Auditing Overview for Employee Benefit Plans
Pugh & Company, P.C.

Learning Objectives
Provide an overview of the audit process, including:
• Risk assessment
• Significant audit areas
• Actuarial assumptions
• SAS 70 reports
• Terminating plans

Risk Assessment
• Summary of Risk Assessment Standards
  • Objectives of risk assessment standards
    • Understanding of the entity
    • Assessment of risk
    • Improve linkage between assessed risk and work performed
  • Assessment process
    • Continuous process - must occur throughout the audit
  • Evaluation of audit findings (questions to ask throughout the process)
    • Has audit risk been reduced to an acceptably low level?
    • Has risk of material misstatement been reduced to an acceptably low level?
    • If the answer is no to either of these, the audit is not complete.

Risk Assessment Process

Procedures Performed
• Preliminary engagement activities.
• Inquiries of plan management and others.
• Preliminary analytical procedures.
• Observation and inspection.
• Discussion among the engagement team.

Understanding Obtained
• Industry, regulatory, and other external factors.
• Nature of the plan.
• Objectives, strategies, and related business risks.
• Measurement and review of the plan's financial performance.
• Internal control.
• Selection and application of accounting policies.
• Fraud risk factors.

Decisions and Judgments Made
• Decisions at the Financial Statement Level:
  • Materiality at the financial statement level.
  • Materiality for particular items of lesser amounts.
  • Risks of material misstatement at the financial statement level.
  • Overall audit strategy.
• Decisions at the Account Balance, Transaction Class, and Relevant Assertion Level:
  • Tolerable misstatement.
  • Risks of material misstatement at the relevant assertion level, including identification of significant risks.
  • Nature, timing, and extent of further audit procedures (including tests of controls and substantive procedures).

Risk Assessment
• Materiality
  • Based on economic conditions you might expect a lower materiality level.
  • Lower materiality levels may add additional time to the job.
  • Need to be efficient in selecting audit steps in the risk assessment process.

Risk Assessment
• Materiality…
  • Documentation
    • Need to document basis for materiality
    • Need to document any changes in materiality that occur during the audit and how they were determined
    • Contributions (special bonus/special compensation)
    • Need to document lower level of planning materiality for certain items
    • Administrative expenses (declining profitability of plan sponsor)

Risk Assessment
• Understanding the Plan and Its Environment
  • The Plan
    • Review plan document
    • Consider summarizing significant information
    • Document flow of information
      • Plan sponsor
      • Record keeper
      • Custodian
      • Trustee
      • Actuary

Risk Assessment
• Understanding the Plan
  • Records
    • Where are they located?
    • How do we gain access to the data?
  • Specific plan investments
    • Are there hard to value assets?
    • GICs
  • Information technology
    • How is information communicated between
      • Plan sponsor?
      • Service organization?
      • Participants?

Risk Assessment
• Understanding the Plan Sponsor’s industry
  • Consider factors affecting the industry that could affect the plan
    • Decreased sales
    • Increased costs
    • Layoffs
    • Cash flow problems
    • Increase risk of bankruptcy
    • Increase incentive to minimize expenses through
      • Misallocation of required employer contributions
      • Misuse of forfeitures
      • Shifting plan administrative expenses directly to plan

Risk Assessment
• Understanding Plan Sponsor
  • Consider interviewing plan sponsor employees
    • Owners
    • Key Management
    • Participant (especially in ESOP)
  • Ask
    • What do they know about the plan?
    • How do they conduct transactions?
    • What are their expectations?
  • Should be done during fieldwork on financial statement audit when possible and incorporated into fraud interview process

Risk Assessment
• Understanding Plan Sponsor
  • Interview dos and don’ts
    • Dos
      • Face to face interviews
      • Interview personnel involved in all aspects of the plan’s operations
      • Share hypothetical situation to initiate fraud discussion
        • Treatment of lost participants and the related fraud opportunities
        • How and how often contribution reconciliations are performed
    • Don’ts
      • Conduct the interview in the presence of other client employees
      • E-mail questions to management
      • Interview only the primary audit contact
      • Ask only yes and no questions

Risk Assessment
• Understanding the Design and Implementation of Internal Controls
  • Who is ultimately responsible for properly implementing and operating an employee benefit plan?
    • The plan sponsor
    • Responsibility for the plan cannot be passed to the service providers
    • Implementation of appropriate monitoring controls is critical where plan operations are outsourced

Risk Assessment
• Understanding Internal Controls
  • Plan administration controls
    • Determining plan provisions
    • Establishment of the investment policy
    • Authorization of certain transactions
    • Monitoring and on-going evaluation of service providers

Risk Assessment
• Understanding Internal Controls…
  • Entity level controls – who is in charge of the plan
    • Monitoring (board of directors)
    • Personnel (hiring, training, evaluations)
    • Integrity and ethics (ethics policies)
    • Segregation of duties (protection of assets)

Risk Assessment
• Understanding Internal Controls…
  • Transaction level controls
    • Eligibility determination
    • Contributions
    • Distributions
    • Investment transactions
    • Allocation to participants’ accounts (currently a hot topic in the industry)
    • Forfeitures (currently a hot topic in the industry)
    • Plan fees (currently a hot topic in the industry)
    • Participant investment elections
    • Transfers, mergers, new plan setups

