Auditing Overview for Employee Benefit Plans
08/2010 PUGH & COMPANY,
Learning Objectives
Provide an overview of the audit process including:
• Risk assessment
• Significant audit areas
• Actuarial assumptions
• SAS 70 reports
• Terminating plans
Risk Assessment
– Objectives of risk assessment standards
• Understanding of the entity
• Assessment of risk
• Improve linkage between assessed risk and work performed
– Assessment process
• Continuous process - must occur throughout the audit
• Evaluation of audit findings (questions to ask throughout the process)
– Has audit risk been reduced to an acceptably low level?
– Has risk of material misstatement been reduced to an acceptably low level?
– If the answer is no to either of these, the audit is not complete.
Risk Assessment Process
Procedures Performed
• Preliminary engagement activities.
• Inquiries of plan management and others.
• Preliminary analytical procedures.
• Observation and inspection.
• Discussion among the engagement team.
Understanding Obtained
• Industry, regulatory, and other external factors
• Nature of the plan.
• Objectives, strategies, and related business risks.
• Measurement and review of the plan's financial performance.
• Internal control.
• Selection and application of accounting policies.
• Fraud risk factors.
Decisions and Judgments Made
• Decisions at the Financial Statement Level:
– Materiality at the financial statement level.
– Materiality for particular items of lesser amounts.
– Risks of material misstatement at the financial statement level.
– Overall audit strategy.
• Decisions at the Account Balance, Transaction Class, and Relevant Assertion Level:
– Tolerable misstatement.
– Risks of material misstatement at the relevant assertion level, including identification of significant risks.
– Nature, timing, and extent of further audit procedures (including tests of controls and substantive procedures).
Risk Assessment
• Materiality
– Based on economic conditions you might expect a lower materiality level.
– Lower materiality levels may add additional time to the job.
• Need to be efficient in selecting audit steps in the risk assessment process.
Risk Assessment
• Materiality…
• Need to document basis for materiality
• Need to document any changes in materiality that occur during the audit and how they were determined
– Contributions (special bonus/special compensation)
• Need to document lower level of planning materiality for certain items
– Administrative expenses (declining profitability of plan sponsor)
Risk Assessment
• Understanding the Plan and Its Environment
– The Plan
• Review plan document
– Consider summarizing significant information
• Document flow of information
– Plan sponsor
– Record keeper
– Custodian
– Trustee
– Actuary
Risk Assessment
• Understanding the Plan
• Records
– Where are they located?
– How do we gain access to the data?
• Specific plan investments
– Are there hard to value assets?
Risk Assessment
• Understanding the Plan Sponsor’s industry
• Consider factors affecting the industry that could affect the plan
– Decreased sales
– Increased costs
– Layoffs
– Cash flow problems
– Increased risk of bankruptcy
• Increased incentive to minimize expenses through
– Misallocation of required employer contributions
– Misuse of forfeitures
– Shifting plan administrative expenses directly to plan
Risk Assessment
• Understanding Plan Sponsor
• Consider interviewing plan sponsor employees
– Owners
– Key Management
– Participant (especially in ESOP)
» Ask
What do they know about the plan?
How do they conduct transactions?
What are their expectations?
Should be done during fieldwork on financial statement audit when possible and incorporated into fraud interview process
Risk Assessment
• Interview dos and don’ts
– Dos
» Face to face interviews
» Interview personnel involved in all aspects of the plan’s operations
» Share hypothetical situation to initiate fraud discussion
Treatment of lost participants and the related fraud opportunities
How and how often contribution reconciliations are performed
– Don’ts
» Conduct the interview in the presence of other client employees
» E-mail questions to management
» Interview only the primary audit contact
» Ask only yes and no questions
Risk Assessment
• Understanding the Design and Implementation of Internal Controls
– Who is ultimately responsible for properly implementing and operating an employee benefit plan?
• The plan sponsor
– The responsibility of the plan cannot be passed to the service providers
– Implementation of appropriate monitoring controls is critical where plan operations are outsourced
Risk Assessment
• Understanding Internal Controls
– Plan administration controls
• Determining plan provisions
• Establishment of the investment policy
• Authorization of certain transactions
• Monitoring and on-going evaluation of service providers
Risk Assessment
• Understanding Internal Controls…
– Entity level controls – who is in charge of the plan
• Monitoring (board of directors)
• Personnel (hiring, training, evaluations)
• Integrity and ethics (ethics policies)
• Segregation of duties (protection of assets)
Risk Assessment
• Understanding Internal Controls…
– Transaction level controls
• Forfeitures (currently a hot topic in the industry)
• Plan fees (currently a hot topic in the industry)
• Participant investment elections
• Transfers, mergers, new plan setups
Risk Assessment
• Understanding Internal Controls…
– Unique control environment
• Important to understand and document who does what
• Significant controls may be outsourced to third parties
• Certain areas may have shared responsibilities
• A control at one entity might mitigate risk in another area (e.g., vesting)
allocations, and review investment losses?
• Can we rely on the participant to contribute to the internal control structure?
– They may not understand the internal control
Risk Assessment
• Documentation of Internal Controls
– Identify individual audit areas and related control objectives
• Consider classes of transactions
– Activity in participant’s account
– Existence and occurrence
• Account balances
– Investments
– Receivables
– Payables
• Disclosures
Risk Assessment
• Documentation of Internal Controls…
• Client memo and flowcharts
• Incorporate reference to SAS 70 controls when appropriate
– Verification through walkthroughs
– Consider flow of information between plan sponsor and the service organization for each individual audit area and control objective
– Consider missing steps in the control process
Risk Assessment
• Documentation of Internal Controls…
• Fraud
• Error
• Ask “what could go wrong”?
• Consider if you only had 8 hours to perform audit procedures - what would you want to do before you personally signed the opinion?
