Defined Contributions Insights MagazineJuly/August 2008
New Standards, New Scrutiny for 401(k) Plan Audits This Year
Thorough audit process may help prevent future plan problems.
By Jan Altman, Greg Auteri, Michael Friedman, Vincent Gaudiuso, Ken Perlman, and Dominic Rovano
Do you remember the first time you met your spouse’s parents? They wanted to know everything about you. There was a barrage of questions as they closely examined your past and assessed your prospects for the future. Well, you’re likely to find yourself in a similar situation this summer, but now the interrogator will be your 401(k) plan auditor. That’s because new, stricter audit standards, known as the “risk assessment standards,” now apply to all audits. For calendar year 2007 401(k) plans, this will be the first audit under the new standards. The new audit will be quite a departure from previous years. Never before have so many new questions, documentation, and evaluations been required. The bottom line: your audit will take longer and demand more of your time.
You can blame the tougher standards on Enron and its ilk. The American Institute of CPA’s (AICPA) tightened standards in the aftermath of widespread corporate accounting fraud in the early part of this decade. The new standards extend to all audits, including audits of employee benefit plans. (See Exhibit 1).
Exhibit 1: New “Statements of Auditing Standards” (SAS)
401(k) plan audit procedures have been reshaped by almost a dozen new “Statements of Auditing Standards” (SAS) issued by the American Institute of CPAs. While many conscientious accounting firms traditionally have practiced good audit procedures, now the AICPA requires all auditors to follow these
directives. There are eight new risk assessment standards:
SAS 104, Amendment to SAS 1, Codification of Auditing Standards and Procedures (“Due Professional Care in the Performance of Work”)
SAS 105, Amendment to SAS 94, Generally Accepted Auditing Standards
SAS 106, Audit Evidence
SAS 107, Audit Risk and Materiality in Conducting an Audit
SAS 108, Planning and Supervision
SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement
SAS 110, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained
SAS 111, Amendment to SAS 39, Audit Sampling
Three other standards are also relevant to this year’s audit:
SAS 103, Audit Documentation*
SAS 112, Communicating Internal Control Related Matters Identified in an Audit*
SAS 114, The Auditor’s Communication With Those Charged with Governance
*Effective for audits of financial statements for periods ending on or after Dec. 15, 2006. All the others are effective for periods ending on or after Dec. 31, 2007.
Plan sponsors are generally required to file an employee benefit plan audit if the plan has 100 or more participants, under the Employee Retirement Income Security Act of 1974 (ERISA). The audit is submitted as part of the plan’s annual return/report (Form 5500) to the Employee Benefit Security Administration (EBSA) of the U.S. Department of Labor. If the audit is incomplete or substandard, you, the plan sponsor — not your auditor — bear the fiduciary responsibility and liability, including personal penalties. Deficient audits are surprisingly common and are found in approximately one-third of the one million audits filed each year, according to EBSA. Therefore, you should be more diligent than ever in managing the plan audit process. That starts by knowing what to expect.
What’s Different This Year
The new risk assessment standards require the auditor to assess the likelihood that the plan sponsor would make a material misstatement on the plan’s financial statements, either because of weak internal controls or unauthorized transactions. Simply put, the auditor is now looking at the business, not just the books. For example, a cash-strapped company may have difficulty depositing employee contributions on time. Therefore, auditors are obligated to gain an understanding of the plan sponsor’s business and its operating environment, including:
· External factors, such as competitive environment as well as supplier and customer relationships
· The nature of the entity’s business, including its operations, ownership, and governance
· The entity’s objectives, strategies and related business risks
· Measurement and review of the entity’s financial performance
· The design of internal control procedures and whether these procedures have been implemented and are operating effectively
As you can guess, more time will be spent making inquiries of management and employees, reviewing processes, and detailing transactions during the course of the audit. Management should expect auditors to ask detailed questions concerning internal controls, requesting copies of documentation showing that controls discussed have been truly implemented, and observing or walking through controls to determine if they are operating effectively. The auditor will observe controls that cannot be verified merely by inspecting documentation. Auditors also must evaluate management’s attitudes towards the importance of internal controls and its impact on timely and accurate financial reporting.