Risk Assessment
• Understanding Internal Controls…
  • Unique control environment
    • Important to understand and document who does what
    • Significant controls may be outsourced to third parties
    • Certain areas may have shared responsibilities
    • A control at one entity might mitigate risk in another area (e.g. vesting)

Risk Assessment
• Understanding Internal Controls…
  • Participant Controls
    • How many people open their statement, reconcile it to the payroll deductions, recalculate employer contributions, recalculate allocations, and review investment losses?
    • Can we rely on the participant to contribute to the internal control structure?
      • They may not understand the internal control process
      • They may not open their statement on a regular basis
      • They may not know what to look for
      • The internal control process is not their responsibility unless we directly ask them to review a confirmation
      • We should not rely on this to reduce control risk

Risk Assessment
• Documentation of Internal Controls
  • Identify individual audit areas and related control objectives
  • Consider classes of transactions
    • Activity in participant’s account
    • Existence and occurrence
  • Account balances
    • Investments
    • Receivables
    • Payables
  • Disclosures

Risk Assessment
• Documentation of Internal Controls…
  • Document controls
    • Client memo and flowcharts
    • Incorporate reference to SAS 70 controls when appropriate
    • Verification through walkthroughs
    • Consider flow of information between plan sponsor and the service organization for each individual audit area and control objective
    • Consider missing steps in the control process

Risk Assessment
• Documentation of Internal Controls…
  • Engagement team discussion
    • Fraud
    • Error
    • Ask “what could go wrong”?
    • Consider if you only had 8 hours to perform audit procedures - what would you want to do before you personally signed the opinion?
    • Must be tailored to each plan – cannot rely on one discussion for all plans
    • Consider the uniqueness of the various plans

Risk Assessment
• Challenges of an Employee Benefit Plan Audit
  • When assessing risk keep the following in mind
    • Many clients see the audit as a “necessary evil”
    • Many plan sponsors do not have the policies and procedures in place or do not have them sufficiently documented
    • Many plan sponsors that rely heavily on service providers may not be as rigorous in their procedures and oversight
    • Overuse or underuse of the SAS 70

Risk Assessment
• Policies and Procedures of the Plan Administrator Related to the Service Organization
  • Plan administrator should have an understanding of what the service organization does and what controls are in place
  • They should be reviewing the SAS 70 annually

Risk Assessment
• Policies and Procedures …
  • Reconciliation of participant accounts to service organization records should be performed on a timely basis
  • Payroll information should be reconciled to the contribution records
    • In total
    • By participant
  • Reconciling census data provided to service organization to appropriate payroll records
  • The audit cannot be the control

Risk Assessment
• Policies and Procedures …
  • Consider who has access to the data provided to the service organization and the ability to make changes to override controls
    • CFO/Controller
    • Human resources
    • Payroll
    • IT

Risk Assessment
• Other Procedures of the Plan Administrator
  • Document transactions that are approved
    • Contributions
    • Use of forfeitures
    • Distributions
  • Meet with investment manager
• Audit consequences
  • Document policies and procedures
  • Consider management points related to significant deficiencies

Significant Audit Areas
• Participant data
• Payroll
• Cash
• Investments
• Contributions received and receivable
• Benefit payments
• Investment income
• Fees and Expenses
• Actuarial Assumptions
• Form 5500
• SAS 70
• Terminating Plans

Participant Data & Payroll
Objectives include determining:
• Whether all covered employees have been properly included in employee eligibility records
• Whether accurate participant data for eligible employees were supplied to the plan administrator and, if applicable, the plan actuary

Participant Data & Payroll
Types of data to be tested:
• Demographic – birth date, hire date
• Payroll data – wage rate, hours worked, earnings, contributions to the plan

Participant Data & Payroll
Examples of substantive procedures
• Recalculate payroll for selected participants for one or more pay periods
• Trace individual payrolls from the payroll journal to the participants’ earnings records
• Review personnel files for hiring notice, pay rate, birth date, termination date

Cash
• Typically small
• If held under a trust agreement or under an insurance contract, confirmations are usually adequate
• If held independent of a trust agreement or insurance contract, customary audit procedures considered appropriate

Investments
• Limited Scope Audit
  • Obtain and read a copy of the certification
  • Determine whether the entity issuing the certification is a qualifying institution under DOL regs
  • Compare the investment information certified by the trustee or custodian to the information contained in the plan’s financial statements and related disclosures

Investments
• If the auditor becomes aware that the certified information may be incomplete or inaccurate, the auditor should instruct the plan administrator to:
  • Request that the trustee or custodian recertify or amend the certification for such investments at their appropriate year-end values, or recertify or amend the certification to exclude such investments from the limited scope certification, or
  • Instruct the auditor to perform full scope procedures on such investments excluded from the certification
• If not done, the auditor should consider modifying his or her report

Investments
• Full Scope Audit
  • Determine nature and location of investments from minutes, agreements with custodians, advisors, etc.
  • Obtain or prepare a schedule of investments showing beginning balance, purchases, sales, ending balance
  • Typical audit programs have specific procedures depending upon the type of investments held, such as mutual funds, limited partnerships and derivatives.