• Must be tailored to each plan – cannot rely on one discussion for all plans
• Consider the uniqueness of the various plans
Risk Assessment
• Challenges of an Employee Benefit Plan Audit
– When assessing risk keep the following in mind
• Many clients see the audit as a “necessary evil”
• Many plan sponsors do not have the policies and procedures in place or do not have them sufficiently documented
• Many plan sponsors that rely heavily on service providers may not be as rigorous in their procedures and oversight
• Overuse or underuse of the SAS 70
Risk Assessment
• Policies and Procedures of the Plan Administrator Related to the Service Organization
– Plan administrator should have an understanding of what the service organization does and what controls are in place
• They should be reviewing the SAS 70 annually
Risk Assessment
• Policies and Procedures …
– Reconciliation of participant accounts to service organization records should be performed on a timely basis
• Payroll information should be reconciled to the contribution records
– In total
– By participant
• Reconciling census data provided to service organization to appropriate payroll records
• The audit cannot be the control
Risk Assessment
• Policies and Procedures …
– Consider who has access to the data provided to the service organization and the ability to make changes to override controls
• CFO/Controller
• Human resources
• Payroll
• IT
Risk Assessment
• Other Procedures of the Plan Administrator
– Document transactions that are approved
– Consider management points related to significant deficiencies
Participant Data & Payroll
Objectives include determining:
• Whether all covered employees have been properly included in employee eligibility records
• Whether accurate participant data for eligible employees were supplied to the plan administrator and, if applicable, the plan actuary
Participant Data & Payroll
Types of data to be tested:
• Demographic – birth date, hire date
• Payroll data – wage rate, hours worked, earnings, contributions to the plan
Participant Data & Payroll
Examples of substantive procedures
• Recalculate payroll for selected participants for one or more pay periods
• Trace individual payrolls from the payroll journal to the participants’ earnings records
• Review personnel files for hiring notice, pay rate, birth date, termination date
Cash
• Typically small
– If held under a trust agreement or under an insurance contract, confirmations are usually adequate
– If held independent of a trust agreement or insurance contract, customary audit procedures considered appropriate
Investments
• Limited Scope Audit
– Obtain and read a copy of the certification
– Determine whether the entity issuing the certification is a qualifying institution under DOL regs
– Compare the investment information certified by the trustee or custodian to the information contained in the plan’s financial statements and related disclosures
Investments
• If the auditor becomes aware that the certified information may be incomplete or inaccurate, the auditor should instruct the plan administrator to:
– Request that the trustee or custodian recertify or amend the certification for such investments at their appropriate year-end values or recertify or amend the certification to exclude such investments from the limited scope certification or
– Instruct the auditor to perform full scope procedures on such investments excluded from the certification
• If not done, auditor should consider modifying his or her report
Investments
• Full Scope Audit
– Determine nature and location of investments from minutes, agreements with custodians, advisors, etc.
– Obtain or prepare a schedule of investments showing beginning balance, purchases, sales, ending balance
– Typical audit programs have specific procedures depending upon the type of investments held, such as mutual funds, limited partnerships and derivatives.
Investments
• Full Scope Audit (cont.)
– Confirm investments held by third-party custodians
– Perform analytical procedures on average and ending balances
– Test fair value
– Test the calculation of unrealized gains and losses
Stable Value Funds & GICs
GICs - Audit Considerations
• Obtain, read and evaluate the GIC contract
• Maturity dates, minimum crediting rates, rate resets.
• Is the contract fully benefit responsive?
– Contract is between plan and issuer. The contract cannot be sold or assigned without consent of the issuer.
– Contract issuer must be obligated to (1) repay principal and interest, and (2) provide prospective crediting rate adjustments with an assurance the crediting rate will not be < 0%
– Contract requires all participant-initiated transactions to occur at contract value
– An event that limits the ability of the plan to transact at contract value with the issuer and with the participants must be probable of not occurring
– The plan must allow participants reasonable access to their funds
• Confirm principal and income with Insurance Company/Counterparty.
• Assess credit quality of the issuer.
• If a plan holds multiple contracts, each contract should be evaluated individually.
Contributions Received and Receivable
• Typical analytical procedures include:
– Comparison to prior year
– Average per participant
• Trace to plan sponsor audited financial statements
• Vouch subsequent receipt
Contributions Received and Receivable
Timeliness of remitting participant contributions
Contributions must be remitted ASAP
• Failure to remit may be considered a Prohibited Transaction
• 15th business day of following month is not a safe harbor
Benefit Payments
• Determine participant eligibility (request, approval)
• Recompute amount of benefit
• Vouch payment
• Typical analytical procedures include:
– Comparison to prior year
– Average per participant
– Other expectations
• Allocation of investment income to be tested even for limited scope audits
Investment Income
• Consider reasonableness by comparing current year income and yield to that in the prior year and to investment reports from advisors, trustees, mutual fund companies and to industry indexes or other expectations
• SAS 70 may be used to reduce but not eliminate scope of testing
Fees and Expenses
• Most defined benefit plans and many defined contribution plans pay administrative expenses out of plan assets
• Typically plan expenses are below materiality levels and therefore are not subject to significant detailed testing
• Auditors should gain an understanding of what expenses are allowed by the plan
• Many times expenses paid out of plan assets are prohibited transactions
Commitments and Contingencies
• Discuss with client
• Review minutes of various committees
• Analyze legal expense
• Request audit inquiry from attorneys
• Obtain client representation
Actuarial Assumptions
• Trends and nature of benefit distributions
• Shift in plan population over time—turnover or retirement age
• Recent mergers or acquisitions could cause assumptions to be inappropriate
• Plan benefit formula changes or a freezing of the plan
• Whether consistent gains/losses are generated each year