EBP audits: Don’t let your guard down

Beware of common quality issues that can bite practitioners.
By Ken Tysiac


A lack of "healthy paranoia" can be one of the biggest problems in approaching employee benefit plan (EBP) audits, said Bertha Minnihan, CPA.

An EBP audit at first may seem straightforward and simple, so auditors may let down their guard or attempt to perform an audit without the specialized training they need to do the job. If practitioners are not careful, they may find that an EBP audit is like a cute little dog that has a surprisingly nasty bite.

"We may think because they're smaller, and the balance sheet may have three items reported as opposed to 20, that we can relax a little bit and kind of just overlook the risk," said Minnihan, the national practice leader of employee benefit plan services for Moss Adams. "That can get us in trouble."

In addition to a healthy dose of paranoia, EBP auditors need to arm themselves with expertise specific to these engagements. Understanding the areas of EBP audits that can be troublesome also can be helpful. With that in mind, the AICPA Professional Ethics Division has identified common quality issues that have arisen from investigations of EBP audits. The following tips address some of those issues and can help practitioners perform high-quality audits.


At a basic level, an auditor needs to have the competence and appropriate technical qualifications to complete the audit in accordance with professional standards (AICPA Code of Professional Conduct, "Competence," ET §1.300.010, .01). Establishing competence begins with specialized training in EBP audits, and competence during an EBP engagement begins with gaining a comprehensive understanding of the plan and how it operates. In an EBP audit, this requires thoughtful consideration of the plan document and the adoption agreement. Each of these documents may be more than 100 pages long, but studying them is the only way to understand the terms and operations of the plan, the service requirements for employees, and the vesting rules, according to Scott Dufek, CPA. Along with his wife, Nancy, who's also a CPA, Dufek runs Dufek & Co., a Midwestern firm that is devoted solely to EBP audits.

"Almost any failure, short of documentation failures, you can trace right back to that the auditor didn't understand or take the time to fully read and digest the plan document and adoption agreement," Dufek said. "It takes a long time. They're long, thick documents. But if you don't understand what you're auditing, you don't have much chance to do it right."


As with any engagement, EBP auditors must not let their familiarity with the client lead them to become too comfortable and fail to perform testing that's necessary to arrive at a proper conclusion in the auditor's report.

"We don't go on our feelings," Minnihan said. "It's all evidential. I always say, 'Every day is new, and every piece of evidence has to fit.' You've got to trace the fact pattern before we conclude. And that's very sacred to what we do."

Relationships with clients are not the only areas where familiarity can cause trouble for CPAs. Auditors of defined benefit plans also may work with the same actuary on several accounts or for several years. Each time, though, sufficient procedures need to be performed related to the actuary. Practitioners are required to test the assumptions used by the actuary, as well as the actuary's reputation, conclusions, and qualifications, and their relationship to the plan. EBP auditors should take care not to rely too heavily on the work of actuaries. And testing the information provided to the actuary can provide assurance that the actuary's output is based on proper input.


EBP audits also require an understanding of a "limited-scope" audit (if applicable; not all EBP audits are limited-scope audits). Limiting the scope of an audit eliminates audit procedures over certified investments and related transactions, but other transactions and balances must be audited as stated in the auditor's report. Under a limited-scope audit, if the auditor receives a certification statement from a bank or insurance company certifying that the investment statements they provide are complete and accurate, the auditor is not required to test the balances and investment transactions. The internal controls over the investments may not need to be tested, either.

But the rest of the audit procedures and testing must be fully carried out.

"The remainder of the audit, and what you need to do in the audit, is exactly the same [as a full-scope audit]," Dufek said.

Likewise, an EBP auditor needs to understand the limitations of a service auditor's report. Although relying on system and organization control (SOC) reports allows the auditor to reduce substantive testing over covered areas, this does not eliminate the need for testing. Relying too heavily on a SOC report without performing the appropriate testing may leave the EBP auditor without enough information to support an opinion on the financial statements (see the sidebar, "Peer Review Shows 2 Primary Concerns in EBP Audits," below).

Minnihan said it's easy to be lulled into a false sense of security by a SOC report because they are performed by outsourced experts who often have strong credentials, and clients often place great faith in them. But auditors still need to make sure key controls are tested.

