – Matters to be communicated (continued):

Significant findings from the audit (con’t).

• Significant difficulties encountered

• Uncorrected misstatements

• Disagreements with management

• Other matters that are significant and relevant to those with oversight of the financial reporting process

10/17/2016

16

Financial Reporting

Required Auditor Communications – Matters to be communicated (continued):

• Corrected misstatements (posted adjustments)

• Representations the auditor requests from management

• Management’s consultation with other accountants

• Other significant correspondence with management

Financial Reporting

Management Letter

• An audit typically does not include tests of internal controls

• Auditors have a responsibility to

– Gain an understanding of the internal control environment in order to effectively plan the audit

• Interviews and questionnaires

• Walkthroughs

– Report identified deficiencies in internal control

10/17/2016

17

Financial Reporting

Management Letter

• Deficiency in internal control when the design or operation does not allow management to prevent, detect or correct a misstatement timely

– Design deficiencies

• Control is missing

• Control not properly designed

– Operation deficiencies

• Control not operated as designed

• Control not performed by appropriate person

Financial Reporting

Management Letter

• Findings categorized as follows:

– Material Weakness

– Significant Deficiency

– Control Deficiency

– Best Practices

10/17/2016

18

Management Letter

35

Material Weakness

• A deficiency or combination of deficiencies in internal control such that there is a reasonable possibility that a material misstatement of the financial statements will not be prevented or detected and corrected on a timely basis.

Significant Deficiency

• A deficiency or combination of deficiencies in internal control that is less severe than a material weakness, yet important enough to merit attention.

Management Letter

36

Control Deficiency

• A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect and correct misstatements on a timely basis.

Best Practice

• Suggestions for enhancements in internal control based on industry standards or other examples the auditor has witnessed in operation at other clients.

10/17/2016

19

Fiduciary Responsibility

• Generally there are no specific procedures aimed at “testing” whether plan management exhibits the appropriate level of fiduciary responsibility

• The management letter is a good indicator of how well plan management is or isn’t doing in this area

Fiduciary Responsibility

Things we look for:

• Are there minutes? Are they detailed?

• Are service providers monitored?

• Are investment offerings monitored and changed when appropriate?

• Is plan participation considered and encouraged?

• Are signed documents readily available?

• How are management letter comments received? Are the comments addressed timely?

10/17/2016

20

Miscellaneous

• I say po-tay-to, you say po-tah-to

• GAAP requires excess contributions to be recorded as a reduction to current year contributions

• Form 5500 instructions require them to be reported as corrective distributions, line 2f

• Auditor is instructed to add a reconciliation footnote to the financial statements for significant differences between the financial statements and the Form 5500

Miscellaneous

• Short period exception:If the first plan period is a short period of 7 months or less, and an audit is otherwise required, the audit of the short period can be deferred until the second period (the first full year).

• The initial audit will then be a dual period audit, which is more cost effective.

10/17/2016

21

Questions?

Thank you for coming today! Feel free to contact me directly with any follow-up

questions or [email protected]