Warning for EBP audit firms: Service agreements can create headaches
An effort aimed at streamlining access to pertinent information for auditors of employee benefit plan (EBP) financial statements is creating concerns that auditors and firms may be subject to the risk of violations of laws, regulations, and professional standards, as well as increased financial risk.
The Employee Benefit Plan Audit Quality Center (EBPAQC), established by the AICPA to support firms that audit EBPs in accordance with the Employee Retirement Income Security Act of 1974 (ERISA), published a letter that describes a growing issue related to nondisclosure agreements (NDAs) and other agreements. The document recommends actions that auditors and firms can take to combat the unintended but unfortunate consequences of a technology-driven process.
“This is an issue the EBPAQC Executive Committee has discussed at length, and members from firms of all sizes are becoming increasingly concerned about the risks associated with agreements they are being asked to sign simply to access information they need to perform an EBP audit,” said Debbie Smith, CPA, chair of the EBPAQC Executive Committee. “We want to make sure that all EBP auditors understand these risks and are carefully considering NDAs and other agreements before signing them.”
EBP sponsors often use third-party service organizations to perform administrative functions. Terms that auditors may be required to agree to before gaining access to materials needed for the audit may be included in NDAs, confidentiality agreements, business associate agreements, and data protection agreements.
The EBPAQC letter details nine examples of potentially troublesome provisions that auditors may be asked to accept in the process of accessing a service organization’s portal in order to obtain data needed to perform an ERISA audit.
These acknowledgements may, for example, expressly prohibit the auditor from using any information obtained through the portal, or state that the auditor cannot download or print the data for commercial use or that the data can't be copied at all, any of which compromises the auditor's ability to perform the audit in accordance with professional standards.
The agreements also may contain confidentiality provisions that, if complied with, may cause the auditor to violate laws, regulations, or ethical standards. And some provisions, although not a violation of standards or laws, may prove overly burdensome or invasive to plan auditors, such as allowing the service organization to monitor an auditor’s activities related to the portal without notification or allowing changes to the already acknowledged agreements without notice.
Sandi Carrier, CPA, a member of the EBPAQC Executive Committee, provided insight on the real-world impact of some of those provisions. “For example, if a provision prohibits auditors from copying or reproducing information obtained on the site, auditors would either violate the documentation requirements of AU-C Section 230, which requires auditors to record the identifying characteristics of the specific items or matters tested, or violate the terms of the NDA.”
So, what are firms and their auditors to do?
As an alternative to agreements that could lead to unintended consequences, EBPAQC recommends that auditors suggest that plan sponsors establish reasonable procedural protections that provide practical alternatives to the agreements, including:
- Contracting with service organizations to ensure plan auditors have the information needed to conduct the audit without inappropriate limitations;
- Requesting service organizations to modify standard provisions in NDAs and other agreements that are not intended to apply to auditors or otherwise negating the applicability of such provisions to auditors; or
- Carefully identifying the data to be exchanged in the course of an audit and discussing alternatives for obtaining such data from service organizations.
Auditors may also wish to consider discussing a workaround with the service organization, such as including language in the NDA or other agreement or in the audit package that notes that any provision that would cause the auditor to violate professional standards, laws, or regulations or is otherwise impracticable would not apply to plan auditors.
Smith emphasized the importance of understanding the risks involved with signing NDAs and other agreements and communicating those risks to others in your firm.
“As I like to say, we all reserve the right to get smarter,” she said. “It’s important to educate all employees in your firm who work on EBP audits about this issue so they don’t inadvertently put your firm at increased risk.”
— To comment on this article or to suggest an idea for another article, contact Bryan Strickland at Bryan.Strickland@aicpa-cima.com.