"Just because something is outsourced doesn't mean it's done correctly, because we as auditors have to evaluate internal control," Minnihan said. "So having a great SOC report frankly is little reflection on the plan or the sponsor's controls. And we can forget that."


Benefit-responsive contracts, which guarantee contract value regardless of whether the fair market value (FMV) of the underlying assets is more or less than the contract value, can be a challenge for EBP auditors. Auditors may fail to recognize these types of investments or that they require specific financial statement disclosures.

Minnihan said complex investments in general — not just benefit-responsive contracts — create challenges for EBP auditors. At Moss Adams, auditors overcome these challenges with help from a team of experts in the firm that specializes in reviewing such investments and contracts.

Smaller firms, Dufek said, are less likely to encounter complex investments in the EBP audits they perform. The exception, he said, is employee stock ownership plans (ESOPs). With ESOPs, the company is required to have a valuation specialist value the company and how much a share of its stock is worth. In these cases, the auditor can't just accept the valuation specialist's word. The auditor needs to determine if the valuation specialist's assumptions make sense and whether complete and accurate data were provided to the valuation specialist. A small audit firm may have to hire an outside valuation specialist to assist with this part of the audit.

"We would hire or retain a specialist on our own to see if the work the specialist was doing was accurate," Dufek said.


The extent of eligibility and participant data that auditors need to test is often misunderstood. Auditors need to perform procedures to confirm the allocation of contributions to plan participants and trace the contributions to participants' accounts. Testing also needs to be performed related to the amount of contributions and the investments selected by the participants. Year-end investment values need to be verified, as do purchase and sale transactions throughout the year. Auditors need to understand how employees are able to participate in an employee benefits plan, what their employee classification is, and how their contribution is allocated. Payroll testing on participants' data often is neglected, the Professional Ethics Division has found, especially in multiemployer plan audits.

Minnihan's firm asks clients to provide an employee census file that the firm then tests thoroughly. The census file includes information such as hire/termination dates, compensation, and employee classification.

"Payroll data is a very relevant starting point and focal area for auditing benefit plans," she said. "Understanding how an organization's payroll works, the eligible compensation components, how the plan sponsor approves and actually transmits contributions and loan repayments to the custodian, the controls over payroll functions, who's eligible to enroll in the plan, who is terminated or who shouldn't continue to defer into the plan, who controls pay increases, that's really key."


One of Minnihan's mentors taught her that in auditing, if you didn't document something, you didn't do it. AU-C Section 230, Audit Documentation, requires an auditor to prepare documentation sufficient to enable an experienced auditor with no previous connection to the audit to understand the audit procedures performed, evidence obtained, findings that arose, conclusions reached, and significant professional judgments made. Minnihan is concerned that some firms' audit programs are so checklist-oriented that documentation procedures get replaced by checkmarks. If you had to confirm something with the controller, for example, it's not enough to just check a box and say you did it. In a sufficiently documented audit procedure, you would document whom you spoke with, when the conversation took place, and what was said.

In EBP audits, practitioners especially must remember to document any procedures on the internal controls assessment, administrative expenses, subsequent events, commitments and contingencies, parties in interest and related parties, and risk assessment. (See "Audit Documentation: Tips for Getting It Right," JofA, June 2017). Merely signing the audit program does not provide adequate documentation. Auditors also must obtain an appropriately tailored management representation letter.


The most frequently seen disclosure problem in audits of EBP financial statements relates to omissions or errors in the fair value disclosures required by FASB ASC Topic 820, Fair Value Measurement. Auditors need to verify that financial statement preparers correctly describe valuation methodologies for all investments; level correctly; make sure cash and participant loans are not included in the FMV disclosures; and include disclosures required for investments valued at net asset value as a practical expedient.

Other financial statement pitfalls to watch for include:

  • Omission of disclosures particular to health and welfare plans, notably post-retirement benefit obligations.
  • Failure to include the reconciliation between the amounts in Form 5500, Annual Return/Report of Employee Benefit Plan, and the financial statements.
  • Omission of risks and uncertainties, subsequent events, tax status, and party-in-interest disclosures.
  • Failure to make disclosures about the amount and disposition of forfeited amounts.
  • Failure to comply with the U.S. Department of Labor's requirement to present a comparative statement of net assets available for benefits.
  • Failure to attach the schedule of assets held at the end of the year to the financial statements. The schedule of assets must be formatted correctly and identify the parties in interest.
  • Disclosures regarding certified information that do not include all information certified or that include amounts and/or transactions that were not certified as complete and accurate.
  • Failure to present investment income exclusive of changes in fair value.


