This article, "SAS 136: What Plan Sponsors Need to Know about Upcoming Changes to ERISA Plan Audits," originally appeared on BDO.com.

Employee benefit plan sponsors and their auditing firms need to begin preparing for the adoption of Statement on Auditing Standards No. 136 (SAS 136), Forming an Opinion and Reporting on Financial Statements of Employee Benefit Plans Subject to ERISA (Employee Retirement Income Security Act of 1974). This auditing standard was enacted by the American Institute of Certified Public Accountants (AICPA) and was effective for years ending after December 15, 2020. While the AICPA delayed the effective date by one year due to the COVID-19 pandemic, auditing firms may choose to adopt the standard on the original effective date. Plan sponsors will need to take the time to understand SAS 136 and its effect on the audit process.
 

Goals of SAS 136

In 2015, the Department of Labor’s Employee Benefits Security Administration (EBSA) examined the quality of audit work done on employee benefit plans by independent qualified public accountants. SAS 136 is the AICPA’s effort to address some of the issues found in the EBSA examinations. 
 
The goal of SAS 136 is to enhance the quality of audits of ERISA plans by prescribing certain procedures that are required to be performed in the audit. The auditing standard also looks to add transparency to the nature and scope of ERISA benefit plan audits as presented in the auditor’s report. 
 

Changes to Audit Reports, Engagement Letters and Other Communications

SAS 136 clarifies the responsibilities of plan management and auditors. Certain of these responsibilities are now included in the auditor’s report, engagement letters and required communications. 
 
The auditor’s responsibilities, which include professional judgements, professional skepticism and the auditor’s communication with those charged with governance, are now disclosed in the auditor’s report. Management’s responsibility to maintain a plan instrument, administer the plan, and maintain sufficient records for plan transactions and benefits, and its responsibility for the financial statements, are not stated in the auditor’s report; however, they will be stated in the engagement letter with the plan auditor. Management’s responsibility for the assessment of going concern and the auditor’s responsibility over management’s assessment are also included in the auditor’s report, when applicable.
 
The overriding goal of these changes is to clarify each party’s role and responsibility throughout the audit process and to formalize certain procedures that in the past were sometimes left to the auditor’s judgement.
 
Under the new standard, plan sponsors can expect to see a more thorough audit report. SAS 136 changes how auditors report their findings to those charged with governance. In addition to communicating deficiencies in internal control, auditors will now also have to communicate reportable findings in writing to those charged with governance. 

 
Changes to Audit Procedures and Documentation

SAS 136 implements changes that affect multiple aspects of an ERISA plan audit, including engagement acceptance, risk assessment and response, communication with those charged with governance, and performance procedures and reporting.
 
Some of the most notable changes include:

  • If a plan sponsor elects an ERISA Section 103(a)(3)(C) audit – formerly known as a limited scope audit – management must affirm that this is permissible and that the qualified institution can certify the investment information
  • Management must provide to the auditor a substantially complete Form 5500 draft before issuance of the auditor’s report
  • The auditor must communicate reportable findings

 

Change in Limited Scope Audits

Before SAS 136, plan sponsors could elect to have a limited scope audit performed, which excludes certain audit procedures over investments and investment income that are certified by a qualified institution as complete and accurate. SAS 136 eliminates the limited scope moniker and replaces it with an ERISA Section 103(a)(3)(C) audit, which includes heightened reporting requirements.
 

