How to perform high-quality EBP audits

Employee benefit plan work requires specialized training and careful coordination.
By Ken Tysiac

How to perform high-quality EBP audits
Illustration by Shivendu Jauhari/iStock

When performed correctly, audits of employee benefit plan financial statements can be extremely rewarding for a firm and its auditors.

It takes specialized expertise to excel in employee benefit plan (EBP) audits, but highly skilled and motivated teams can develop efficiency that will be profitable while performing a valuable service in the public interest.

"If you get the right people involved, and they have passion and interest, it works very, very well," said Kris Tveit, CPA, a principal in the EBP Audit practice at CliftonLarsonAllen LLP and a former member of the AICPA Employee Benefit Plans Expert Panel.

There also are times when EBP audits don't work so well. A U.S. Department of Labor (DOL) study released in May reported deficiencies in 39% of 400 EBP audits analyzed from the 2011 plan year. Experts say significant improvement is needed in this area, and a focus on EBP audits is an important part of the AICPA's six-point plan for improving audit quality.

In some cases, more training is needed to ensure an understanding of the policies and procedures that lead to a successful EBP audit. Practitioners without proper training in these highly complex, high-risk audits may misunderstand important concepts such as the limitations of the exemption in limited-scope audits and the extent to which Service Organization Control 1 (SOC 1) reports can be relied on in these audits.

Here are eight things firms and practitioners can do to enable the highest quality in EBP audits:

Establish proper tone at the top

Proper tone at the top means a commitment to performing the engagement correctly. In the case of an EBP audit, this means getting the appropriate training, providing proper supervision and review, assigning qualified staff with experience, and obtaining the proper resources to do the job right.

"It involves a substantial financial commitment," said Bill Lajoie, CPA, a sole practitioner in Littleton, Colo., who has served as a member of the AICPA Employee Benefit Plan Audit Quality Center (EBPAQC) Executive Committee. "If you're not willing to make that investment, you're not going to produce a quality product."

Designating a partner to be responsible for the quality of your firm's EBP audit practice can help set expectations for this work to be performed to the highest standards. And firms should accept or retain clients or EBP engagements only if the proper skills and infrastructure are in place to enable a high-quality audit.

The EBPAQC has numerous tools available to practitioners who perform these specialized audits, and the AICPA | CIMA Competency and Learning website (competency.aicpa.org) offers practitioners a way to assess and build their EBP-related competencies. Taking advantage of these tools can prepare audit professionals to do a thorough job on these audits.

If possible, develop specialists

Many firms that perform more than just a few EBP audits have auditors or teams of auditors who specialize in EBP audits (see "Succeeding With a Narrow Focus," page 56).

"If you've got a dedicated team that really understands this area, you can really get efficient," Tveit said.

Some firms even have teams that specialize in particular areas of EBP audits, such as audits of employee stock ownership plans (ESOPs), health and welfare plans, or defined benefit pension plans.

It can be a challenge for firms to develop EBP specialists because much of the work is performed during a busy season that runs from April through October. But some firms assign these specialists other types of work, including consulting, that can be performed from November through March. Other firms have EBP auditors also develop a second specialty in an area that is not busy from April through October.

Centralizing functions related to EBP audits also can make the process more efficient. For example, some firms use one or two individuals to review all EBP audit reports before they are issued. Some firms centralize the SOC 1 report review process for information in the reports relevant to all plan audits when multiple EBP audit clients use the same service providers.

Communicate, coordinate, and organize

Coordination in EBP audits can be complicated because the auditor is working with various personnel with the plan sponsor, and external vendors or third-party administrators to get information and data. Auditors will be working with human resources personnel as well as the finance and accounting personnel who traditionally provide information during other types of engagements.

This makes planning, communication, and coordination essential to a smooth audit process. A timeline should be established early, and parties need to be informed promptly about what information they will be responsible for providing for the audit. Clients should be educated on accounting rules, regulatory requirements, and the audit process.

All of this information should be documented in the engagement letter.

"Communication flow, coordination, and early planning is a really important part of having a smooth benefit plan audit that isn't pushing right up against the ERISA deadline," said Diane Walker, CPA, who leads Johnson Lambert's EBP practice and serves on the EBPAQC Executive Committee.

In advance of on-site work, it's a good idea to ask clients to provide important information such as trust schedules and certifications, summary plan descriptions, and plan documents. Samples should be selected, and clients should be asked to gather supporting documentation so it will be available when the auditor arrives.

Before engagement planning even starts, it's also a good idea to hold a brainstorming meeting with all supervisors, managers, and partners who participate in EBP audits. This enables anticipation of potential areas of concern and sharing of information on accounting and regulatory changes and how client service can be improved.

Firms should conduct a firmwide inventory of plan clients, performing a review and risk analysis of those clients that includes possible threats to independence. Qualified staff should be identified for each EBP engagement, and the adequacy of staff training should be evaluated carefully.

Understand the meaning of 'limited scope'

The DOL has recommended that Congress amend the Employee Retirement Income Security Act (ERISA) to repeal the limited-scope audit exemption, which has caused confusion for auditors of EBPs. The AICPA supports repeal of the limited-scope audit exemption.

The exemption allows the plan administrator to instruct the auditor not to perform any auditing procedures with respect to investment information prepared and certified by a bank or similar institution, or a regulated insurance carrier.

