As previously communicated, Statement on Auditing Standards (SAS) 136, Forming an Opinion and Reporting on Financial Statements of Employee Benefit Plans Subject to ERISA, will bring significant changes for employee benefit plans and their auditors effective for audits of periods ending on or after December 15, 2021. For employee benefit plans subject to the Employee Retirement Income Security Act of 1974 (ERISA), one of the more notable changes in SAS 136 is the requirement to communicate, in writing to those charged with governance, on a timely basis, reportable findings identified as a result of testing relevant plan provisions. (The relevant plan provisions will vary for each type of plan and the circumstances of each engagement.)
SAS 136 defines reportable findings as matters that are one or more of the following:
- An identified instance of noncompliance or suspected noncompliance with laws or regulations in accordance with AU-C section 250, Consideration of Laws and Regulations in an Audit of Financial Statements.
- A finding arising from the audit that is, in the auditor’s professional judgment, significant and relevant to those charged with governance regarding their responsibility to oversee the financial reporting process in accordance with AU-C section 260, The Auditor’s Communication With Those Charged With Governance.
- An indication of deficiencies in internal control identified during the audit that have not been communicated to management by other parties and that, in the auditor’s professional judgment, are of sufficient importance to merit management’s attention in accordance with AU-C section 265, Communicating Internal Control Related Matters Identified in an Audit.
It is important to note that, under SAS 136, when a control deficiency (that otherwise could be communicated either orally or in writing) relates to a reportable finding, it now would be required to be communicated in writing to those charged with governance. Similarly, AU-C section 260 requires that the auditor communicate in writing to those charged with governance significant findings or issues from the audit if, in the auditor’s professional judgment, oral communications would not be adequate. If the significant finding is also a reportable finding, SAS 136 will require this communication to be in writing.
Examples of matters encountered in an employee benefit plan audit that the auditor may need to evaluate for consideration as a reportable finding include the following, among others:
- Misapplication of plan provisions, such as covered compensation, use of forfeitures, vesting, eligibility
- Non-timely contributions
- Census data errors
- Failure to perform relevant IRC compliance tests
- Financial reporting or disclosure misstatement
- Insufficient monitoring of the plan’s service organizations, including review of relevant SOC 1 reports
- Inadequate complementary user entity controls
When evaluating whether an issue identified during the audit meets one or more of the requirements of AU-C sections 250, 260 or 265 and is a reportable finding, the auditor may consider the following, among other factors:
- What gave rise to the issue (e.g., an operational error identified when testing the provisions of the plan instrument or a financial reporting or disclosure misstatement)
- How the issue was identified and corrected, including whether the issue was timely identified and corrected by management as part of its internal control process and whether it was corrected under available regulatory correction programs before year end
- The extent or scope of the issue (e.g., the number of participants affected, whether the issue is recurring, whether there are several less significant issues, which together may be indicative of a significant issue)
- Whether the issue is indicative of a lack of reporting expertise or a lack of oversight or monitoring of plan operations or service providers
The proposed SAS originally included the communication of reportable findings as part of the auditor’s report. However, the final SAS states that reportable findings should be included within the required communication with those charged with governance. The communications with those charged with governance may be combined in a single written communication covering all reporting matters. Regardless of the format, the written communication of a reportable finding to those charged with governance will include (a) a description of the reportable finding; (b) sufficient information to enable those charged with governance and management to understand the context of the communication; and (c) an explanation of the potential effects of the reportable findings on the financial statements or to the plan. The explanation of the potential effects of the reportable findings does not need to be quantified. If the auditor does not identify any reportable findings, the auditor is prohibited from issuing a written communication stating that no reportable findings were identified during the audit.
As it is not uncommon for reportable findings to occur in the operation of a plan, the IRS and U.S. Department of Labor have voluntary correction programs in place. A timely discussion of reportable findings prior to issuance of the written communication will allow the plan administrator and those charged with governance to avail themselves of all applicable correction options.