It would seem that properly dating an auditor's report should be easy, but that's not always the case. A report may be dated incorrectly because it was not dual-dated or re-dated after it was reissued as a result of additional disclosures or audit procedures. Auditors also should be sure to wait until sufficient evidence is obtained before dating the report.

The first paragraph of an EBP audit report must identify the financial statements and/or supplementary schedules being reported on. If the auditor performed limited-scope audit procedures, the report needs to indicate that a limited-scope audit was performed. And unless the engagement is a limited-scope audit, the auditor's report must contain an opinion on:

  • All the statements included in the financial statements, or on supplementary information attached to the financial statements.
  • The prior-year financial statements that were presented.

In a limited-scope audit, the auditor would disclaim an opinion on the financial statements and supplemental schedules taken as a whole.


Most of all, Minnihan and Dufek said, experience and specialization are the critical factors in a successful EBP audit. Dufek's firm specializes solely in EBP audits in the hopes that a singular focus will deliver outstanding quality.

Minnihan, meanwhile, constantly stresses the importance of expertise in Moss Adams's practice. She specializes in employee benefits plans because she has a passion for preserving retirement security for the public. She wants to do it right, and she surrounds herself with people who share her goals and understand why a healthy dose of paranoia is necessary in EBP audits.

"It's a complex world, so we really need specialists," she said. "That's where I start off, with quality. ... The first thing I always say when I'm talking to my practitioners is, we need specialists. We need expertise."

Peer review shows 2 primary concerns in EBP audits

SOC reports and documentation pose challenges for practitioners.

By Carl R. Mayes Jr., CPA, and Ken Tysiac

In 2017, the AICPA Peer Review Program analyzed a sample of 109 employee benefit plan (EBP) audits to identify areas where noncompliance was most prevalent. The analysis indicated two primary areas that challenge practitioners who perform EBP audits.

Here are some of the challenges auditors face in those areas.

Understanding system and organization controls

In more than 20% of the audits examined, there was limited or no evidence that the audit team had obtained an understanding of the controls at a service organization. This nonconformity was driven by certain common misconceptions, including:

  • The belief that the auditor is not required to obtain a System and Organization Control (SOC) 1 report or otherwise gain an understanding of a service organization’s controls if he or she is taking a “full substantive approach”; and
  • The belief that an auditor can document his or her evaluation of the design and implementation of the service organization’s controls by placing a SOC 1 report in the working paper file, without any evidence that the report has been analyzed.

Even when a “full substantive approach” is taken, AU-C Section 315.14 requires the auditor to obtain an understanding of controls relevant to the audit. This includes controls at the service organization. The auditor is required to evaluate the design of the service organization’s controls and determine whether they have been implemented. Placing a SOC 1 report in the working paper file does not provide evidence that the evaluation took place.

Audit documentation

In more than 25% of the audits examined, the auditor failed to document sufficient audit evidence to support the audit opinion. Common misconceptions driving nonconformity included:

  • The belief that auditors can meet their overall audit objectives without documenting their work;
  • The belief that a sign-off on an audit program is sufficient documentation of a detail test; and
  • The belief that oral explanation can substitute for written documentation to meet the requirements of AU-C Section 230, Audit Documentation.

According to AU-C Section 200.19, to obtain reasonable assurance that the financial statements are free from material misstatement, the auditor needs sufficient appropriate audit evidence. AU-C Section 230.08 tells us that evidence must be documented, so that an experienced auditor with no connection to the audit will understand the nature, timing, and extent of the procedures performed; the evidence that was obtained; and the results of the procedures.

— Carl R. Mayes Jr., CPA, (Carl.Mayes@aicpa-cima.com) is an AICPA senior manager. Ken Tysiac (Kenneth.Tysiac@aicpa-cima.com) is a JofA editorial director.

About the author

Ken Tysiac is a JofA editorial director. To comment on this article or to suggest an idea for another article, contact him at Kenneth.Tysiac@aicpa-cima.com or 919-402-2112.