Auditors performing limited-scope engagements still need to determine that the disclosures in the financial statements and footnotes related to the certified investment information are in accordance with GAAP and in compliance with DOL rules and regulations. Also, the auditor needs to obtain and read a copy of the certification; determine whether the entity issuing the certification is a qualifying institution; compare the information in the certification to that in the financial statements; and perform procedures deemed necessary to become satisfied that any received or disbursed amounts (such as contributions and benefit payments) reported by the custodian were determined in accordance with plan provisions.

Practitioners also need to remember that they are required to fully comply with auditing standards for everything except the exempted procedures related to the certified investment information.

"There is that tendency in limited-scope audits to stop and relax, even in areas that aren't covered by the exemption, like in benefit payments, contributions, and participant data," Lajoie said. "That's what's driving the recommendation to eliminate limited-scope audits."

Avoid overreliance on reports

Many EBPs use third-party administrators or service organizations in their processing of transactions.

Auditors often use SOC 1 reports from third-party vendors to gain an understanding of the operations and internal controls of the plans' third-party vendors. SOC 1 reports must be fully reviewed and evaluated by the EBP auditor, with an eye toward ensuring all relevant user controls that are likely to be relevant to the plan's internal control over financial reporting were effective. If not, the auditor may need to perform additional testing.

Reliance on a SOC report also must be documented. An AICPA practice aid, Using a SOC 1 Report in Audits of Employee Benefit Plans, can help auditors use and document SOC 1 reports appropriately.

It's also a good idea to remind plan management that they need to obtain and read SOC 1 reports to fulfill their fiduciary responsibility to monitor service providers. Walker said her firm is seeing an increase in the frequency of qualified opinions in SOC 1 reports, which presents a problem for auditors.

"If there's a qualified opinion and it's an area where you were relying on the controls, you can't rely on that anymore," she said.

Perform thorough testing

The most common areas for deficiencies identified in the DOL report were EBP-specific requirements such as testing contributions, benefit payments, participant data, and party-in-interest/prohibited transactions.

Lajoie said thorough testing is essential for auditing success in these areas. For example, comprehensive testing should be done on a sample of participants who withdraw from a plan that has vesting provisions for how much an employee can take upon leaving.

It won't be enough for the auditor simply to look at a copy of the canceled check. Testing should include recalculation of the benefit payments, reviewing elections the participant made on how he or she wanted to get the distribution, reviewing whether the participant received a confirmation from the trustee, and possibly confirming the payment with the participant.

Maintain a rigorous quality-control system

After developing a written firm quality-control document, it's critically important for auditors to pay close attention to how the quality-control principles are applied in their EBP audit practice.

In addition, EBPAQC member firms are required to perform an annual inspection of a representative sample of their EBP audits. Firms may use these reviews to see how they can improve performance on future EBP audits.

Firms that perform a small number of EBP audits may wish to contract with more experienced firms for an engagement quality-control review. Though not a substitute for properly trained staff, such a review can provide added assurance that nothing was overlooked during the audit.

"Think beyond the four walls of your firm, and take a look at all the resources available to your firm," Lajoie said.

Strong quality control also is forward-looking and includes making sure personnel with the appropriate expertise are involved in the planning phase.

Hire and develop people with a passion for this work

Early in Tveit's career, some of her colleagues were surprised when she expressed interest in specializing in EBP audits.

Indeed, at many firms, other audit, tax, or consulting engagements may seem more glamorous than EBP audits. But Tveit and many others enjoy the EBP specialty because of the challenge of rigorous compliance demands, the usefulness that employee benefit plan knowledge can provide in one's career, and the public interest aspect.

"I really love this practice area," Tveit said.

That kind of passion is a critical component of high-quality work, so it's an important aspect to consider when hiring and developing a team to perform these audits.


About the author

Ken Tysiac is a JofA editorial director. To comment on this article or to suggest an idea for another article, contact him at ktysiac@aicpa.org or 919-402-2112.


AICPA resources

JofA articles

Publications

  • Employee Benefit Plans—Audit and
  • Accounting Guide (#AAGEBP15P, paperback; #AAGEBP15E, ebook; #WEB-XX, one-year online access)
  • Employee Benefit Plans—Best Practices in Presentation and Disclosure (#AATTEBP14P, paperback; #AATTEBP14E, ebook; #WET-XX, one-year online access)
  • Employee Benefit Plans Industry Developments—Audit Risk Alert (#ARAEBP15P, paperback; #ARAEBP15E, ebook)
  • Practice Aid Series: Establishing and Maintaining a System of Quality Control for a CPA Firm's Accounting and Auditing Practice—Firm With a Single Office, aicpa.org (available for free download)
  • Using a SOC 1 Report in Audits of Employee Benefit Plans (#APASOC113P, paperback; #APASOC113E, ebook; #APASOC1O, one-year online access)

CPE self-study

  • Auditing Employee Benefit Plans (#733009, text)
  • Audits of 401(k) Plans (#736149, text)

For more information or to make a purchase, go to cpa2biz.com or call the Institute at 888-777-7077.

Webpages

SPONSORED REPORT

How to make the most of a negotiation

Negotiators are made, not born. In this sponsored report, we cover strategies and tactics to help you head into 2017 ready to take on business deals, salary discussions and more.

VIDEO

Will the Affordable Care Act be repealed?

The results of the 2016 presidential election are likely to have a big impact on federal tax policy in the coming years. Eddie Adkins, CPA, a partner in the Washington National Tax Office at Grant Thornton, discusses what parts of the ACA might survive the repeal of most of the law.

QUIZ

News quiz: Scam email plagues tax professionals—again

Even as the IRS reported on success in reducing tax return identity theft in the 2016 season, the Service also warned tax professionals about yet another email phishing scam. See how much you know about recent news with this short quiz.