Some of the most common deficiencies in employee benefit plan (EBP) audits are inappropriate scope limitations due to an improper certification from the trustee or custodian and overreliance on the certification.
Under certain circumstances, plan management is allowed to instruct the auditor to limit the scope of auditing procedures on investment information that has been certified by qualified institutions as complete and accurate. In investigations, the AICPA Professional Ethics Division has noted that auditors rely on improper certifications or overrely on certifications and therefore inappropriately limit the scope of the audit.
Improper certifications can occur when the financial institution holding the plan’s investments does not qualify for the exception provided by 29 C.F.R. Section 2520.103-8, or the institution does not certify the accuracy and completeness of the investment information submitted. Overreliance on the certification can occur when the auditor limits the audit procedures on areas other than investments and related investment information certified by the qualifying institution.
The Professional Ethics Division staff offers the following tips to help auditors avoid these problems:
- Read the agreements between the plan and the custodian/trustee to understand the arrangement between the parties.
- Read the certification from the entity and verify the entity has certified the completeness and accuracy of the plan’s investments.
- Determine whether the entity issuing the certification is a qualifying institution under U.S. Department of Labor (DOL) regulations. Be aware that to be considered a qualifying institution to certify investment information, the institution must be regulated and subjected to routine examinations by a state or federal agency such as a bank or similar institution or an insurance carrier.
- Be skeptical. Some entities may appear to be appropriate but are not able to certify to the plan’s assets. Brokerage firms and investment companies generally would not meet the eligibility requirements for certifying information, although some of these institutions may have established separate trust companies that could meet the requirements to be a qualified institution.
- If there are concerns about whether the institution certifying is qualified, the auditor should instruct plan management to contact the DOL Employee Benefits Security Administration, Division of Reporting and Compliance at 202-693-8364.
- Read the certification from the qualified institution to verify the entity has certified the accuracy and completeness of the investment information submitted.
- Remember that the scope limitation and corresponding limitation of the auditor’s work must extend only to investments and related investment information certified by the qualifying institution.
- Compare the investment information certified by the plan’s trustee or custodian to the financial information contained in the plan’s financial statements and related disclosures. Plan investments that are not held by a qualifying institution, such as real estate, leases, mortgages, participant loans, and any other investments or assets not covered by such an entity’s certification, should be subjected to appropriate audit procedures. Plan management is responsible for engaging the auditor to perform full-scope audit procedures on the investments excluded from the certification.
- The appropriate audit procedures for all non-investment-related information (e.g., benefit payments, employer or employee contributions, and receivables) are the same for a limited-scope audit as a full-scope audit. Do not overrely on the certification.
- Visit the Limited Scope Audits Resource Center on the AICPA Employee Benefit Plan Audit Quality Center page at tinyurl.com/o3kym3r for more information on limited-scope audits.
This column was prepared by staff and volunteers for the AICPA Professional Ethics Division, including Jennifer Clayton, Peter DelVecchia, Rebecca Faris, and John Wiley.
To comment on this article or to suggest an idea for another
article, contact Ken Tysiac, senior editor, at