Investments
• Full Scope Audit (cont.)
  • Confirm investments held by third-party custodians
  • Perform analytical procedures on average and ending balances
  • Test investment income
  • Test fair value
  • Test the calculation of unrealized gains and losses

Stable Value Funds & GICs
GICs - Audit Considerations
• Obtain, read and evaluate the GIC contract
  • Maturity dates, minimum crediting rates, rate resets.
  • Is the contract fully benefit responsive?
    • Contract is between plan and issuer. The contract cannot be sold or assigned without consent of the issuer.
    • Contract issuer must be obligated to (1) repay principal and interest, and (2) provide prospective crediting rate adjustments with an assurance the crediting rate will not be < 0%
    • Contract requires all participant-initiated transactions to occur at contract value
    • An event that limits the ability of the plan to transact at contract value with the issuer and with the participants must be probable of not occurring
    • The plan must allow participants reasonable access to their funds
• Confirm principal and income with Insurance Company/Counterparty.
• Assess credit quality of the issuer.
• If a plan holds multiple contracts, each contract should be evaluated individually.

Contributions Received and Receivable
• Typical analytical procedures include:
  • Comparison to prior year
  • Average per participant
  • Other expectation such as % of compensation
• Trace to plan sponsor audited financial statements
• Vouch subsequent receipt

Contributions Received and Receivable
Timeliness of remitting participant contributions
Contributions must be remitted ASAP
• Failure to remit may be considered a Prohibited Transaction
• 15th business day of following month is not a safe harbor

Benefit Payments
• Determine participant eligibility (request, approval)
• Recompute amount of benefit
• Vouch payment
• Typical analytical procedures include:
  • Comparison to prior year
  • Average per participant
  • Other expectations

Investment Income
• Objective is to test whether net assets and transactions have been allocated to accounts properly in accordance with the plan document.
• Allocation of investment income is to be tested even for limited scope audits.

Investment Income
• Consider reasonableness by comparing current year income and yield to that in the prior year and to investment reports from advisors, trustees, mutual fund companies and to industry indexes or other expectations.
• SAS 70 may be used to reduce but not eliminate scope of testing

Fees and Expenses
• Most defined benefit plans and many defined contribution plans pay administrative expenses out of plan assets
• Typically plan expenses are below materiality levels and therefore are not subject to significant detailed testing
• Auditors should gain an understanding of what expenses are allowed by the plan
• Many times expenses paid out of plan assets are prohibited transactions

Commitments and Contingencies
• Discuss with client
• Review minutes of various committees
• Analyze legal expense
• Request audit inquiry from attorneys
• Obtain client representation

Actuarial Assumptions
• Trends and nature of benefit distributions
  • Lump sum vs. annuity payments
• Shift in plan population over time - turnover or retirement age
• Recent mergers or acquisitions could cause assumptions to be inappropriate
• Plan benefit formula changes or a freezing of the plan
• Whether consistent gains/losses are generated each year

Form 5500
• Auditor’s responsibility does not extend beyond the financial information identified in the auditor’s report.
• Auditor has no obligation to corroborate other information contained in the 5500.
• Auditor should read the other information in the 5500 and consider whether such information or its presentation is materially inconsistent with information appearing in the audited financial statements

SAS 70
Basic roadmap for auditors
• Read Independent Service Auditor’s Report and Company Overview to determine that correct SAS 70 has been obtained.
• Be mindful that missing control objectives may require additional procedures.

SAS 70
• The following control objectives should be included
  • Plan setup
  • Enrollments
  • Contributions
  • Distributions, including loans
  • Investment election changes and transfers
  • Investments, including purchases/sales, income and valuation
  • Reconciliation and reporting
  • IT general controls (including access, changes to programs, back-up)

SAS 70
Note: For missing key control objectives, or if no SAS 70 report is available, the auditor must still adequately address procedures to determine the controls in place and the evaluation of their design and implementation.

SAS 70
Description of Controls
• Auditors should read through the detail of the procedures related to a specific control objective to understand overall process and identify controls in place.
• Warning: Controls included in this description may not always be included in testing so be aware that this may affect reliance.

SAS 70
Tests of Operating Effectiveness
• Determine which controls were tested as included in the description of controls – usually listed with testing procedures performed
• Consider the level of testing performed for reliance purposes
  • Inquiries alone will not be sufficient evidence for confirming implementation
  • Observations may not be considered sufficient for reliance on controls for purposes of reducing control risk below maximum to reduce substantive audit procedures.

SAS 70
Exceptions
• Evaluate each exception, including nature, extent and mitigating controls
  • Nature of exception
    • Error in processing?
    • Missing evidence?
  • Extent of exception
    • Isolated error?
    • One of many included under control objective?
  • Did exception lead to qualification of report?
• Special consideration – IT general controls – exceptions and qualification could affect more than one area and may be a significant problem in reliance and use of SAS 70 report.