Custom-Designed Audits for Each Plan Sponsor
All of this work occurs before the actual audit begins, because each audit now must be tailor-made to focus on areas judged to contain the highest risk. In the past, auditors had the option of using a “default” audit to the maximum level of control risk. This is no longer an option. The auditor is obligated to design a customized audit whose nature, timing, and extent will depend on what risks the auditor uncovers during the risk-assessment phase of the engagement. Based upon the high-risk areas identified, the auditor will develop further audit procedures that are designed to reduce the risk of material misstatement to an acceptable low level. The auditor will examine that plan transactions and asset balances are presented in accordance with generally accepted accounting principles. (See Exhibit 2 for a detailed list of what is examined.)
Exhibit 2: Financial Statement “Assertions”
SAS 106 includes an in-depth discussion of financial statement “assertions” (a statement of fact or belief), now called “relevant assertions,” and audit procedures for obtaining the related audit evidence. The auditor will be weighing the risk of material misstatements based on its examination of management’s assertions. The following summarizes the three different types of assertions.
Assertions Regarding Transactions and Events
· Occurrence — transactions and events that have been recorded have occurred and pertain to the entity.
· Completeness — all transactions and events that should have been recorded have been recorded.
· Accuracy — amounts and other data relating to recorded transactions
and events have been recorded accurately.
· Cutoff — transactions and events have been recorded in the correct
accounting period.
· Classification — transactions and events have been recorded in the
proper accounts.
Assertions Regarding Balances at Period End
· Existence — assets, liabilities, and net assets exist.
· Rights and obligations — the entity holds/controls rights to assets; liabilities are the obligations of the entity.
· Completeness — all assets, liabilities and net assets that should have been recorded have been recorded.
· Valuation and allocation — assets, liabilities, and net assets are included in the financial statements at appropriate amounts and any resulting valuation adjustments are appropriately recorded.
Assertions Regarding Presentation and Disclosure
· Occurrence and rights and obligations — disclosed events and transactions have occurred and pertain to the entity.
· Completeness — all disclosures that should have been included in the financial statements have been included.
· Understandability — financial information is appropriately presented and information in disclosures is understandable to users.
· Accuracy and Valuation — financial and other information are disclosed accurately and at appropriate amounts.
In addition, the AICPA now details what your auditor should do to sufficiently document audit procedures — a process that had not been explicitly defined previously. Poor audit documentation is one of the most common reasons that audits are found deficient by EBSA, and now the work papers must be more explicit than ever. SAS 103, Audit Documentation, requires that the audit documentation be sufficiently detailed to give experienced auditors a clear understanding of the work performed, the evidence obtained, and the conclusions reached. This standard clarifies that verbal explanations do not, by themselves, provide sufficient support for the auditor’s work. Auditors will have to spend extra time fully describing the procedures they perform and how the information supports their conclusions. In addition, plan sponsors may need to provide more documentation to be included in the auditor’s files.
SAS 103 also states that auditors can prepare their reports but cannot date them until they have sufficient, appropriate evidence to support the opinion. Sometimes this evidence may not be ready for months. Consequently, the auditor will have to update the audit report to include subsequent events testing up through the report date. This additional audit work will be factored in audit fees.
Better Communication Counts
The Department of Labor is not the only entity that will get more detailed reports. Now your auditor is charged with clearly communicating a number of things to the people in charge of the plan’s governance. Specifically, SAS 114, The Auditor’s Communication With Those Charged with Governance, details what auditors should communicate with those charged with governance, such as a plan trustee, pension committee, or audit committee, who will bear responsibility for the audit. At the start of the audit, the auditor must provide an overview of the timing and scope of the audit. At the conclusion of the audit, the auditor should communicate significant audit findings to those charged with governance. Comments may be along the line of difficulties encountered in the audit application of accounting principles, noteworthy client estimates made, and other important matters.
Another standard, SAS 112, Communicating Internal Control Related Matters Identified in an Audit, became effective for Plan Year 2006. It requires the auditor to communicate in writing an assessment of your plan’s internal controls on an annual basis. The SAS 112 letter outlines certain deficiencies or weaknesses in your plan’s internal controls, called control deficiencies. A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. (Note: SAS 112 does not require your auditor to search for control deficiencies, but rather to evaluate them if they have been identified.)
SAS 112 stipulates that identified deficiencies must be communicated every year in which the deficiencies existed, even if your auditor had previously communicated them to you. These communications are private communications between you and your auditor. However, if the Department of Labor is performing a compliance audit on your plan, they may request to see any such communication from your auditor.